Penetration testing is a simulated cyber attack against your computer system to check for vulnerabilities. In the context of web application security, a penetration test (also known as a pen test) can include the attempted breaching of any number of application systems to reveal vulnerabilities.
PENETRATION TESTING STAGES
Planning & Preparation
- Identify vulnerabilities and improve the security of the technical systems.
- Have IT security confirmed by an external third party.
- Increase the security of the organizational/personnel infrastructure.
The next step is scanning, which determines how the target application will respond to various intrusion attempts.
- Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
- Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view of an application’s performance.
In this step, the tester analyzes and assesses the information gathered before the test steps for dynamically penetrating the system.
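The difference between the two scanning approaches, as an added example that is not part of the original article: a static pass flags a risky call in constructed sample code without running it, while a dynamic pass runs the same code and records which test inputs actually reach that call. The sample code, the function names and the two-entry rule set are assumptions made for the illustration.

```python
import ast

# Constructed sample of "application code" under test (not from the original page).
SAMPLE_SOURCE = """\
def price(qty, expr=None):
    if expr is not None:      # rarely used legacy path
        return eval(expr)     # risky sink
    return qty * 2
"""

RISKY_CALLS = {"eval", "exec"}  # assumption: a minimal rule set for the demo


def static_findings(source):
    """Static analysis: walk the syntax tree without running the code."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in RISKY_CALLS):
            findings.append((node.func.id, node.lineno))
    return sorted(findings, key=lambda f: f[1])


def dynamic_findings(source, func_name, test_inputs):
    """Dynamic analysis: run the code and record which inputs reach the sink."""
    observed = []

    def recording_eval(expr):
        # Stand-in for eval: records the argument instead of evaluating it.
        observed.append(expr)
        return None

    namespace = {"eval": recording_eval}   # shadows the builtin inside the sample
    exec(compile(source, "<sample>", "exec"), namespace)
    for args in test_inputs:
        namespace[func_name](*args)
    return observed


if __name__ == "__main__":
    print("static :", static_findings(SAMPLE_SOURCE))
    print("dynamic:", dynamic_findings(SAMPLE_SOURCE, "price", [(3,), (3, "1+1")]))
```

The static pass reports the call on every run because it reads all of the code, while the dynamic pass reports it only when a test input drives execution down the legacy path.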
- The defined goals of the penetration test.
- The potential risks to the system.
- The estimated time required for evaluating potential security flaws for the subsequent active penetration testing.
However, while documenting the final report, the following points need to be considered:
- Overall summary of penetration testing.
- Details of each step and the information gathered during the pen testing.
- Details of all the vulnerabilities and risks discovered.
- Details of cleaning and fixing the systems.
- Suggestions for future security.
The results of the penetration test are then compiled into a report detailing:
- Specific vulnerabilities that were exploited
- Sensitive data that was accessed
- The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.
Types of Pen Testing
- Black Box Penetration Testing
- White Box Penetration Testing
- Grey Box Penetration Testing
What Are Penetration Testing Tools?
The following table collects some of the most significant penetration tools and illustrates their features:
| Tool Name | Purpose | Portability | Expected Cost |
|---|---|---|---|
| Hping | Port scanning; remote OS fingerprinting | | Free |
| Nmap | Network scanning | Linux, Windows, FreeBSD, OS X, HP-UX, NetBSD, Sun, OpenBSD, Solaris, IRIX, Mac, etc. | Free |
| SuperScan | Runs queries including ping, whois, hostname lookups, etc.; detects open UDP/TCP ports and determines which services are running on those ports | Windows 2000/XP/Vista/7 | Free |
| p0f | OS fingerprinting | Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, Windows, and AIX | Free |
| Xprobe | Remote active OS fingerprinting | Linux | Free |
| Httprint | Web server fingerprinting; SSL detection; detects web-enabled devices (e.g., wireless access points, switches, modems, routers) | Linux, Mac OS X, FreeBSD, Win32 (command line & GUI) | Free |
| Nessus | Detects vulnerabilities that allow a remote cracker to control/access sensitive data | Mac OS X, Linux, FreeBSD, Apple, Oracle Solaris, Windows | Free to limited edition |
| GFI LANguard | Detects network vulnerabilities | Windows Server 2003/2008, Windows 7 Ultimate/Vista, Windows 2000 Professional, Business/XP, Server 2000/2003/2008 | Only Trial Version Free |
| Iss Scanner | Detects network vulnerabilities | Windows 2000 Professional with SP4, Windows Server 2003 Standard with SP1, Windows XP Professional with SP1a | Only Trial Version Free |
| Shadow Security Scanner | Detects network vulnerabilities; audits proxy and LDAP servers | Windows, but scans servers built on any platform | Only Trial Version Free |
| Metasploit Framework | Develop and execute exploit code against a remote target; test vulnerability of computer systems | All versions of Unix and Windows | Free |
| Brutus | Telnet, FTP, and HTTP password cracker | Windows 9x/NT/2000 | Free |