
Get to Know Penetration Testing

Learning Objectives

After completing this unit, you’ll be able to:

  • Define penetration testing terms.
  • Explain the purpose of penetration testing.
  • List the phases of penetration testing.
  • Identify the different approaches to penetration testing.
Note

Before diving into penetration testing, you should have a basic understanding of vulnerability scanning, common vulnerabilities, and security testing. We recommend that you first complete the Get Started with Vulnerability Assessment trail before you begin this module.

Penetration Testing Glossary

As a penetration tester, you are responsible for testing, identifying and recommending mitigations for security weaknesses in an organization’s digital systems. Let’s take a look at some terminology before we dig deeper. 

  • Penetration testing: A simulated cyber-attack against computer systems to identify exploitable vulnerabilities
  • Network discovery: Identifying active hosts on a network, and understanding the network's design and weaknesses
  • Port scanner: A tool used to identify open ports on a system and determine if systems allow connections through those ports
  • Rules of engagement (ROE): The detailed guidelines and constraints regarding the execution of penetration testing within legal and ethical boundaries
  • Target: An application, business process, IT infrastructure, environment, or system that the tester attempts to penetrate
  • Vulnerability: A security gap in automated systems’ security procedures, administrative controls, internet controls, and so on, that can be exploited
  • Exploit: A piece of code or a tool used to take advantage of a vulnerability in the target system
  • Enumeration: Actively connecting to systems to gather detailed information about entry points
  • Attack vector: A path or method used to gain access to a system or network
  • Payload: Data used to carry out a malicious act on a system or network (e.g., executable file, malware, script, exploit code)
  • Shell: A piece of code or a script that enables command execution on a target system

Goals and Benefits of Penetration Testing

As a penetration tester, you’re responsible for being an expert in real-world threats, attack paths, and vulnerabilities. You assess an organization’s resilience to real-world attacks and produce reports that help the organization better protect itself. Penetration testing is an invaluable tool, not only for helping organizations secure their infrastructure, networks, applications, systems, and data, but also for ensuring compliance with various regulations and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS). This compliance aspect is critical as it helps organizations meet legal obligations and avoid hefty penalties.

Penetration testing can also help organizations better understand where to focus their limited time and resources in mitigating threats. For example, an organization deliberating between increasing staff for its security operations center and implementing two-factor authentication for all network logins can make a more informed decision based on the insights gained from penetration tests.

These tests pinpoint the most critical system and network vulnerabilities, enabling organizations to prioritize their security efforts. Penetration testing can help paint a picture of holistic cyber risk by pointing out how a weakness in one business system can lead to a breach in other connected technologies.

Penetration Testing Phases

In conducting penetration testing, you typically follow five phases. 

Permission

  • Definition: Ensures explicit authorization to test from the network and/or system owner before commencing any penetration testing activities
  • Example activity: Signing a contract or agreement that clearly authorizes the test and defines its scope, boundaries, and limitations
  • Example tools: Contract management tools to ensure clear documentation of communication and agreements

Plan

  • Definition: Involves defining the scope and goals of the test, including the systems to be tested and the testing methods to be used
  • Example activity: Identifying specific systems within the agreed scope and gathering publicly available information about them
  • Example tools: WHOIS, nslookup for domain information and Google Dorks for advanced search queries

Discover

  • Definition: Involves gathering information to identify vulnerable hosts, ports, and network services
  • Example activity: Running port and vulnerability scans on the identified systems
  • Example tools: Nmap for network mapping, Nessus or OpenVAS for vulnerability scanning

Gain Access

  • Definition: Involves exploiting vulnerabilities within the agreed scope to gain access to the system or network, simulating an attacker’s actions
  • Example activity: Exploiting a known vulnerability to access a network
  • Example tools: Metasploit for exploiting vulnerabilities

Report

  • Definition: Occurs simultaneously with other phases for evidence collection, and consists of documenting the ROEs, steps taken during the test, results, and recommended risk responses (e.g., mitigate, avoid, transfer, accept)
  • Example activity: Preparing a comprehensive report detailing the findings and recommendations
  • Example tools: DRADIS framework for pentesting collaboration and reporting
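The Permission and Plan phases fix the scope, boundaries, and limitations of a test before any system is touched. As an added example (not part of the original unit), the following default-deny check refuses any address that the signed agreement does not cover; the RulesOfEngagement structure, the function names, the address ranges, and the dates are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class RulesOfEngagement:
    """Hypothetical machine-readable summary of a signed ROE."""
    in_scope: tuple          # CIDR ranges the owner authorized
    excluded: tuple          # carve-outs that must never be touched
    window_start: datetime   # start of the agreed testing window
    window_end: datetime     # end of the agreed testing window

def check_target(roe, target_ip, when):
    """Return (allowed, reason) for one address at one point in time."""
    if not (roe.window_start <= when <= roe.window_end):
        return False, "outside authorized testing window"
    try:
        addr = ipaddress.ip_address(target_ip)
    except ValueError:
        return False, "not a valid IP address"
    # Exclusions win over inclusions, so check them first.
    for cidr in roe.excluded:
        if addr in ipaddress.ip_network(cidr):
            return False, f"explicitly excluded by {cidr}"
    for cidr in roe.in_scope:
        if addr in ipaddress.ip_network(cidr):
            return True, f"authorized by {cidr}"
    return False, "not listed in scope"  # default deny

def filter_targets(roe, targets, when):
    """Split a proposed target list into allowed and refused entries."""
    allowed, refused = [], []
    for target in targets:
        ok, reason = check_target(roe, target, when)
        (allowed if ok else refused).append((target, reason))
    return allowed, refused

# Constructed sample: RFC 5737 documentation ranges and made-up dates.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24", "198.51.100.16/28"),
    excluded=("192.0.2.10/32",),
    window_start=datetime(2024, 3, 4, 18, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 6, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    now = datetime(2024, 3, 5, 20, 0, tzinfo=timezone.utc)
    print(filter_targets(SAMPLE_ROE, ["192.0.2.5", "192.0.2.10", "203.0.113.7"], now))
```

Recording each refusal with its reason also feeds the Report phase, which documents the ROEs alongside the steps taken.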

Penetration Test Styles

Penetration testing is strictly governed by legal and ethical standards. Unlike the illegal and unethical hacking activities conducted by malicious or black hat hackers, penetration testing must always be authorized by the system or network owner. Any unauthorized testing, even if not intended for harm, can be considered illegal under laws such as the Computer Fraud and Abuse Act (CFAA) in the United States.

Here's an overview of types of penetration testing:

Black Box

In a black box test, you conduct the assessment with no prior knowledge of the target environment. You may have high-level data such as the company or organization’s name, but no other relevant information. 

Advantage: Helps the business understand what vulnerabilities are exposed to an external attacker and assess the effectiveness of the organization’s external defenses.

Gray Box

In a gray box penetration test, also known as a translucent box test, you have only limited information about the target. The test covers both external and internal aspects of the system, with some inside knowledge such as architectural diagrams or login credentials.

Advantage: Provides a balanced view of security from an external and internal perspective. It’s useful for assessing how far an attacker can penetrate with limited knowledge.

White Box

In a white box test, you have full knowledge of the target environment, including the systems, networks, operating systems, IP addresses, and source code. Having this knowledge reduces the cost and time of the test, as you don’t need to perform any reconnaissance to ascertain target information. This type of test is a simulation of an internal attack.

Advantage: Identifies hidden vulnerabilities that require internal knowledge to exploit.

Penetration Testing Methodologies

As a penetration tester, you should be familiar with the different methodologies you can use to perform penetration tests. Let’s take a closer look.

Penetration Testing Execution Standard (PTES) 

A team of information security practitioners developed this penetration testing method with the aim of addressing the need for a complete and up-to-date standard in penetration testing. In addition to guiding security professionals, it also attempts to inform businesses about what they should expect from a penetration test and guides them in scoping and negotiating successful projects. The process includes pre-engagement interactions, intelligence gathering, and threat modeling.

Open-Source Security Testing Methodology Manual (OSSTMM)

This is a complete methodology for the testing, analysis, and measurement of operational security toward building the best possible security defenses. It’s a peer-reviewed methodology for security testing, maintained by the Institute for Security and Open Methodologies (ISECOM). It provides guidance on how to test the operational security of five channels (Human Security, Physical Security, Wireless Communications, Telecommunications, and Data Networks) so that organizations can understand the full extent of their security and determine how well their security processes actually function.

Information System Security Assessment Framework (ISSAF) 

This is a structured and specialized approach to penetration testing that enables a tester to meticulously plan and document every step of the penetration testing procedure, from planning and assessment to reporting and destroying artifacts. For each vulnerable area of your system, ISSAF offers some complementary information, various vectors of attack, as well as possible results when the penetration tester exploits the vulnerability.

These are just a few examples of methodologies to keep in mind. Others include the National Institute of Standards and Technology (NIST) guidelines and the Open Web Application Security Project (OWASP) methodology.

Sum It Up

Now you understand more about penetration testing terms, goals, and methodologies. In the next unit, you learn more about the responsibilities and qualifications of a penetration tester, and discover the skills that help penetration testers succeed. 
