To protect your application, system, or network from vulnerabilities, the best way would be to know the loopholes of the system along with its protection measures. To perform penetration testing, there is no need for any prior knowledge or background experience in hacking. With this write up, you can start as a newbie and can become an expert in penetration testing and website security to protect your hardware and software downtime and loss of data. Because, the protection of network and data are the most important for any business organization, and understanding HOW it is vulnerable is the best way to prevent your system from the various zombie attacks.
What is Penetration Testing?
Penetration Testing or Pen-testing is a process of testing the security weaknesses of an application, system, or network. If we want to check -
- Security of system or network
- the possibilities of our system or applications of being hacked or attacked
Let us understand it in a very simple way by taking an example of a house. There are multiple entry points in your house, that is doors and windows, and these are important to let you in and out of the house. However, you want only the people of your family or friends or the authorized people only should enter your house, nobody else. Now, you want to check the possibilities and weaknesses of the entry and exit systems of your house. To test this security, you can call a person who is proficient in checking such security methods so that this person will come and check your house for all the security measures.
To perform this, the security person will try to break to security and come into your house using all the possible means. At the end of this test, he will create a report where he’ll show all the security weaknesses in your house and will give you some recommendations. This is exactly what happens in a Pen Test. A person with expertise in Pen-testing or an authorized person in Pen-testing tries to enter into the application or system by breaking all the security measures, and then tries to find out all the security weaknesses and produces a report at the end. To ensure security, multiple security tests are being conducted.
Why is Penetration Testing necessary?
- To make your application, system, or network more secure
- To ensure that any unauthorized person or intruder does not break your system
- To secure user data
- To find security loopholes in an application or a system
- To access the business impact of successful attacks
- To prevent data breaches
- To check security controls
- To access exploit detection and effectiveness of response
- To implement an effective security strategy in the organization
What should be tested?
Read: What is UAT? User Acceptance Testing Best Practices
- Software (Operating system, services, applications, etc.)
- End-user behavior
Penetration Testing do’s and don’ts
When you are ready to become a Pen tester or ready to test the security of your system or applications, ensure that you only test the systems that you are legally allowed to test. For example, do not try to break any other systems, do not try to break into your friend’s social media account as these are illegal and wrong both. Also, make sure that you should not test your social media accounts or your system, as it will lock your account and system forever and you’ll lose your data.
It will be better to always have a separate system for test purposes so that if that account or system gets locked, then you are not worried. Also, always have a separate environment or a separate system to perform Penetration testing. Do not perform it on your laptop or system because it can crash your system, and then it can erase all the data and information stored on your system. If you want to test someone else’s system or the organization you are working in, it is better to have written proof from them before initializing Penetration testing.
Different phases of Penetration Testing
- Planning: In this phase, the scope is defined, including which system to test, goals, and objectives to achieve penetration test, the resources, and the tools required to employ for test execution.
- Discovery: In this phase, we collect as much as information we can collect about the system. The discovery phase is also called fingerprinting. Two more tasks are performed in this phase-
- Selection of proper pen-testing tools
- Gain access
- Scanning: In this phase, it becomes clear to the pen tester how the target app will respond to the intrusion attempts, which can be done in two ways:
- Static Analysis: Inspect an app’s code to see how it performs in a running state
- Dynamic Analysis:Provides a real-time view of how an app performs
- Attack: In this phase, the pen tester finds exploits for various vulnerabilities which he needs to exploit the security of the system.
- Report: In this phase, the pen tester documents all the results and findings in an effective manner. This report is used as a reference document while alleviating activities to address the identified vulnerabilities. After this phase, two things are considered-
- Maintain the access
- Analyze the system
Types of Penetration Testing
The type of penetration testing depends upon the scope and the organizational requirements. Penetration testing is of three types: -
- Black Box Testing: The fact is that the tester here has no idea about the system initially. The pen tester collects all information related to the system before he or she starts working on it.
- Grey Box Testing: The pen tester, in this case, is provided with partial or limited knowledge about the system.
- White Box Testing: It is a Penetration testing method in which the tester knows the configuration and details and use them to break into the security of accounts and applications and tries to find out how secure the application is! This type of pen-testing examines the code coverage and performs data flow testing, path testing, and loop testing.
Pen testers undertake the vulnerability finding approach before the attackers intrude in. The specific criteria to select the best penetration tool is listed below:
Read: What is Functional Testing? A Complete Tutorial Guide you need to know
- It should be easy to deploy, configure and use
- It should scan your system easily
- It should categorize vulnerabilities based on severity that needs an immediate fix
- It should be able to automate the verification of vulnerabilities
- It should re-Authenticate exploits found previously
- It should generate detailed vulnerability reports and logs
- Port Scanner: The tools included in this category collect information and personal data about a particular target from a remote environment
- Vulnerability Scanner: The tools included in this category are used to find if there are any known vulnerabilities in the system that is being targeted. It is subdivided into two categories:
- Application Scanner: These type of tools checks in for any type of vulnerability inside the web-application like e-commerce applications
||Port Scanning Remote OC fingerprinting
||Linux, NetBSD, FreeBSD, OpenBSD,
||Network Scanning Port Scanning OS Detection
||Linux, Windows, FreeBSD, OS X, HP-UX, NetBSD, Sun, OpenBSD, Solaris, IRIX, Mac, etc.
||Runs queries including ping, whois, hostname lookups, etc. Detects open UDP/TCP ports and determines which services are running on those ports.
||Os fingerprinting Firewall detection
||Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, Windows, and AIX
||Remote active OS fingerprinting Port Scanning TCP fingerprinting
||Web server fingerprinting SSL detection Detect web-enabled devices (e.g., wireless access points, switches, modems, routers)
||Linux, Mac OS X, FreeBSD, Win32 (command line & GUI
||Detect vulnerabilities that allow a remote cracker to control/access sensitive data
||Mac OS X, Linux, FreeBSD, Apple, Oracle Solaris, Windows
||Free to limited edition
||Detect network vulnerabilities
||Windows Server 2003/2008, Windows 7 Ultimate/ Vista, Windows 2000 Professional, Business/XP, Server 2000/2003/2008
||Only Trial Version Free
||Detect network vulnerabilities
||Windows 2000 Professional with SP4, Windows Server 2003 Standard with SO1, Windows XP Professional with SP1a
||Only Trial Version Free
|Shadow Security Scanner
||Detect network vulnerabilities, audit proxy and LDAP servers
||Windows but scan servers built on any platform
||Only Trial Version Free
||Develop and execute exploit code against a remote target Test vulnerability of computer systems
||All versions of Unix and Windows
||Telnet, FTP, and Http password cracker
What are the different methods of Penetration Testing?
1) External Testing: This method aims the assets of an organization that is visible on the internet to gain access and also extra valuable data.
2) Internal Testing: The tester with this access to an application or system behind its firewall ais simulated by an attack by the malicious insider.
3) Blind Testing: The pen tester here is only given the name of the organization so that the system security personnel get a real-time look at how an actual application or system assault happens.
4) Double-Blind Testing: Here, the security personnel within the organization would have no idea regarding the assault same as like it happens in real attempted breaches.
Read: What is Unit Testing? Unit Testing Tutorial Guide for Beginners
5) Targeted Testing: In this method, the pen tester and the security personnel both work together for the vulnerabilities. This is a valuable method as it offers instant suggestions from the hacker’s point of view.
Manual Penetration vs. Automated Penetration Testing
As the name suggests, manual pen-testing is performed by human beings who are expert in this field, and automated pen-testing is performed by machine only.
|Manual Penetration Testing
||Automated Penetration Testing
|Manual Testing requires expert professionals to run the tests
||Automated test tools provide clear reports with less experienced professionals
|Manual Testing requires Excel and other tools to track it
||Automation Testing has centralized and standard tools
|In Manual Testing, sample results vary from test to test
||In the case of Automated Tests, results do not vary from test to test
|Memory Cleaning up should be remembered by users
||Automated Testing will have comprehensive cleanups
|The methods included in manual pen-testing are data collection, vulnerability assessment, actual exploit, report preparation, etc.
||The automated pen-testing is performed by using pen-testing tools like Nmap, Aircrack-ng, Wifiphisher, Burp Site, OWASP ZAP, etc.
|Manual penetration testing is of two types- Focused manual pen-testing and Comprehensive manual pen-testing.
||Automated pen-testing can be any of the three types: Black box pen-testing, white box pen-testing, and grey box pen-testing.
Penetration Testing Sample Test Cases
- Check if the web application can identify spam attacks on contact forms used on the website
- Proxy server – Check if network traffic is monitored by proxy appliances. The proxy server makes it difficult for hackers to get internal details of the network thus protecting the system from external attacks
- Spam email filters – Authenticate if incoming and outgoing email traffic is filtered and unsolicited emails are blocked. Many email clients come with inbuilt spam filters which need to be configured as per your needs. These configuration rules can be applied to email headers, subject, or body.
- Firewall – Make sure the entire network or computers are protected with Firewall. A Firewall can be software or hardware to block unauthorized access to a system. A Firewall can prevent sending data outside the network without your permission.
- Try to exploit all servers, desktop systems, printers, and network devices.
- Authenticate that all usernames and passwords are encrypted and transferred over secured connection like https.
- Authenticate information stored in website cookies. It should not be in a readable format.
- Authenticate previously found vulnerabilities to check if the fix is working.
- Authenticate if there is no open port in the network.
- Authenticate all telephone devices.
- Authenticate Wifi network security.
