what is penetration testing | 12 best pentesting tools | pentesting methode

penetration testing                                                  

Penetration testing It is simulated a cyber attack against your computer system to check for vulnerabilities. In the meaning of web application security,  penetration test, also known as a pen test. and a penetration test can include the tried breaching of any number of the application system to reveal vulnerabilities.

PENETRATION TESTING STAGES

PENETRATION TESTING STAGES

Planning & Preparation

  • To identify the vulnerability and improve the security of the technical systems.
  • Have IT security confirmed by an external third party.
  • Increase the security of the organizational/personnel infrastructure.

Scanning

The next step is Scanning how the target application will respond to various intrusion attempts.

    • Static analysis – Inspecting an application’s code to estimate the way it behaves while running. These tools can scan the entirety of the code in a single pass.
    • Dynamic analysis – Inspecting an application’s code in a running state. This is a more practical way of scanning, as it provides a real-time view of an application’s performance.\

Gaining Access

In this step, tester analyzes and assesses the information gathered before the test steps for dynamically penetrating the system

  • The defined goals of the penetration test.
  • The potential risks to the system.
  • The estimated time required for evaluating potential security flaws for the subsequent active penetration testing.

Maintained Access

However, while documenting the final report, the following points needs to be considered −

  • Overall summary of penetration testing.
  • Details of each step and the information gathered during the pen testing.
  • Details of all the vulnerabilities and risks discovered.
  • Details of cleaning and fixing the systems.
  • Suggestions for future security

Analysis

The results of the penetration test are then compiled into a report detailing:

      • Specific vulnerabilities that were exploited
      • Sensitive data that was accessed
      • The amount of time the pen tester was able to remain in the system undetected

This information is analyzed by security personnel to help configure an enterprise’s WAF settings and other application security solutions to patch vulnerabilities and protect against future attacks.

Types of Pen Testing

  • Black Box Penetration Testing
  • White Box Penetration Testing
  • Grey Box Penetration Testing

    What is Penetration Testing Tools?

    The following table collects some of the most significant penetration tools and illustrates their features −

    Tool Name Purpose Portability Expected Cost
    Hping ort Scanning

    Remote OC fingerprinting

    Linux, NetBSD,

    FreeBSD,

    OpenBSD,

    Free
    Nmap Network Scanning

    Port Scanning

    OS Detection

    Linux, Windows, FreeBSD, OS X, HP-UX, NetBSD, Sun, OpenBSD, Solaris, IRIX, Mac, etc. Free
    SuperScan Runs queries including ping, whois, hostname lookups, etc.

    Detects open UDP/TCP ports and determines which services are running on those ports.

    Windows 2000/XP/Vista/7 Free
    p0f Os fingerprinting

    Firewall detection

    Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris, Windows, and AIX Free
    Xprobe Remote active OS fingerprinting

    Port Scanning

    TCP fingerprinting

    Linux Free
    Httprint Web server fingerprinting SSL detection

    Detect web-enabled devices (e.g., wireless access points, switches, modems, routers)

    Linux, Mac OS X, FreeBSD, Win32 (command line & GUI Free
    Nessus Detect vulnerabilities that allow remote cracker to control/access sensitive data Mac OS X, Linux, FreeBSD, Apple, Oracle Solaris, Windows Free to limited edition
    GFI LANguard Detect network vulnerabilities Windows Server 2003/2008, Windows 7 Ultimate/ Vista, Windows 2000 Professional, Business/XP, Sever 2000/2003/2008 Only Trial Version Free
    Iss Scanner Detect network vulnerabilities Windows 2000 Professional with SP4, Windows Server 2003 Standard with SO1, Windows XP Professional with SP1a Only Trial Version Free
    Shadow Security Scanner Detect network vulnerabilities, audit proxy and LDAP servers Windows but scan servers built on any platform Only Trial Version Free
    Metasploit Framework Develop and execute exploit code against a remote target

    Test vulnerability of computer systems

    All versions of Unix and Windows Free
    Brutus Telnet, ftp, and http password cracker Windows 9x/NT/2000 Free