According to the EC-Council definition, “Penetration Testing is a legal, structured procedure to evaluate the security posture of an organization. This practice simulates an attack against the security infrastructure of the enterprise, such as its network, applications, and users, to identify the exploitable vulnerabilities. It determines the efficacy of the company’s security policies, controls and strategies”. Therefore, we can say that the penetration test is the procedure used by ethical hackers to evaluate the effectiveness of the client’s security.
Relevant methodologies that define penetration testing procedures include:
- OSSTMM (Open Source Security Testing Methodology Manual)
- OWASP (Open Web Application Security Project)
- ISSAF (Information System Security Assessment Framework)
- NIST (National Institute of Standards and Technology)
- LPT (EC-Council’s Licensed Penetration Tester)
Nevertheless, there are no big differences in how these methodologies structure the penetration test. In general, we can distinguish six phases:
- Scoping and planning: to define the objective of the penetration test, and the time plan for its execution.
- Reconnaissance: first retrieval of information about the organization and systems in scope, normally based on public data.
- Scanning: based on the information gathered in the reconnaissance, scanning tools are used to search for details and to discover vulnerabilities.
- Gaining and escalating access: trying to exploit the vulnerabilities detected, to access the system and, once inside, to get as many privileges as possible.
- Keeping access: maintaining an open door to access the target systems in the future. It implies erasing traces, so the unauthorized access is not detected.
- Documenting results: the discoveries of the penetration test must be properly documented for the client to understand the issues. The report should not only unveil the vulnerabilities, but also address the solutions and include recommendations to improve security. Frequently, the penetration test report includes an action plan, which is tracked later, and even verified after a certain time.
Not all penetration tests pass through all the phases: it is possible that, within the scope defined, gaining access is not possible, so phases 4 and 5 are skipped. As every phase is based on the results of the previous one, the first steps are really important.
The scoping is key in the process, as it determines the extent of the test, delimits responsibilities and legally protects both the client and the hacker. The reconnaissance and scanning are conditioned by the agreed scope, and gaining access is also very dependent on the time scope, as many tools and procedures are time-consuming (e.g. for a brute-force attack, the longer the time available, the better).
An important part of the scoping is the decision about the type of penetration test to do:
- External test: the hacker has no regular access to the systems, simulating a black hat not linked with the client.
- Internal test: the hacker has some level of access to the systems, as if s/he were an employee or external worker.
- Black-box test: the client doesn’t provide any specific information to the hacker, so s/he needs to obtain everything from the reconnaissance and scanning processes.
- Grey-box / White-box test: the client provides some information or, in the case of a white-box test, full documentation of the systems and processes involved in the scope.
In the picture we can see a summary of the scope section of a real penetration test report:
In this example, we can see the certification number of the ethical hacker who did the penetration test, and the tools he used. In the methodology, it is specified that the test was external and grey-box. Some relevant details about the methodology and context are also given:
- Active reconnaissance and scanning imply that the hacker will interact with the systems to extract information. That interaction could impact performance and could also be detected by the defence systems. As stated in the context section, the hosting company was not informed about the test, so the perimeter firewall remains active and the intrusion may be detected.
- No social engineering, session hijacking or man-in-the-middle attacks means that employees will not be disturbed or involved in the test in any way. That is very usual in regular penetration tests, unless there is a specific interest in evaluating these risks.
- No denial of service attack, to avoid business impact.
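The scope decisions discussed above (in-scope systems, testing window, excluded techniques) can be written down as data and checked before each action, so nothing leaves the agreed scope by accident. The following is an added example, not code from the original post; the network range, dates and technique names are constructed and only mirror the external, grey-box engagement described in the report.

```python
"""Scope of a penetration test as data, with a check of planned actions against it.
Added example, not code from the original post; all scope values are constructed."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Scope:
    """Agreed rules of engagement: in-scope networks, time window, excluded techniques."""
    networks: tuple
    start: datetime
    end: datetime
    excluded: frozenset
    test_type: str = "external"
    knowledge: str = "grey-box"


# Constructed sample scope mirroring the report in the text: external, grey-box,
# active reconnaissance allowed, no social engineering / session hijacking / MITM / DoS.
SAMPLE_SCOPE = Scope(
    networks=(ipaddress.ip_network("203.0.113.0/24"),),  # documentation range, constructed
    start=datetime(2024, 3, 4, 8, 0),
    end=datetime(2024, 3, 8, 18, 0),
    excluded=frozenset({"social_engineering", "session_hijacking", "mitm", "dos"}),
)


def check_action(scope: Scope, target: str, technique: str, when: datetime) -> list:
    """Return every scope violation of a planned action; an empty list means allowed.

    Reporting all violations at once lets the tester see each reason an action must
    be dropped or re-negotiated with the client, not just the first one found.
    """
    problems = []
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        problems.append(f"target {target!r} is not a valid IP address")
    else:
        if not any(addr in net for net in scope.networks):
            problems.append(f"target {target} is outside the agreed networks")
    if not (scope.start <= when <= scope.end):
        problems.append(f"{when:%Y-%m-%d %H:%M} is outside the agreed testing window")
    if technique in scope.excluded:
        problems.append(f"technique {technique!r} was excluded during scoping")
    return problems
```

Keeping the same structure in the final report (scope, window, exclusions) makes it easy for the client to verify that the documented findings were all obtained within the agreed rules.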
You can read our previous post about Ethical Hacking. In the next post, we’ll talk about ethical hacking and penetration tests for SAP systems.
NovisEuforia cooperates with Santa Marta AB to offer an ambitious initiative to improve cybersecurity over SAP systems.