Penetration Testing

Published on February 2017

What is Penetration Testing?
It is the process of identifying security vulnerabilities in an application by evaluating the system or
network with various malicious techniques. The purpose of this test is to secure important data from
outsiders, such as hackers, who could gain unauthorized access to the system. Once a vulnerability is
identified, it is used to exploit the system in order to gain access to sensitive information.
Causes of vulnerabilities:
- Design and development errors
- Poor system configuration
- Human errors
Why Penetration testing?
- Financial data must be secured while transferring between different systems
- Many clients are asking for pen testing as part of the software release cycle
- To secure user data
- To find security vulnerabilities in an application
Penetration testing
It is very important for any organization to identify the security issues present in its internal network
and computers. Using this information, the organization can plan its defense against any hacking attempt.
User privacy and data security are the biggest concerns nowadays. Imagine if a hacker managed to get
the user details of a social networking site like Facebook. An organization can face legal issues due to a
small loophole left in a software system. Hence, big organizations look for PCI compliance
certifications before doing any business with third-party clients.
What should be tested?
- Software
- Hardware
- Network
- Process
Penetration Testing Types:
1) Social Engineering: Human errors are the main cause of security vulnerabilities. Security
standards and policies should be followed by all staff members to avoid social engineering
penetration attempts. An example of these standards is not mentioning any sensitive information in
email or phone communication. Security audits can be conducted to identify and correct process
flaws.
2) Application Security Testing: Using software methods, one can verify whether the system is exposed to
security vulnerabilities.
3) Physical Penetration Test: Strong physical security methods are applied to protect sensitive data.
This is generally useful in military and government facilities. All physical network devices and
access points are tested for the possibility of any security breach.
Pen Testing Techniques:
1) Manual penetration test
2) Using automated penetration test tools
3) Combination of both manual and automated process
The third process is more commonly used to identify all kinds of vulnerabilities.
Penetration Testing Tools:
Automated tools can be used to identify some standard vulnerabilities present in an application.
Pentest tools scan code to check whether malicious code is present that could lead to a potential
security breach. Pentest tools can verify security loopholes present in the system by examining data
encryption techniques and finding hard-coded values such as usernames and passwords.
Criteria to select the best penetration tool:
- It should be easy to deploy, configure and use.
- It should scan your system easily.
- It should categorize vulnerabilities based on severity, showing which need an immediate fix.
- It should be able to automate verification of vulnerabilities.
- It should re-verify exploits found previously.
- It should generate detailed vulnerability reports and logs.
Once you know what tests you need to perform, you can either train your internal test resources or
hire expert consultants to do the penetration task for you.
Examples of Free and Commercial Tools -
Nmap, Nessus, Metasploit, Wireshark, OpenSSL, Cain & Abel, THC Hydra, w3af
Commercial services: Pure Hacking, Torrid Networks, SecPoint, Veracode.
Limitations of Pentest tools: Sometimes these tools flag false positives, which results in
developers spending more time analyzing vulnerabilities that are not present.
Manual Penetration Test:
It is difficult to find all vulnerabilities using automated tools. Some vulnerabilities
can be identified by manual scan only. Penetration testers can perform better attacks on an application
based on their skills and knowledge of the system being penetrated. Methods like social
engineering can be done by humans only. Manual checking includes design, business logic as well
as code verification.
Penetration Test Process:
Let’s discuss the actual process followed by test agencies or penetration testers. Identifying the
vulnerabilities present in the system is the first important step in this process. Corrective action is taken
on these vulnerabilities, and the same penetration tests are repeated until the system is negative to all those
tests.
We can categorize this process into the following methods:
1) Data collection: Various methods, including Google search, are used to get target system data. One
can also use web page source code analysis to get more information about the system, software
and plugin versions. There are many free tools and services available in the market which can give
you information like database or table names, DB versions, software versions, hardware used and
various third-party plugins used in the target system.
2) Vulnerability Assessment: Based on the data collected in the first step, one can find the security
weaknesses in the target system. This helps penetration testers to launch attacks using identified entry
points in the system.
3) Actual Exploit: This is a crucial step. It requires special skills and techniques to launch an attack on
the target system. Experienced penetration testers can use their skills to launch an attack on the system.
4) Result analysis and report preparation: After completion of penetration tests, detailed reports are
prepared for taking corrective actions. All identified vulnerabilities and recommended corrective
methods are listed in these reports. You can customize the vulnerability report format (HTML, XML,
MS Word or PDF) as per your organization's needs.
Penetration testing sample test cases (test scenarios):
Remember this is not functional testing. In Pentest your goal is to find security holes in the system.
Below are some generic test cases, which are not necessarily applicable to all applications.

1) Check if the web application is able to identify spam attacks on contact forms used in the website.
2) Proxy server - Check if network traffic is monitored by proxy appliances. Proxy servers make it
difficult for hackers to get internal details of the network, thus protecting the system from external
attacks.
3) Spam email filters - Verify that incoming and outgoing email traffic is filtered and unsolicited
emails are blocked. Many email clients come with built-in spam filters, which need to be
configured as per your needs. These configuration rules can be applied to email headers, subject or
body.
4) Firewall - Make sure the entire network and all computers are protected by a firewall. A firewall can be
software or hardware that blocks unauthorized access to a system. A firewall can prevent data from being sent
outside the network without your permission.
5) Try to exploit all servers, desktop systems, printers and network devices.
6) Verify that all usernames and passwords are encrypted and transferred over a secured connection
like https.
7) Verify information stored in website cookies. It should not be in a readable format.
8) Verify previously found vulnerabilities to check if the fix is working.
9) Verify that there is no open port in the network.
11) Verify all telephone devices.
12) Verify WIFI network security.
13) Verify all HTTP methods. PUT and Delete methods should not be enabled on the web server.
14) Passwords should be at least 8 characters long, containing at least one number and one special
character.
15) Usernames should not be like “admin” or “administrator”.
16) The application login page should be locked after a few unsuccessful login attempts.
17) Error messages should be generic and should not mention specific error details like “Invalid
username” or “Invalid password”.
19) Verify that special characters, html tags and scripts are handled properly as input values.
20) Internal system details should not be revealed in any of the error or alert messages.
21) Custom error messages should be displayed to the end user in case of a web page crash.
22) Verify use of registry entries. Sensitive information should not be kept in the registry.
23) All files must be scanned before uploading to the server.
24) Sensitive data should not be passed in urls while communicating with different internal modules
of the web application.
25) There should not be any hard-coded username or password in the system.
26) Verify all input fields with long input strings, with and without spaces.
27) Verify that the reset password functionality is secure.
28) Verify the application for SQL Injection.
29) Verify the application for Cross Site Scripting.
31) Important input validations should be done at the server side instead of JavaScript checks at the client
side.
32) Critical resources in the system should be available to authorized persons and services only.
33) All access logs should be maintained with proper access permissions.
34) Verify that the user session ends upon log off.
35) Verify that directory browsing is disabled on the server.
36) Verify that all applications and database versions are up to date.
37) Verify url manipulation to check that the web application is not showing any unwanted information.
38) Verify memory leak and buffer overflow.
39) Verify that incoming network traffic is scanned to find Trojan attacks.
40) Verify that the system is safe from Brute Force Attacks - a trial and error method to find sensitive
information like passwords.
41) Verify that the system or network is secured from DoS (denial-of-service) attacks. A hacker can target
a network or a single computer with continuous requests, due to which resources on the target system get
overloaded, resulting in denial of service for legitimate requests.
These are just the basic test scenarios to get started with Pentest. There are hundreds of advanced
penetration methods which can be done either manually or with the help of automation tools.
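The following Python sketch is an added example, not part of the original document: it turns five of the test cases above (item 13, PUT/DELETE enabled; item 17, over-specific login errors; item 20, internal details in error output; item 24, sensitive data in URLs; item 35, directory browsing) into pass/fail checks over raw HTTP responses. The sample responses and detection patterns are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Detection patterns are illustrative assumptions, not an exhaustive rule set.
STACK_TRACE = re.compile(
    r"Traceback \(most recent call last\)|^\s+at [\w.$]+\(.*\)|SQLSTATE\[", re.M)
SPECIFIC_LOGIN_ERROR = re.compile(r"invalid (username|password)", re.I)
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token"}

def parse_response(raw):
    """Split a raw HTTP response into (headers as dict of lists, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def audit(raw):
    """Return the sorted checklist item numbers that this response fails."""
    headers, body = parse_response(raw)
    failed = set()
    allowed = {m.strip().upper() for v in headers.get("allow", []) for m in v.split(",")}
    if allowed & {"PUT", "DELETE"}:                      # item 13
        failed.add(13)
    if SPECIFIC_LOGIN_ERROR.search(body):                # item 17
        failed.add(17)
    if STACK_TRACE.search(body):                         # item 20
        failed.add(20)
    for loc in headers.get("location", []):              # item 24
        if SENSITIVE_PARAMS & {k.lower() for k in parse_qs(urlsplit(loc).query)}:
            failed.add(24)
    if re.search(r"<title>\s*Index of /", body, re.I):   # item 35
        failed.add(35)
    return sorted(failed)

# Constructed sample responses (not captured from any real system).
SAMPLES = {
    "options": "HTTP/1.1 200 OK\r\nAllow: GET, POST, PUT, DELETE\r\n\r\n",
    "login": "HTTP/1.1 401 Unauthorized\r\n\r\n<p>Invalid password</p>",
    "crash": 'HTTP/1.1 500 Internal Server Error\r\n\r\n'
             'Traceback (most recent call last):\n  File "/srv/app/views.py", line 12',
    "redirect": "HTTP/1.1 302 Found\r\nLocation: /report?user=bob&password=hunter2\r\n\r\n",
    "listing": "HTTP/1.1 200 OK\r\n\r\n<html><title>Index of /backup</title></html>",
    "hardened": "HTTP/1.1 401 Unauthorized\r\nAllow: GET, POST\r\n\r\n<p>Login failed.</p>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:9} fails items {audit(raw)}")
```

A response that fails none of the five checks, such as the "hardened" sample, returns an empty list; the remaining test cases still need manual or tool-assisted verification.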
Further reading:
Pen Testing Standards - PCI DSS (Payment Card Industry Data Security Standard), OWASP (Open
Web Application Security Project), ISO/IEC 27002, OSSTMM (The Open Source Security Testing
Methodology Manual).
Certifications - GPEN, Associate Security Tester (AST), Senior Security Tester (SST), Certified
Penetration Tester (CPT).
Finally, as a penetration tester you should collect and log all vulnerabilities in the system. Don’t
ignore any scenario on the assumption that it won’t be executed by end users.
