Penetration Testing: Process and Tools

Organizations use penetration testing to understand how information security personnel and processes perform in the event of an attack scenario. Penetration tests most commonly simulate an attack against a network, to discover weaknesses in an organization’s security posture, and ensure their security team is battle-tested. Read on to understand the benefits of penetration testing, how a pentester simulates an attack against an organization, and some of the common tools used in a real penetration test.

In this post you will learn:

• What is penetration testing
• Penetration testing phases
• Four common pentesting tools

What is Penetration Testing?

Penetration testing (also called pentesting) is a security practice in which ethical hackers attempt to breach an organization’s systems, in a controlled manner in what is known as the red team/blue team exercises. Objectives of a penetration test may include testing the procedures, readiness and teamwork of security staff, cooperation between in-house and outsourced security providers, security vulnerabilities and gaps, security tools and defenses, and incident response processes.

There are two sides to a penetration test:

• It is a realistic test that helps an organization discover its security weaknesses and remediate them
• It ensures security teams and tooling are up to date and “battle tested” — this is extremely important since real, large scale security incidents are rare, and attacker tools, techniques and procedures (TTPs) change over time.

Instead of waiting for a real breach to help an organization discover its weaknesses and test its security practices, a penetration test can do it in a controlled manner, allowing the organization to prepare.

Penetration tests are not limited to networks — they can also be performed against single web applications, or subsets of the network or infrastructure. Here are three common variations of penetration tests:

• Internal penetration test—the attack starts from within the network
• External penetration test—the attack begins from outside the perimeter
• Physical penetration test—the tester gains physical access to the organization using techniques like social engineering

Network Penetration Testing Phases

The penetration testing process emulates the cybersecurity kill chain. Penetration testers begin by planning their attack, scanning the target system for vulnerabilities, penetrating the security perimeter, and maintaining access without being detected.

1. Planning and Reconnaissance
The planning stage involves discussions with company stakeholders who ordered the test, to understand the goals and scope of the test, the systems to be tested, and testing methods. Some penetration tests may be open-ended and some may test specific malicious tactics, techniques and procedures (TTPs). Pentesters will also gather intelligence at this stage to understand the architecture of the target system, its network structure and security tooling.

2. Scanning
The scanning stage involves using automated tools to analyze the target systems. Pentesters commonly perform static analysis or dynamic analysis, checking the system’s code for bugs or security gaps. They also run vulnerability scans, looking for old or unpatched components that may be vulnerable to known exploits.

3. Gaining Access
Based on the previous stage, the pentester selects a weak point in the target system that they can use to penetrate. They may perform brute force or password cracking attacks to break through weak authentication, perform SQL injection or cross site scripting to run malicious code on the target system, or deliver malware into a system inside the security perimeter.

4. Maintaining Access
The pentester will typically act like an advanced persistent threat (APT), looking for ways to escalate privileges and perform lateral movement to gain access to sensitive assets. In this way, they can help the organization discover vulnerabilities of internal systems (not just those deployed on the security perimeter or network edge), and the security team’s ability to detect malicious activity inside the network.

5. Analysis
At the end of the penetration test, the pentester will compile a report detailing what vulnerabilities they discovered in their test (including those that were not actually exploited), how they breached the system, which internal systems or sensitive data they were able to compromise, whether they were detected, and how the organization responded. The organization can then use this data to remediate vulnerabilities, bolster security processes and adjust security tool configuration.

Four Common Penetration Testing Tools

Just like attackers, penetration testers cannot do their work without automated tools. Pentesters use tools to automatically scan a website to discover weak points, and to carry out their simulated attack. Here are a few highly effective tools commonly used in penetration tests.

Kali Linux
Kali is a free tool developed by Offensive Security, and is the most common penetration testing operating system. It can be run directly on a machine, or as a virtual machine on Windows or OS X. Kali comes with over 100 penetration testing tools, which can help with information gathering, vulnerability analysis, exploitation, wireless attacks, forensics, web application attacks, stress testing, sniffing, password attacks, and more.

Burp Suite
Burp Suite is a commercial web vulnerability scanner that can identify over 100 vulnerabilities, including SQL injection, cross-site scripting (XSS) and the rest of the OWASP top 10. It provides a web application crawler with a full JavaScript analysis engine, including both static (SAST) and dynamic code analysis (DAST), to detect vulnerabilities in client-side JavaScript.

nmap
nmap (Network Mapper) is a free tool that shows which ports are open, what’s running on the ports, understanding network paths and performing an inventory of assets on a target network. An advantage is that nmap is a legitimate tool that is legal and commonly used on corporate networks for legitimate purposes.

John the Ripper
John the Ripper is an open source tool that cracks encryption and carries out brute force password attacks. It can crack passwords using lists of common words in over 20 languages, custom keyword lists, using mangling rules to try different variations of each word. It is a very robust tool that can run on a local machine for as long as needed to crack a set of passwords.

Catching Penetration Testers — and Real Attackers

Like real-world attackers, penetration testers only need to find one chink in the armor in order to break through perimeter defenses. Once they are in the network, they will carry out privilege escalation and lateral movement to deepen their hold and gain access to critical systems.

Traditional security tools are not enough to identify compromised accounts and see lateral movement as it happens across numerous IT systems and user accounts. The Exabeam Security Management Platform provides Advanced Analytics that can help your organization detect advanced threat techniques and insider threats and rapidly react to them. Whether it’s an external attacker, insider threat or penetration tester, Exabeam will help triage, investigate and block threats with minimal investment of security analyst resources.

Want to learn more about Information Security?
Have a look at these articles:

• Information security (InfoSec): The Complete Guide
• The 8 Elements of an Information Security Policy
• PCI Security: 7 Steps to Becoming PCI Compliant
• Cloud Security 101
• Threat Hunting: Tips and Tools
• IT Security: What You Should Know
• Machine Learning for Cybersecurity : Next-Gen Protection Against Cyber Threats
• Cyber Kill Chain: Understanding and Mitigating Advanced Threats