Penetration Testing Tutorial Guide for Beginners

To protect your application, system, or network from vulnerabilities, the best way would be to know the loopholes of the system along with its protection measures. To perform penetration testing, there is no need for any prior knowledge or background experience in hacking. With this write up, you can start as a newbie and can become an expert in penetration testing and website security to protect your hardware and software downtime and loss of data. Because, the protection of network and data are the most important for any business organization, and understanding HOW it is vulnerable is the best way to prevent your system from the various zombie attacks.

What is Penetration Testing?

Penetration Testing or Pen-testing is a process of testing the security weaknesses of an application, system, or network. If we want to check -

• Security of system or network
• the possibilities of our system or applications of being hacked or attacked

Let us understand it in a very simple way by taking an example of a house. There are multiple entry points in your house, that is doors and windows, and these are important to let you in and out of the house. However, you want only the people of your family or friends or the authorized people only should enter your house, nobody else. Now, you want to check the possibilities and weaknesses of the entry and exit systems of your house. To test this security, you can call a person who is proficient in checking such security methods so that this person will come and check your house for all the security measures.

To perform this, the security person will try to break to security and come into your house using all the possible means. At the end of this test, he will create a report where he’ll show all the security weaknesses in your house and will give you some recommendations. This is exactly what happens in a Pen Test. A person with expertise in Pen-testing or an authorized person in Pen-testing tries to enter into the application or system by breaking all the security measures, and then tries to find out all the security weaknesses and produces a report at the end. To ensure security, multiple security tests are  being conducted.

Why is Penetration Testing necessary?

• To make your application, system, or network more secure
• To ensure that any unauthorized person or intruder does not break your system
• To secure user data
• To find security loopholes in an application or a system
• To access the business impact of successful attacks
• To prevent data breaches
• To check security controls
• To access exploit detection and effectiveness of response
• To implement an effective security strategy in the organization

What should be tested?

Read: What is STLC? Learn Software Testing Life Cycle Phases

• Software (Operating system, services, applications, etc.)
• Hardware
• Network
• Processes
• End-user behavior

Penetration Testing do’s and don’ts

When you are ready to become a Pen tester or ready to test the security of your system or applications, ensure that you only test the systems that you are legally allowed to test. For example, do not try to break any other systems, do not try to break into your friend’s social media account as these are illegal and wrong both. Also, make sure that you should not test your social media accounts or your system, as it will lock your account and system forever and you’ll lose your data.

It will be better to always have a separate system for test purposes so that if that account or system gets locked, then you are not worried. Also, always have a separate environment or a separate system to perform Penetration testing. Do not perform it on your laptop or system because it can crash your system, and then it can erase all the data and information stored on your system. If you want to test someone else’s system or the organization you are working in, it is better to have written proof from them before initializing Penetration testing.

Different phases of Penetration Testing

• Planning: In this phase, the scope is defined, including which system to test, goals, and objectives to achieve penetration test, the resources, and the tools required to employ for test execution.
• Discovery: In this phase, we collect as much as information we can collect about the system. The discovery phase is also called fingerprinting. Two more tasks are performed in this phase-
  • Selection of proper pen-testing tools
  • Gain access
• Scanning: In this phase, it becomes clear to the pen tester how the target app will respond to the intrusion attempts, which can be done in two ways:
  • Static Analysis: Inspect an app’s code to see how it performs in a running state
  • Dynamic Analysis:Provides a real-time view of how an app performs
• Attack: In this phase, the pen tester finds exploits for various vulnerabilities which he needs to exploit the security of the system.
• Report: In this phase, the pen tester documents all the results and findings in an effective manner. This report is used as a reference document while alleviating activities to address the identified vulnerabilities. After this phase, two things are considered-
  • Maintain the access
  • Analyze the system

Types of Penetration Testing

The type of penetration testing depends upon the scope and the organizational requirements. Penetration testing is of three types: -

• Black Box Testing: The fact is that the tester here has no idea about the system initially. The pen tester collects all information related to the system before he or she starts working on it.
• Grey Box Testing: The pen tester, in this case, is provided with partial or limited knowledge about the system.
• White Box Testing: It is a Penetration testing method in which the tester knows the configuration and details and use them to break into the security of accounts and applications and tries to find out how secure the application is! This type of pen-testing examines the code coverage and performs data flow testing, path testing, and loop testing.

