Penetration tests place testers in the role of attackers. In this video, learn about penetration testing techniques including verifying that a threat exists, bypassing security controls, testing security controls, and exploiting vulnerabilities. Also, learn about the three types of penetration tests: white box, black box, and gray box.
- [Announcer] Vulnerability testing merely probes systems for vulnerabilities. Those tests can be active, reaching out and interacting with systems, but they are rarely dangerous because they don't typically complete an attack. Actually executing an attack is, however, the best way to understand a system's vulnerabilities. Penetration tests do this by placing testers in the role of attackers. During a penetration test, attackers normally begin by gathering information about systems and then using that information to engage in actual attacks.
The test is considered successful if the attackers manage to penetrate the target system. The goal is to test security controls by attempting to bypass or defeat them. The National Institute for Standards and Technology (NIST) suggests that penetration tests loop back and forth between a discovery phase and an attack phase. During the discovery phase, attackers conduct reconnaissance against systems and think of possible avenues of exploit. When they find a path of potential vulnerability, they move into the attack phase where they seek to gain access to the target system, escalate that access to advanced privileges and then browse through the network looking for new systems they can access from that vantage point.
They may also install additional penetration testing tools on compromised systems in an effort to gain even deeper access to the network. For example, if penetration testers exploit a vulnerability to gain access to an application server, they might then install tools on that application server to attempt to gain privileges on the database server supporting that application. There are three types of penetration tests and they differ in the depth of knowledge that the attackers have prior to each test. In a white box test, the attacker has full knowledge of the network environment.
It's the equivalent of simulating an insider attack. In a black box test, the attacker has no prior knowledge of the enterprise IT environment and seeks to gain that knowledge as they move through the attack and discovery phases. This is equivalent to simulating an external attack. Gray box attacks fall in the middle and the attacker has some knowledge of the system. This approach is commonly used because it combines some of the external perspective benefits of a black box test with the time saving nature of a white box test.
Let's talk about two concepts from penetration testing that are important to understanding both penetration tests and attack attempts. Pivoting is an important concept used by penetration testers to simulate the activities of real attackers. Using this technique, testers first conduct an initial exploitation of a vulnerability on a system with weak security. The trick is that this system isn't their real target. They use this system to gain a foothold on the network and then switch, or pivot, to attack other systems on the same network.
Pivoting allows attackers to exploit whatever vulnerability they can find and then leverage that vulnerability to gain access to more secure systems. A second important concept used by penetration testers is persistence of their attacks. Once an attacker gains access to a system, he or she may install a backdoor on that system that allows the attacker to regain access to the system in the future. These backdoors are independent of the vulnerability that the attacker used to gain initial access to the system and may allow the attacker to discreetly retain access to the system even after the administrator corrects the vulnerability that allowed the attack in the first place.
Penetration tests are labor intensive for internal staff and expensive when using external consultants. For this reason, they are not done frequently, but they do provide valuable insight into the security of a system. Therefore, penetration tests should be an occasional part of the security professional's test kit.
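The pivoting pattern described above has a defender-side mirror image: a host that is logged into from outside and then, within minutes, becomes the source of logins to other systems. The following added example (not part of the course or its author's material) scans a small, constructed login log for exactly that pattern. The log format, host names, the `Login` record, the `find_pivots` function and the 15-minute window are all assumptions made for this illustration.

```python
"""Spotting pivoting in a login log (added example, not course material).

A pentester who pivots lands on a weakly secured foothold host first and then
uses it as the source of logins to the real targets.  In a record of
successful remote logins that shows up as a host that is a login destination
and shortly afterwards a login source.  Log format, hosts and the window are
constructed assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    """One successful remote login (constructed schema)."""
    ts: datetime
    src: str
    dst: str
    user: str


# Constructed sample log: web-01 is logged into, then reaches db-01 and
# hr-files; jump-01 is a legitimate bastion that relays alice's session.
SAMPLE_LOG = """\
2024-03-01T09:00:00 src=10.0.5.21 dst=web-01 user=svc_deploy
2024-03-01T09:04:00 src=web-01 dst=db-01 user=dbadmin
2024-03-01T09:06:30 src=web-01 dst=hr-files user=dbadmin
2024-03-01T11:00:00 src=10.0.1.7 dst=jump-01 user=alice
2024-03-01T11:01:00 src=jump-01 dst=db-01 user=alice
"""


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into Login records."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(item.split("=", 1) for item in pairs)
        logins.append(Login(datetime.fromisoformat(ts_str),
                            fields["src"], fields["dst"], fields["user"]))
    return logins


def find_pivots(logins, window=timedelta(minutes=15), known_jump_hosts=frozenset()):
    """Return {foothold_host: sorted hosts it logged into within `window`
    of itself being logged into}.

    Hosts whose job is to relay logins (bastions) are excluded through
    known_jump_hosts so they do not drown the result in expected traffic.
    """
    by_time = sorted(logins, key=lambda rec: rec.ts)
    pivots = {}
    for i, inbound in enumerate(by_time):
        foothold = inbound.dst
        if foothold in known_jump_hosts:
            continue
        # Outbound logins from the foothold shortly after it was reached.
        reached = {rec.dst for rec in by_time[i + 1:]
                   if rec.src == foothold and rec.ts - inbound.ts <= window}
        if reached:
            pivots.setdefault(foothold, set()).update(reached)
    return {host: sorted(targets) for host, targets in pivots.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for host, targets in find_pivots(records, known_jump_hosts={"jump-01"}).items():
        print(f"possible pivot through {host} -> {', '.join(targets)}")
```

Run as-is, the script reports `web-01` reaching `db-01` and `hr-files`; `jump-01` is suppressed because it is declared a bastion. In the sample the account also changes between the inbound login (`svc_deploy`) and the outbound ones (`dbadmin`), which is the kind of detail worth surfacing next: a foothold using credentials it was not logged into with is a stronger indicator than the timing alone.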
The CompTIA Security+ exam is an excellent entry point for a career in information security. The latest version, SY0-501, expands coverage of cloud security, virtualization, and mobile security. This course prepares exam candidates for the critical Threats, Attacks, and Vulnerabilities domain of the exam. By learning about malware, networking and application security exploitations, and social engineering, you'll be prepared to answer questions from the exam—and strengthen your own organization's systems and defenses. Author Mike Chapple, an IT leader with over 15 years of experience, also covers the processes for discovering and mitigating threats and attacks, and conducting penetration testing and scanning for vulnerabilities. Visit certmike.com to join one of his free study groups.