Penetration Testing Concepts

Will discuss Penetration Testing vs Vulnerability Scanning vs Risk Assessment

  • Active reconnaissance
  • Passive reconnaissance
  • Pivot
  • Initial exploitation
  • Persistence
  • Escalation of privilege
  • Black box
  • White box
  • Gray box

Penetration Testing

A penetration test, or a pen test, is an authorized, simulated attack on a computer system, performed to evaluate the security of the system by actively exploiting found vulnerabilities. aka Ethical Hacking.

  • Information Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

Penetration Testing Requirements

  • Scope document of what will be tested
  • Permission to test (get-out-of-jail-free card)
  • Skills to attack resources limiting harm or collateral damage
  • Plan of attack / steps
  • Resources & access to conduct the test
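One practical way to turn the scope document and the permission to test into an enforceable control before any active reconnaissance runs, added here as an example that is not part of the original notes; the scope-file format, the Scope class and all addresses and hostnames are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass, field
# Constructed sample scope document; addresses and names are illustrative only.
SCOPE_DOC = """
10.10.20.0/24              # lab network authorized in the statement of work
192.168.5.0/24
exclude 192.168.5.10/32    # production database host: no active testing
app.lab.example            # named web host, also in scope
"""
@dataclass
class Scope:
    networks: list = field(default_factory=list)    # authorized CIDR blocks
    hostnames: set = field(default_factory=set)     # authorized exact hostnames
    exclusions: list = field(default_factory=list)  # blocks carved out of the ranges

    @classmethod
    def from_document(cls, text):
        scope = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
            if not line:
                continue
            try:                                      # "exclude" applies to CIDRs only
                net = ipaddress.ip_network(line.removeprefix("exclude "), strict=False)
            except ValueError:                        # not an address: treat as hostname
                scope.hostnames.add(line.lower())
                continue
            (scope.exclusions if line.startswith("exclude ") else scope.networks).append(net)
        return scope

    def permits(self, target):
        """Return (allowed, reason) for one IP address or hostname."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            if target.lower() in self.hostnames:
                return True, "hostname listed in scope"
            return False, "hostname not in scope document"
        if any(addr in net for net in self.exclusions):   # exclusions win over ranges
            return False, "address explicitly excluded"
        if any(addr in net for net in self.networks):
            return True, "address within authorized range"
        return False, "address outside authorized ranges"
def filter_targets(scope, candidates):
    """Split candidates into hosts cleared for active testing and rejected hosts with reasons."""
    results = {target: scope.permits(target) for target in candidates}
    allowed = [t for t, (ok, _) in results.items() if ok]
    rejected = {t: reason for t, (ok, reason) in results.items() if not ok}
    return allowed, rejected
```

Rejected targets and their reasons belong in the engagement log, since an out-of-scope host appearing in a target list is itself a finding about the plan of attack.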

Information Gathering / Discovery / Reconnaissance

Passive reconnaissance: an attempt to gain information about targeted computers and networks without actively engaging with the systems. (examples: collecting information from public databases, talking to employees/partners, dumpster diving)

Active reconnaissance: Gathering information about targeted systems by actively engaging with the targeted system. Directly focuses on the system (port scans, traceroute information, network mapping, vulnerability scanning) to identify weaknesses that could be used to launch an attack.

Types of Testing

Black Box: The tester has absolutely no knowledge of the system and is functioning in the same manner as an outside attacker.

White Box: The tester has significant knowledge of the system. This simulates an attack from an insider—a rogue employee.

Gray Box: This is a middle ground between the first two types of testing. In gray box testing, the tester has some limited knowledge of the target system.

Non-intrusive tests involve passively testing security controls—performing vulnerability scans and probing for weaknesses but not exploiting them.

Intrusive tests involve actually trying to exploit vulnerabilities to break into the network.

Penetration Testing Activities

Initial exploitation: Gain a foothold on a system / network. This is often with lesser privileges or access.

Pivot: attacking a system using another, compromised system that’s trusted to the one you are attacking. Often done on the same network through island hopping.

Persistence: Maintaining access for a period of time / hiding

Escalation of privilege: Gaining elevated privileged access to resources that are normally protected from an application or user.

Penetration Testing vs. Vulnerability Scanning vs. Risk Assessment

Penetration Test: see definition above. A penetration test is essentially an attempt to actually exploit the vulnerabilities that have been identified.

Vulnerability Scanning: Allows tester to identify specific vulnerabilities in a network, system or application. Most penetration testers will start with this procedure so that they can identify likely targets to attack.

Risk Assessment: Allows an organization to understand the cyber-security risk to organizational operations (including mission, functions, image, or reputation), organizational assets, systems or individuals.

Vulnerability Scanning / Assessment Types

Intrusive vs. non-intrusive: See passive vs. active reconnaissance

Intrusive: Directly engaging on the target system to identify weaknesses that could be used to launch an attack

Non-intrusive: Gaining vulnerability information about targeted computers and networks without actively engaging with the systems (example: Qualys SSL Labs).

Credentialed vs. non-credentialed: Whether or not authentication credentials (user-ids & passwords) are used in scanning. Credentialed has lesser risks and may provide more information, but isn’t as realistic.