What are different Penetration Testing Tools?

Pen testers undertake the vulnerability finding approach before the attackers intrude in. The specific criteria to select the best penetration tool is listed below:

Read: Top 15 Penetration Testing Tools To Know In 2019

• It should be easy to deploy, configure and use
• It should scan your system easily
• It should categorize vulnerabilities based on severity that needs an immediate fix
• It should be able to automate the verification of vulnerabilities
• It should re-Authenticate exploits found previously
• It should generate detailed vulnerability reports and logs

There are three major categories of penetration testing tools: -

• Port Scanner: The tools included in this category collect information and personal data about a particular target from a remote environment
• Vulnerability Scanner: The tools included in this category are used to find if there are any known vulnerabilities in the system that is being targeted. It is subdivided into two categories:
  • Host-based
  • Network-based
• Application Scanner: These type of tools checks in for any type of vulnerability inside the web-application like e-commerce applications

Following is the list of tools that can be used for simple as well as complex assessment:

Tool Name	Purpose	Portability	Expected Cost
Hping	Port Scanning Remote OC fingerprinting	Linux, NetBSD, FreeBSD, OpenBSD,	Free
Nmap	Network Scanning Port Scanning OS Detection	Linux, Windows, FreeBSD, OS X, HP-UX, NetBSD, Sun, OpenBSD, Solaris, IRIX, Mac, etc.	Free
SuperScan	Runs queries including ping, whois, hostname lookups, etc. Detects open UDP/TCP ports and determines which services are running on those ports.	Windows 2000/XP/Vista/7	Free
p0f	Os fingerprinting Firewall detection	Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, Windows, and AIX	Free
Xprobe	Remote active OS fingerprinting Port Scanning TCP fingerprinting	Linux	Free
Httprint	Web server fingerprinting SSL detection Detect web-enabled devices (e.g., wireless access points, switches, modems, routers)	Linux, Mac OS X, FreeBSD, Win32 (command line & GUI	Free
Nessus	Detect vulnerabilities that allow a remote cracker to control/access sensitive data	Mac OS X, Linux, FreeBSD, Apple, Oracle Solaris, Windows	Free to limited edition
GFI LANguard	Detect network vulnerabilities	Windows Server 2003/2008, Windows 7 Ultimate/ Vista, Windows 2000 Professional, Business/XP, Server 2000/2003/2008	Only Trial Version Free
Iss Scanner	Detect network vulnerabilities	Windows 2000 Professional with SP4, Windows Server 2003 Standard with SO1, Windows XP Professional with SP1a	Only Trial Version Free
Shadow Security Scanner	Detect network vulnerabilities, audit proxy and LDAP servers	Windows but scan servers built on any platform	Only Trial Version Free
Metasploit Framework	Develop and execute exploit code against a remote target Test vulnerability of computer systems	All versions of Unix and Windows	Free
Brutus	Telnet, FTP, and Http password cracker	Windows 9x/NT/2000	Free

What are the different methods of Penetration Testing?

1) External Testing: This method aims the assets of an organization that is visible on the internet to gain access and also extra valuable data.

2) Internal Testing: The tester with this access to an application or system behind its firewall ais simulated by an attack by the malicious insider.

3) Blind Testing: The pen tester here is only given the name of the organization so that the system security personnel get a real-time look at how an actual application or system assault happens.

4) Double-Blind Testing: Here, the security personnel within the organization would have no idea regarding the assault same as like it happens in real attempted breaches.

Read: List of Top 12 Software Performance Testing Tools to Help You The Most!

5) Targeted Testing: In this method, the pen tester and the security personnel both work together for the vulnerabilities. This is a valuable method as it offers instant suggestions from the hacker’s point of view.

Manual Penetration vs. Automated Penetration Testing

As the name suggests, manual pen-testing is performed by human beings who are expert in this field, and automated pen-testing is performed by machine only.

Manual Penetration Testing	Automated Penetration Testing
Manual Testing requires expert professionals to run the tests	Automated test tools provide clear reports with less experienced professionals
Manual Testing requires Excel and other tools to track it	Automation Testing has centralized and standard tools
In Manual Testing, sample results vary from test to test	In the case of Automated Tests, results do not vary from test to test
Memory Cleaning up should be remembered by users	Automated Testing will have comprehensive cleanups
The methods included in manual pen-testing are data collection, vulnerability assessment, actual exploit, report preparation, etc.	The automated pen-testing is performed by using pen-testing tools like Nmap, Aircrack-ng, Wifiphisher, Burp Site, OWASP ZAP, etc.
Manual penetration testing is of two types- Focused manual pen-testing and Comprehensive manual pen-testing.	Automated pen-testing can be any of the three types: Black box pen-testing, white box pen-testing, and grey box pen-testing.

 Penetration Testing Sample Test Cases

• Check if the web application can identify spam attacks on contact forms used on the website
• Proxy server – Check if network traffic is monitored by proxy appliances. The proxy server makes it difficult for hackers to get internal details of the network thus protecting the system from external attacks
• Spam email filters – Authenticate if incoming and outgoing email traffic is filtered and unsolicited emails are blocked. Many email clients come with inbuilt spam filters which need to be configured as per your needs. These configuration rules can be applied to email headers, subject, or body.
• Firewall – Make sure the entire network or computers are protected with Firewall. A Firewall can be software or hardware to block unauthorized access to a system. A Firewall can prevent sending data outside the network without your permission.
• Try to exploit all servers, desktop systems, printers, and network devices.
• Authenticate that all usernames and passwords are encrypted and transferred over secured connection like https.
• Authenticate information stored in website cookies. It should not be in a readable format.
• Authenticate previously found vulnerabilities to check if the fix is working.
• Authenticate if there is no open port in the network.
• Authenticate all telephone devices.
• Authenticate Wifi network security.
• Authenticate all HTTP methods. PUT and Delete methods should not be enabled on a web server.
• Authenticate if the password meets the required standards. The password should be at least eight characters long containing at least one number and one special character.
• Username should not be like “admin” or “administrator.”
• The application login page should be locked upon a few unsuccessful login attempts.
• Error messages should be generic and should not mention specific error details like “Invalid username” or “Invalid password.”
• Authenticate if special characters, HTML tags, and scripts are handled properly as an input value.
• Internal system details should not be revealed in any of the error or alert messages.
• Custom error messages should be displayed to end user in case of web page crash.
• Authenticate use of registry entries. Sensitive information should not be kept in the registry.
• All files must be scanned before uploading to the server.
• Sensitive data should not be passed in URLs while communicating with different internal modules of the web application.
• There should not be any hard-coded username or password in the system.
• Authenticate all input fields with long input string with and without spaces.
• Authenticate if reset password functionality is secure.
• Authenticate application for SQL Injection.
• Authenticate application for Cross-Site Scripting.
• Important input validations should be done at server side instead of JavaScript checks at the client-side.
• Critical resources in the system should be available to authorized persons and services only.
• All-access logs should be maintained with proper access permissions.
• Authenticate user session ends upon log off.
• Authenticate that directory browsing is disabled on the server.
• Authenticate that all applications and database versions are up to date.
• Authenticate URL manipulation to check if a web application is not showing any unwanted information.
• Authenticate memory leak and buffer overflow.
• Authenticate if incoming network traffic is scanned to find Trojan attacks.
• Authenticate if the system is safe from Brute Force Attacks – a trial and error method to find sensitive information like passwords.
• Authenticate if system or network is secured from DoS (denial-of-service) attacks. Hacker can target network or a single computer with continuous requests due to which resources on the target system gets overloaded resulting in the denial of service for legit requests.
• Authenticate application for HTML script injection attacks.
• Authenticate against spoofing attacks. Spoofing can be of multiple types – IP address spoofing, Email ID spoofing, ARP spoofing, Referrer spoofing, Caller ID spoofing, Poisoning of file-sharing networks, GPS spoofing.
• Check for uncontrolled format string attack – a security attack that can cause the application to crash or execute the harmful script on it.
• Authenticate XML injection attack – used to alter the intended logic of the application.
• Authenticate if the error pages are displaying any information that can be helpful for a hacker to enter into the system.
• Authenticate if any critical data like the password is stored in secret files on the system.
• Authenticate if the application is returning more data than it is required.

 What to do next?

So, at the end of this write-up, you are now familiar with what Penetration testing is, its phases, types, tools, and the various penetration testing test scenarios. Penetration testing has always been a bumpy ride. But remember, to create new standards and enjoy this ride. Tell us in the comments section below when are you planning to perform your first hack?

Read: Differences Between Black Box Testing and White Box Testing