
2. Penetration Testing

Penetration Testing, or Pen Test, is a security testing method aimed at identifying vulnerabilities in software applications, networks, and web applications. It is crucial for organizations, especially in financial sectors, to ensure data security and proactively safeguard against potential attacks. The process involves several stages including planning, discovery, attack, and reporting, with various types of tests such as black box, white box, and grey box testing.

Uploaded by

monishasekar438
Copyright
© All Rights Reserved

1. What is Penetration Testing?

• Penetration Testing or Pen Testing is a type of Security Testing used to uncover vulnerabilities, threats and risks that an attacker could exploit in software applications, networks or web applications.
• The purpose of penetration testing is to identify and test all possible security vulnerabilities that are present in the software application.
• Penetration testing is also called Pen Test.
2. Why Penetration Testing?
Penetration testing is essential in an enterprise because:
• Financial sectors like Banks, Investment Banking, Stock Trading Exchanges want their data to be secured, and penetration testing is essential to ensure security.
• If the software system has already been hacked, the organization wants to determine whether any threats are still present in the system to avoid future hacks.
• Proactive Penetration Testing is the best safeguard against hackers.
3. Types of Penetration Testing
The type of penetration test selected usually depends on the scope and whether the organization wants to simulate an attack by an employee, Network Admin (Internal Sources) or by External Sources. There are three types of penetration testing:
• Black Box Testing
• White Box Penetration Testing
• Grey Box Penetration Testing

• In black-box penetration testing, the tester has no knowledge of the systems to be tested and is responsible for collecting information about the target network or system.
• In white-box penetration testing, the tester is usually provided with complete information about the network or systems to be tested, including the IP address schema, source code, OS details, etc. This can be considered a simulation of an attack by any Internal sources (Employees of an Organization).
• In grey-box penetration testing, the tester is provided with partial knowledge of the system. It can be considered an attack by an external hacker who has gained illegitimate access to an organization’s network infrastructure documents.
4. How to do Penetration Testing: activities that need to be performed to execute a Penetration Test

Step 1) Planning phase
1. Scope & Strategy of the assignment is determined
2. Existing security policies and standards are used for defining the scope
Step 2) Discovery phase
3. Collect as much information as possible about the system, including data in the system, usernames and even passwords. This is also called FINGERPRINTING
4. Scan and Probe into the ports
5. Check for vulnerabilities of the system
Step 3) Attack Phase
6. Find exploits for various vulnerabilities. You need the necessary security Privileges to exploit the system
Step 4) Reporting Phase
7. A report must contain detailed findings
8. Risks of vulnerabilities found and their Impact on business
9. Recommendations and solutions, if any
5. Penetration Testing - Prime task

The prime task in penetration testing is to gather system information. There are two ways to gather information:
1. ‘One to one’ or ‘one to many’ model with respect to host: A tester performs techniques in a linear way against either one target host or a logical grouping of target hosts (e.g. a subnet).
2. ‘Many to one’ or ‘many to many’ model: The tester utilizes multiple hosts to execute information gathering techniques in a random, rate-limited, and non-linear way.
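
How the two information-gathering models above look from the defender's side, as an added example that is not part of the original slides: it groups flow records by source to surface the linear one-to-many sweep, and by destination to surface the rate-limited many-to-one pattern that stays under any per-source threshold. The record layout, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (epoch_seconds, source_ip, dest_ip, dest_port)
FLOWS = (
    # one source walking a subnet in order (one-to-many)
    [(100 + i, "198.51.100.10", f"10.0.0.{i}", 22) for i in range(1, 6)]
    # five sources, one probe each, ports out of order, minutes apart (many-to-one)
    + [(1000 + 600 * i, f"203.0.113.{i + 1}", "10.0.0.9", port)
       for i, port in enumerate([3389, 22, 8080, 445, 5432])]
    # ordinary client traffic to a web server
    + [(50, "10.0.1.5", "10.0.0.20", 443), (70, "10.0.1.6", "10.0.0.20", 443)]
)


def classify(flows, min_fanout=4, per_source_cap=2):
    """Return sorted findings: (model, pivot_ip, count, seconds_spanned)."""
    by_src = defaultdict(list)                       # source -> [(ts, dst)]
    by_dst = defaultdict(lambda: defaultdict(list))  # dest -> source -> [(ts, port)]
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst))
        by_dst[dst][src].append((ts, port))

    findings = []
    # One-to-many: a single source touches many distinct hosts.
    for src, hits in by_src.items():
        hosts = {dst for _, dst in hits}
        if len(hosts) >= min_fanout:
            times = [ts for ts, _ in hits]
            findings.append(("one-to-many", src, len(hosts), max(times) - min(times)))
    # Many-to-one: each source stays under a per-source alert cap, so only
    # aggregating by destination shows the combined port coverage.
    for dst, srcs in by_dst.items():
        quiet = [h for h in srcs.values() if len({p for _, p in h}) <= per_source_cap]
        ports = {p for h in quiet for _, p in h}
        if len(quiet) >= min_fanout and len(ports) >= min_fanout:
            times = [ts for h in quiet for ts, _ in h]
            findings.append(("many-to-one", dst, len(quiet), max(times) - min(times)))
    return sorted(findings)
```
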
6. Penetration testing stages
1. Planning and reconnaissance
The first stage involves:
• Defining the scope and goals of a test, including the systems to be addressed and the testing
methods to be used.
• Gathering intelligence (e.g., network and domain names, mail server) to better understand
how a target works and its potential vulnerabilities.
2. Scanning
The next step is to understand how the target application will respond to various intrusion
attempts. This is typically done using:
• Static analysis – Inspecting an application’s code to estimate the way it behaves while
running. These tools can scan the entirety of the code in a single pass.
• Dynamic analysis – Inspecting an application’s code in a running state. This is a more
practical way of scanning, as it provides a real-time view into an application’s performance.
3. Gaining Access
This stage uses web application attacks, such as cross-site scripting, SQL injection and backdoors, to uncover a
target’s vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing
data, intercepting traffic, etc., to understand the damage they can cause.

4. Maintaining access
The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited
system— long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats,
which often remain in a system for months in order to steal an organization’s most sensitive data.

5. Analysis
The results of the penetration test are then compiled into a report detailing:
• Specific vulnerabilities that were exploited
• Sensitive data that was accessed
• The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
7. Role and Responsibilities of Penetration Testers
• Testers should collect required information from the
Organization to enable penetration tests
• Find flaws that could allow hackers to attack a target machine
• Pen Testers should think & act like real hackers albeit ethically.
• Work done by Penetration testers should be reproducible so that
it will be easy for developers to fix it
• Start date and End date of test execution should be defined in
advance.
• A tester should be responsible for any loss in the system or
information during the Software Testing
• A tester should keep data and information confidential
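
The planning phase fixes the scope, and the responsibilities above require a start and end date defined in advance; one way to enforce both before any test action runs is sketched below (an added example, not part of the original slides). The Engagement fields, the exclusion list and all addresses and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    """Rules of engagement agreed in the planning phase (hypothetical layout)."""
    in_scope: tuple   # CIDR blocks the organization authorized
    excluded: tuple   # carve-outs inside those blocks
    start: datetime   # agreed start of test execution
    end: datetime     # agreed end of test execution


# Constructed sample engagement
ENG = Engagement(
    in_scope=("10.20.0.0/16",),
    excluded=("10.20.5.0/24",),
    start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    end=datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
)


def authorize(eng, target, when):
    """Return (allowed, reason) for touching `target` at time `when`."""
    if not (eng.start <= when <= eng.end):
        return False, "outside agreed test window"
    try:
        addr = ip_address(target)
    except ValueError:
        # Hostnames are refused: DNS can change between planning and testing.
        return False, "target is not a literal IP address"
    # Exclusions are checked first so a carve-out always wins over a wider block.
    if any(addr in ip_network(net) for net in eng.excluded):
        return False, "explicitly excluded"
    if any(addr in ip_network(net) for net in eng.in_scope):
        return True, "in scope"
    return False, "not in authorized scope"
```
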
8. Manual Penetration vs. automated penetration testing

| Manual Penetration Testing | Automated Penetration Testing |
|---|---|
| Manual Testing requires expert professionals to run the tests | Automated test tools provide clear reports with less experienced professionals |
| Manual Testing requires Excel and other tools to track it | Automation Testing has centralized and standard tools |
| In Manual Testing, sample results vary from test to test | In the case of Automated Tests, results do not vary from test to test |
| Memory Cleaning up should be remembered by users | Automated Testing will have comprehensive cleanups. |
