Software Testing | Penetration Testing
Introduction to penetration test:
A penetration test is commonly known as a pen test or pentest in ethical hacking. It is a form of cyberattack carried out to check the state of a system’s security. People often confuse the penetration test with the vulnerability assessment.
History of the Penetration test:
In 1965, security concerns rose because many thought that communication lines could be penetrated and that an attacker/hacker might be able to obtain the data being exchanged between one person and another. At an annual joint conference in 1967, various computer experts made the same point: communication lines can be penetrated. The idea of penetration testing arose when a corporation found a major threat to internet communications. This led many organizations to assign a team to look for vulnerabilities in computer networks or systems, in order to protect them from unauthorized access.
What is a penetration test?
It is a form of cyberattack done to understand the state of a system’s security. People often confuse this test with the vulnerability assessment. A penetration test is composed of methods or instructions whose main aim is to test the organization’s security. This test has proved helpful to organizations because it finds vulnerabilities and checks whether an attacker/hacker would be able to exploit them to gain unauthorized access.
Difference between vulnerability Assessment and penetration test
Vulnerability Assessment:- This test should not be confused with the penetration test. The main aim of the vulnerability assessment is to find the vulnerabilities in an asset and document them in an organized manner.
Penetration test:- This test is done to see whether an attacker/hacker can exploit the vulnerabilities or not. If exploitation is possible, those vulnerabilities are documented.
Penetration Testing Process:
The penetration testing process includes five phases:
This phase is also known as the planning phase. In this phase, important information about the target system is gathered.
In this phase, different scanning tools are used to determine the response of the system towards an attack. Vulnerabilities of the system are also checked.
- Gaining Access:
In this phase, using the data gathered in the planning and scanning phases, a payload is used to exploit the targeted system.
- Maintaining Access:
This phase involves taking the steps needed to remain continuously within the target environment in order to collect as much data as possible.
- Be hidden from the user
In this phase, the attacker has to clear any trace of the activity carried out in the target system. This is done in order to remain hidden from the user/victim.
Rules in penetration testing
There are rules that have to be followed when conducting a penetration test, such as the methodology to be used, the start and end dates, the goals of the penetration test, and more. For the penetration test to go ahead, there should be a mutual agreement between the customer and the representative. The following items are commonly present in the rules:-
- There will be a non-disclosure agreement that contains written permission to hack. This non-disclosure agreement has to be signed by both parties.
- There should be a start and end date for the penetration testing.
- The methodology to be used for conducting the penetration test should be stated.
- The goals of the penetration test should be stated.
Categories of the Penetration test:
The categories of a penetration test are based on what the organization wants to test. The categories can be divided into three types:-
- Black Box:- In this case, very little or no information is provided about the specified target.
- White Box:- In this case, all the information is provided about the target.
- Gray Box:- In this case, some information is provided and some information is hidden about the target.
Types of the Penetration test:
- Social Engineering Penetration test:- This test can also be considered a part of the Network Penetration Test. In this case, an organization might ask the penetration tester to attack its users. Here the penetration tester is permitted to use spear phishing attacks and more to trick the user into doing the unthinkable.
- Physical penetration test:- In this case, the penetration tester will be asked to check the physical security controls of the building, like locks and RFID mechanisms.
- Network penetration test:- In this case, the penetration tester will have to test the network environment for potential security vulnerabilities and threats.
- Web Application penetration test:- This test is nowadays considered common, as applications host data that can be as critical as it gets. The data can be usernames, passwords, or more.
- Mobile Application penetration test:- This test is done because every organization nowadays uses Android or iOS mobile applications. The goal is to make sure that their mobile applications are secure and that customers can rely on them when providing personal information.
Advantages of the Penetration test:
- The penetration test can be done to find vulnerabilities that may serve as weaknesses in the system.
- It is also done to identify the risks arising from those vulnerabilities.
Disadvantages of the Penetration test:
- A penetration test that is not done properly can expose data that might be sensitive, and more.
- The penetration tester has to be trusted; otherwise, the security measures taken can backfire.
Penetration Testing Tools: