Penetration testing is the act of checking a computer system for exploitable vulnerabilities and other security risks. A penetration test, or pen test, is usually undertaken by an ethical hacker to find the vulnerabilities in computer systems. Organizations hire professional hackers to pen test their systems with pen testing tools before attackers do. To test an organization’s systems, the ethical hacker performs a vulnerability assessment and/or a penetration test through both external and internal attacks that are intended to break the system's security just as an attacker would; the difference is that an attacker's intent after this step is to steal or damage data or to disrupt the normal functioning of the system. Penetration testing is related to ethical hacking, and the terms can be used interchangeably; ethical hacking covers all areas of hacking and the techniques used in hacking, cyber crimes and other related cyber attack techniques.
Types of Penetration Testing
- Network Penetration Testing
- Web Penetration Testing
- Host / Server Penetration Testing
- Mobile Penetration Testing
The type of penetration testing depends on the organization’s requirements. The following are the major conditions for penetration testing.
- Black Box Penetration Testing: Black box penetration testing is a type of test conducted without prior information, meaning that the organization does not provide any information to the penetration tester before the job. The penetration tester is responsible for, or has agreed to, gathering the information himself in order to carry out the test on the organization’s system.
- White Box Penetration Testing: White box penetration testing (also known as clear box and open box testing) is when the organization provides some or a whole range of information about the systems and/or network, such as usernames, running services, OS details, IP addresses, etc. This information is provided before the test is carried out.
- Gray Box Penetration Testing: Gray box penetration testing is a type of testing in which partial or limited information about the system is provided to the penetration tester before the test. This type of test is usually carried out by an illicit external hacker who does not have full details about the organization’s system but is trying to gain access to the organization’s system/network with limited, illegally acquired information.
Penetration testing stages
The penetration testing process can be separated into five phases. The following are the stages in pen testing.
- Planning and reconnaissance: This is the first stage of penetration testing, in which the goals and objectives of the test are set, the systems are identified and documented, and information is gathered about the systems/network and about the testing methods to be used for scanning, in order to learn all possible vulnerabilities and other security risks.
- Scanning: Scanning is the second stage, in which the penetration tester uses automated pen testing tools to scan the target assets and discover vulnerabilities. The tester discovers additional systems, servers and other devices, and determines open ports and running services.
- Gaining access: This is the stage where the penetration tester makes active attempts on the target’s vulnerabilities. The tester exploits these vulnerabilities, typically by bypassing authentication, intercepting traffic, etc.
- Maintaining access: The goal of this stage is to achieve a persistent presence and remain undetectable in the exploited system using a backdoor.
- Analysis and Report: In this stage the results of the penetration test are reviewed and documented in a detailed report. Information in the report may include the vulnerabilities that were exploited, the data that was accessed, the amount of time taken and how long the tester remained undetected.
In penetration testing, report writing is an important and comprehensive task that makes clear to the organization the security risks and the solutions that must be carried out. The report must also include a proper explanation of the report's content and design, the risks and critical vulnerabilities discovered and the countermeasures that must take place, a detailed example of a testing report, and the penetration tester’s personal experience.