- Authenticate all HTTP methods. PUT and Delete methods should not be enabled on a web server.
- Authenticate if the password meets the required standards. The password should be at least eight characters long containing at least one number and one special character.
- Username should not be like “admin” or “administrator.”
- The application login page should be locked upon a few unsuccessful login attempts.
- Error messages should be generic and should not mention specific error details like “Invalid username” or “Invalid password.”
- Authenticate if special characters, HTML tags, and scripts are handled properly as an input value.
- Internal system details should not be revealed in any of the error or alert messages.
- Custom error messages should be displayed to end user in case of web page crash.
- Authenticate use of registry entries. Sensitive information should not be kept in the registry.
- All files must be scanned before uploading to the server.
- Sensitive data should not be passed in URLs while communicating with different internal modules of the web application.
- There should not be any hard-coded username or password in the system.
- Authenticate all input fields with long input string with and without spaces.
- Authenticate if reset password functionality is secure.
- Authenticate application for SQL Injection.
- Authenticate application for Cross-Site Scripting.
- Critical resources in the system should be available to authorized persons and services only.
- All-access logs should be maintained with proper access permissions.
- Authenticate user session ends upon log off.
- Authenticate that directory browsing is disabled on the server.
- Authenticate that all applications and database versions are up to date.
- Authenticate URL manipulation to check if a web application is not showing any unwanted information.
- Authenticate memory leak and buffer overflow.
- Authenticate if incoming network traffic is scanned to find Trojan attacks.
- Authenticate if the system is safe from Brute Force Attacks – a trial and error method to find sensitive information like passwords.
- Authenticate if system or network is secured from DoS (denial-of-service) attacks. Hacker can target network or a single computer with continuous requests due to which resources on the target system gets overloaded resulting in the denial of service for legit requests.
- Authenticate application for HTML script injection attacks.
- Authenticate against spoofing attacks. Spoofing can be of multiple types – IP address spoofing, Email ID spoofing, ARP spoofing, Referrer spoofing, Caller ID spoofing, Poisoning of file-sharing networks, GPS spoofing.
- Check for uncontrolled format string attack – a security attack that can cause the application to crash or execute the harmful script on it.
- Authenticate XML injection attack – used to alter the intended logic of the application.
- Authenticate if the error pages are displaying any information that can be helpful for a hacker to enter into the system.
- Authenticate if any critical data like the password is stored in secret files on the system.
- Authenticate if the application is returning more data than it is required.
What to do next?
So, at the end of this write-up, you are now familiar with what Penetration testing is, its phases, types, tools, and the various penetration testing test scenarios. Penetration testing has always been a bumpy ride. But remember, to create new standards and enjoy this ride. Tell us in the comments section below when are you planning to perform your first hack?
Read: Load Testing Tutorial Guide for Beginner
Testing Vs. Different Technologies
- AWS & Fundamentals of Linux
- Amazon Simple Storage Service
- Elastic Compute Cloud
- Databases Overview & Amazon Route 53
6 days 28 Sep 2020
- Intro to DevOps
- GIT and Maven
- Jenkins & Ansible
- Docker and Cloud Computing
4 days 26 Sep 2020
- Data Science Introduction
- Hadoop and Spark Overview
- Python & Intro to R Programming
- Machine Learning
2 days 24 Sep 2020
- Architecture, HDFS & MapReduce
- Unix Shell & Apache Pig Installation
- HIVE Installation & User-Defined Functions
- SQOOP & Hbase Installation
17 days 09 Oct 2020
- Salesforce Configuration Introduction
- Security & Automation Process
- Sales & Service Cloud
- Apex Programming, SOQL & SOSL
-0 day 22 Sep 2020
- Introduction and Software Testing
- Software Test Life Cycle
- Automation Testing and API Testing
- Selenium framework development using Testing
8 days 30 Sep 2020
- BA & Stakeholders Overview
- BPMN, Requirement Elicitation
- BA Tools & Design Documents
- Enterprise Analysis, Agile & Scrum
3 days 25 Sep 2020
MS SQL Server
- Introduction & Database Query
- Programming, Indexes & System Functions
- SSIS Package Development Procedures
- SSRS Report Design
3 days 25 Sep 2020
- Features of Python
- Python Editors and IDEs
- Data types and Variables
- Python File Operation
7 days 29 Sep 2020
- Components of AI
- Categories of Machine Learning
- Recurrent Neural Networks
- Recurrent Neural Networks
2 days 24 Sep 2020
- Introduction to Machine Learning & Python
- Machine Learning: Supervised Learning
- Machine Learning: Unsupervised Learning
5 days 27 Sep 2020
- Introduction to Tableau Desktop
- Data Transformation Methods
- Configuring tableau server
- Integration with R & Hadoop
3 days 25 Sep 2020
Receive Latest Materials and Offers on QA Testing Course