What Is Penetration Testing? Tools and Techniques

By Fortra's Digital Defense

We live in an online world in which more and more people rely on services provided over the internet. Being able to access so much through a smartphone has certainly ushered in a great deal of convenience. No more trips to the bank to deposit paychecks and no more weekends stuck behind a shopping cart—today, with a few clicks, we can transfer money and order much-needed supplies online from Amazon. 

What many people do not realize, however, is that with these online conveniences come risks in the form of data breaches and security threats. To keep our sensitive information safe, companies must routinely run penetration tests (or pen tests) to reveal security flaws.

Purpose of Penetration Testing

A penetration test is sometimes called a “white hat” attack (or ethical hacking) because the organization's own system managers try to circumvent their security measures to expose vulnerabilities. Pen testing is a preemptive strategy, also referred to as offensive security.

In the world of IT, such tests are critical because they identify security risks that hackers and identity thieves may try to exploit. In a way, penetration tests are like medieval knights, walking the perimeter of their castle, testing for cracks or any weaknesses that might allow enemies to gain access.

In addition to spotting vulnerabilities in a system, penetration testing also reveals how well employees adhere to the organization's security policy and how they respond to data breaches or attempted breaches. Penetration tests are like simulations or drills: they expose weaknesses within a system while training the responsible staff on proper response measures.

Armed with the results of a pen test, organizations can better allocate resources and, therefore, maximize security protocols.

Causes of Computer System Vulnerabilities

  1. Communication Devices: Telephones, internet connections, and mobile networks present possible areas of weakness in a system. Many of these devices run no software to protect against viruses and malware, so they are especially susceptible to attackers who exploit their vulnerabilities.
  2. Poor Staff Training: If staff members do not receive training to follow proper security protocols, they can inadvertently put the company at risk. Weak staff passwords and susceptibility to phishing make employees a possible target.
  3. Lack of Security Test Professionals: Some companies fail to staff enough security testing professionals. Without this oversight, network breaches can go unnoticed and untested.
  4. Data Input: The normal flow of data through a system can carry malicious code that attacks the system. Without pen tests, this code can sit unnoticed and record sensitive information, like usernames and passwords.
  5. Passwords: Unfortunately, not everyone keeps passwords secure, which makes a system vulnerable to attack. Moreover, many passwords are weak and easy to crack. A test requiring that passwords meet certain thresholds can improve the overall integrity of a network.
  6. Intricacy: Systems that are complex and feature-rich present more areas of attack. Today, with more and more services and data accessible through mobile devices, testing experts have a uniquely challenging responsibility.
  7. Connections: Computers that are part of a network are vulnerable to hacking. Systems must connect with outside ports, but each external login port represents a possible breach point.
  8. Human Error: Sharing passwords, coding errors, failure to destroy documents properly—these types of mistakes can lead to a compromised computer system.
  9. Poorly Designed Computer Network: How a computer system is configured affects its security; well-designed systems eliminate loopholes. Pen tests look for installation weaknesses before hackers can exploit them.
  10. A Hardware, Software, or Web Application Error: Flaws in computer hardware and software can leave open pathways that criminals can use to gain mainframe access.   

How Often You Should Perform a Penetration Test (Simulated Attack)

Pen testers suggest that security teams perform penetration tests at least once a year. Smaller companies may not be able to afford pen tests every year, opting to test every other year; anything beyond that is really putting network security at risk. Other times to order a penetration test:

  • If the company has changed its user policy
  • After installing or updating hardware or software
  • If the organization has opened a new location
  • After adding a patch or new code to the network infrastructure or a web application

Some companies and industries store extremely sensitive information, and the law requires them to perform penetration testing a certain number of times a year to maintain proper network security.

Types of Pen Tests and Simulated Attacks

For a penetration test to be effective, the pen testers (the security team) should be focused and specific. Any attempt to test all systems leads to superficial results. It is always best to zero in on various aspects of computer systems like social engineering, networks, IoT, and web applications.

Social Engineering: One of the most vulnerable aspects of a company’s system is the staff. Human error is very often responsible for security breaches in the form of phishing. When criminals use phishing techniques, they attempt to trick employees into revealing their security credentials by sending them fake emails. 

Sometimes, phishing attacks include malware that sits unnoticed on electronic devices, collects information, and transfers it to hackers. Pen tests that examine employees include simulated phishing attacks to discover who is susceptible. Pen testers then use this information to train employees to recognize and avoid such tactics.

Testing Networks: A company network (including its wireless networks) presents challenging security testing obstacles because incorrectly configured components, like routers, switches, and network hosts, give criminals openings to exploit. Other parts of a network that present vulnerabilities are customer login ports, websites, and mail servers. Any time a system contacts an outside source, a chance exists for a breach.

Testing IoT (Internet of Things): Many devices connect to the internet in our modern world. Today, people control their lights, alarms, and security cameras remotely. This remote access presents unique challenges for security experts doing penetration testing. 

Each of these devices is a potential entry point of attack, so pen testers need to make sure that each of these devices implements the highest level of protection. The physical device and firmware need close examination because any misconfigurations can lead to potential organization breaches.

Testing Web Applications: Pen tests that examine web applications look for injection vulnerabilities, coding errors, and broken authentication. These tests look closely at the application's source code, its possible vulnerabilities, and its relationship with the entire infrastructure and the web application firewall.

Penetration Testing Stages

Planning and Reconnaissance: A well-executed pen test begins by discussing goals and answering some fundamental questions, like what part of the system to test and who will know about the penetration test.

All penetration testing needs to begin with a review of all architecture in order to understand the system. Testers and security experts need to understand its function and the security risks if it should become compromised.

Scanning Network Infrastructure (Information Gathering): In this phase, a pen tester, like an ethical hacker, gathers as much information as they can before testing. Just as real-world criminals do, the penetration tester wants to learn about the operating systems, security policies, the organization, and its employees. This information can help them exploit weaknesses.

Gaining Access: This is the active part of the testing. Armed with data and system knowledge, penetration testers begin looking for weaknesses. They should explore every possible entry vector. Hackers who exploit vulnerabilities in the real world are tenacious, so penetration testers must be just as diligent when pen-testing.

Maintaining Access: The most effective attacks allow criminals to gain access for long periods of time; therefore, penetration teams should focus on establishing a long-term presence in the system and maintaining access to sensitive data.

Test Reports and Analysis: When all testing is over, the time comes to gather the data and form a penetration-testing report. The testing analysis should be very thorough and include specific details about the test techniques used. Organizations need to know just how far into the system penetration testers were able to get and what information they were able to uncover. 

Lastly, the report should provide suggestions for improvement, ways the company might avoid an actual cyber attack in the future, and guidelines for remediating the vulnerabilities found.

Sanitation after Penetration Testing: Penetration testers and security experts should remove any code or software tools the team has used. If they are left behind after a pen test, real attackers might use them to gain entry.

Review Testing and Post-Mortem Pen Test: The key to security is repetition. This explains why law enforcement organizations run endless drills, so when the real thing happens, team members can react instinctually. Cyber security is no different; the most secure systems receive constant tests. After every pen test, an organization's security leadership should consider the findings of penetration testing thoughtfully. 

A pen tester is an ethical hacker who prepares detailed notes on methods, and this information often points to systemic issues. For example, many employees fail to recognize the danger of phishing attacks, and as a result, they expose their login details to criminals. Effective remediation would include staff training and policy changes. 

A single pen test is like a snapshot in time. Multiple tests need to occur to build a more comprehensive view of a company’s security profile. To get the most out of each pen test, the findings need prioritization. Not every security issue can cause the same amount of damage, so the security team should focus on the areas that present the greatest threat to the organization.

Penetration Testing Tools and Software Applications

For penetration testers (ethical hackers and security professionals) to be effective, they need to think creatively in their information gathering and penetration testing. Such professionals must rely on several types of automated tools that do most of the number-crunching for them. 

These real-time testing tools scan code and look for entry points or areas of weakness that might allow access. The best penetration tools are adaptable, easy to configure, and able to generate detailed test reports.

John the Ripper is an open-source password-cracking tool designed to crack passwords offline. It starts with a likely word list, which it then mutates. Most people use brief passwords, so John the Ripper is often successful in recovering them.

Wireshark is a network protocol analyzer used to test the strength of a company’s network. It captures traffic to diagnose TCP/IP connection problems and can decrypt and dissect many different protocols.

Nmap, which stands for “network mapper,” scans ports and looks for vulnerabilities. It is an industry standard for testing which ports are publicly open.

The Metasploit Project is an open-source program useful for finding security weaknesses on servers, networks, and applications. Users program the software to test specific areas of the network and then let the program automate the pen-test workload.

Kali Linux, formerly called BackTrack Linux, is a Linux distribution that bundles penetration-testing tools and serves as a foundation for pen testing.

Hashcat is a competitor to John the Ripper; an ethical hacker uses it to crack hashed passwords in pen tests.

Hydra tests and breaks online logins for services such as RDP, IRC, IMAP, FTP, and SSH.

Burp Suite is an expensive web vulnerability testing tool used by pen-testing professionals. After selecting a web target, it scans relentlessly for vulnerabilities in the application.

Zed Attack Proxy gathers information by sitting between the browser and a web application as a proxy and monitoring the traffic during pen tests.

Sqlmap, an open-source tool, looks for SQL injection flaws and can use them to take over database servers during a pen test.

Aircrack-ng is useful to test the strength of a Wi-Fi network during a pen test.

Penetration Test Strategies, Application Security, and IT infrastructure

Before initiating any penetration test, a tester should define the breadth of the attack scenarios and the pen-testing methodology: in other words, which systems and security policies will be tested and which techniques the company will use to improve its network and application security posture.

Real-Time Targeted Testing is sometimes called “lights turned on” because it tests a system in plain sight; both the company security team and the penetration testing team are aware of the test and observe the pen testing progress and results.

External testing, as the name suggests, focuses on the elements that face the outside, like web application servers, firewalls, email servers, and domain name servers. Pen testers work to gain access through these vectors and travel as deep as they can into the system.

Internal penetration testing combats the occasional disgruntled employee who may try to cause damage to a company’s network. A pen tester gets the appropriate level of clearance and then explores how many sensitive systems could be in jeopardy.

Blind testing provides just the company name to those doing penetration testing. The pen team and ethical hackers need to perform all the penetration-testing reconnaissance, which can take a long time and cost a lot of money. However, this pen testing is very realistic because it mirrors the type of situation that most criminals encounter when trying to gain access to computer systems and potential vulnerabilities.

Double-blind testing is when a minimal number of people know about the test. Departments aren’t able to prepare for penetration testing, so pen testing reveals how a security team responds to security gaps and data vulnerabilities.

Black box testing is similar to blind testing, but the penetration team does not receive any information. It can only use data gathered once the security pen testing begins.

White box testing provides information like source code, infrastructure schematics, and IP addresses to penetration testing teams.

User Risk—Phishing, Vishing, Smishing, and Other Security Weaknesses

System users present one of the most vulnerable aspects of a security posture. Human error is easily exploitable, so it is no wonder that criminals focus their efforts there. One of the primary ways criminals gain entry to a system and bypass security controls is by cracking usernames and passwords on a mainframe or web application. Unfortunately, many people have weak, easily broken passwords. Companies also see phishing attacks that trick employees into entering their data, which hackers then use to enter the system. 

Phishing is one of the easiest ways for criminals to penetrate a system. Basically, the attack comes in the form of an email. It includes a message that seems official and important, often about a password reset. The email is designed to appear official and, at first glance, seems to have all the right criteria. Upon closer examination, however, the sender's address is misspelled, and the link points to a URL that is close to the company website but just slightly off. These phishing emails trick people into entering their usernames and passwords, which the phishers then use to log in as them.
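As an added example (not from Fortra's article), the following Python flags sender addresses whose domain is a near miss of the company's own domain, the tell-tale sign described above; the corporate domain and the sample From: headers are constructed for illustration.

```python
"""Flag sender domains that imitate a company's domain (constructed example)."""
import re

# Constructed: the organization's legitimate domain and a few sample From: headers.
CORPORATE_DOMAIN = "example-corp.com"
SAMPLE_HEADERS = [
    "IT Helpdesk <it-support@example-corp.com>",      # genuine
    "Security <alerts@mail.example-corp.com>",        # genuine sub-domain
    "IT Helpdesk <reset@examp1e-corp.com>",           # digit 1 in place of letter l
    "Admin <admin@exarnple-corp.com>",                # 'rn' in place of 'm'
    "Payroll <hr@example-corp.co>",                   # truncated TLD
    "Newsletter <news@totally-different.org>",        # unrelated sender
]

# Character sequences attackers swap for visually similar ones.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Lower-case, strip a leading 'www.' and fold look-alike characters."""
    d = domain.lower().strip().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character changes needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""

def classify(from_header: str, legit: str = CORPORATE_DOMAIN) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for one From: header."""
    dom = sender_domain(from_header)
    if not dom:
        return "external"
    if dom == legit or dom.endswith("." + legit):
        return "legitimate"
    # Compare only the registrable part, so mail.examp1e-corp.com is caught too.
    base = ".".join(normalize(dom).split(".")[-2:])
    if base == normalize(legit) or levenshtein(base, normalize(legit)) <= 2:
        return "lookalike"
    return "external"

def flagged(headers: list) -> list:
    """Headers whose sender domain imitates the corporate domain."""
    return [h for h in headers if classify(h) == "lookalike"]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify(header):10s} {header}")
```

The edit-distance threshold of 2 is a tuning choice; a mail gateway would pair this check with a list of the organization's own approved sending domains to avoid flagging legitimate partners.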

In addition to collecting login information, phishing emails also deliver malware, or malicious software designed to run on a system and collect sensitive information. By opening attachments or links in emails, including targeted ones (spear phishing), employees can easily allow ransomware, worms, and crypto-mining programs onto the servers.

Criminals also use phone calls to get important information. This is called vishing. Either a person or an automated system calls, claiming to represent a company, and asks the target to confirm certain pieces of information over the phone or enter them into the keypad. Attackers often pose as bank or credit card officials and suggest that a response is urgent and needed to protect the account. Most people are conditioned to obey and trust authority, so they willingly offer up sensitive details about their accounts.

One of the newest user-risk vulnerabilities is smishing, an attack delivered through text or messaging apps on mobile devices. Most phones do not run any anti-virus software, so malicious software installed this way can remain undetected, collecting private information and spreading to other computers and phones.

10 Recent Cyber Attack Data Breaches

Over the last decade, data breaches and security weaknesses have exposed billions of consumer records, which means that a vast number of Americans have had one or more of their accounts compromised. When this happens, it shakes consumer confidence, and businesses lose revenue.

  1. Yahoo: In 2013, 500 million accounts were compromised, exposing sensitive data: users' real names, birth dates, addresses, email addresses, and phone numbers. The hack cost Yahoo an estimated $350 million in value.
  2. UnderArmour: In March of 2018, criminals gained access to this company’s fitness app MyFitnessPal and hacked 143.6 million records. They were able to enter through a backend database and uncovered usernames, addresses, and passwords. 
  3. Adobe: In 2013, criminals stole the credit card/debit card information, names, and passwords of 150 million users. 
  4. Republican National Committee: In June of 2017, 198 million people living in the United States had their personal information exposed to the public when security firm Deep Root Analytics failed to secure its servers. Exposed to the public were birthdays, home addresses, phone numbers, and political views.
  5. Equifax: In September 2017, criminals exposed 147 million records using a weakness in the company's system to retrieve social security numbers, credit card numbers, and birthdates. In the end, Equifax agreed to pay $700 million after an investigation uncovered a vulnerability that the company had never patched.
  6. Zynga: In September 2019, hackers retrieved 218 million records, including login IDs, phone numbers, and Facebook IDs.
  7. Exactis: 340 million records became compromised. A database flaw in an unsecured server allowed the exposure of sensitive data, email addresses, phone numbers, home addresses, and (probably most disturbing) information about children in the household.
  8. Dubsmash: In February of 2019, criminals stole 162 million records that included names, email addresses, phone numbers, and passwords.
  9. eBay: In 2014, hackers accessed the entire database of 145 million users, compromising names, birthdates, addresses, and encrypted passwords.
  10. LinkedIn: 165 million user accounts became exposed in 2012, which allowed criminals to mine email addresses and passwords and then later post the information for sale on a Russian website. 

Security Controls to Transform Your Long-Term Security Testing Posture

Exposing system vulnerabilities should become part of an organization’s culture. Instead of looking at pen tests as just one more obstacle to overcome or a test to pass, companies should embrace each test as a way to identify weaknesses and prevent catastrophic data loss and possible lawsuits. If a company adopts penetration testing security as part of its culture, it is much less likely to make mistakes. Therefore, pen tests also serve as a constant reminder that threats are ever-present, so diligence to security protocols is paramount.

About Digital Defense

Our SaaS platform supports Fortra Vulnerability Management, Web Application Scanning, and Active Threat Sweep that together provide:

  • Asset discovery and tracking
  • OS and web application risk assessment
  • Targeted malware threat assessment
  • Machine learning features that leverage threat intelligence
  • Agentless & agent-based scanning
  • Penetration testing for networks, mobile applications, and web applications
  • Compliance management (one of the world’s longest-tenured PCI Approved Scanning Vendors)

Our SaaS platform virtually eliminates the false positives associated with legacy vulnerability management solutions, while also automating the tracking of dynamic and transient assets and prioritizing results based on business criticality.

Where Should You Start With Penetration Testing?

Get answers to your pen testing questions with the Penetration Testing: What You Need To Know Now Guide and learn how it can help improve your cybersecurity strength.
