Penetration Testing
see also
Software
What can be penetration tested?
Web Applications
When testing against a web application, the tester will map the site to understand the application and run tests against it such as trying open ports or any default or misconfigured settings. Testers will look for verbose error messages and scrutinize login pages or online forms. Some of the vulnerabilities testers are looking for include SQL injections, cross-site scripting, encryption flaws, or XML and template injections.
Mobile Applications
Similar to web application testing, mobile testing includes an OS assessment and application mapping. Penetration testers will analyze various factors such as file system, runtime, or open ports. Possible vulnerabilities that can be revealed are insecure APIs, sensitive file artifacts, plain text traffic, and SQL injections.
Infrastructure and network
The objective of an infrastructure penetration test is to identify exploitable vulnerabilities in network devices, systems, and hosts. Penetration testers will want to identify protocols in use such as CDP, WEP, and SNMP. They will also look to discover network device models and what software versions are in use. Vulnerabilities most likely to be discovered include the use of weak or default passwords, missing patches, unnecessary open ports, and SNMP v1 or v2 still in use.
Cloud Applications
Pentesting public cloud applications means you must notify the provider before beginning any testing and some restrictions as to what types of tests can be performed is common. Pentesting in the cloud can include applications, storage, virtualization, and compliance. So depending on what is in the scope of the test, testers could be checking items such as data access, virtual machine isolation, and regulation compliance. Results of the test could include encryption not compliant, virtual machines not properly isolated, API vulnerabilities, and weak passwords.
Colours of Pentesting
Black Box
When conducting a black box assessment, penetration testers have limited knowledge of the network. For example, they will know the hostname and IP of a public server, but not have information for the network infrastructure, operating systems, or security protections. In attempting to penetrate the network to discover as many vulnerabilities as they can find, this method imitates a real world environment to find vulnerabilities using many of the same tools attackers would use.
White Box
In this scenario, the testers have more access to and information about the environment such as admin login data and configuration files. This usually also includes unhindered physical access.
This type of testing is less time consuming than black box testing, but doesn't reveal how attackers can gain unauthorized access externally. It can provide insight into vulnerabilities if an attacker has gained internal access and rights.
Gray Box
Gray box testing falls somewhere between black box and white box testing. The customer shares some limited information, such as a user login or an overview of the network. The scope and what information and access is provided all depends on the testing requirements of the customer. Grey box has the benefits of black box testing but can also do deeper testing where needed with additional information provided.
Red Team, Blue Team
Red team members perform offensive security techniques based on specific objectives such as attempting to penetrate a database and extract sensitive records. The red team simulates an attacker and look for exploitable vulnerabilities.
The blue team is tasked with defending against attacks by the red team. They make use of logs, traffic captures, SIEM and threat intelligence data to detect and defend against red team attacks. The blue team is the internal security team of an organization and exercises with the red team are to improve the internal team’s defense and response to attacks.
Purple Team
The idea of the red team and blue team working together is a purple team. This type of engagement allows the blue team to gauge their detection and incident response capabilities against real-world-like threats.
Learning resources
see also: Chaos Communication Congress
Talks
- I'll Let Myself In: Tactics of Physical Pen Testers – Wild West Hacking Fest
- No-tech hacking – DefCon 15 T112
companies doing penetration tests
this is a non-exhaustive list and we by no means endorse any of these companies.
- X41 D-Sec GmbH – security research, application security services, penetration tests, red teaming
- Cure53 – web application tests
- Code Blau – analysis of computer systems relevant to information security