Modern days IT needs are changed according to 80’s and 90’s. In the old days just operating IT was enough for success but today’s situation it is changed. We need to secure the IT environment to in order to be successful. There are different methodologies, standard, architectures to design, plan, implement, evolve the security of the corporates. Penetration tests provide very useful input and metrics for different type of the practical security issues and vulnerabilities.
What is Penetration Test?
As the name suggest this type of security test is used to penetrate into systems, applications, networks, information, corporates etc. (put here whatever you want) to implement real world cyber attacks.Penetration test is know as Pentest. Penetration test may have different attributes according t different factors. We will look some of them below.
Aim is very important aspect of the Penetration test. The whole penetration test attributes like type, scope, implementation, tools, report, … are selected according to the aim. As an example we may want to test our external web applications and related network infrastructure for internal and contractor related vulnerabilities. This will mainly changes the attributes of the penetration test.
There are 3 most known and used type of Penetration test.
Black Boxpenetration test is done where Penetration testers do not know any specific information about scope. They have very little information.
Gray Boxpenetration test is done with more information about scope and related IT systems. But this information is not complete as White Box.
While Boxtest is done with a lot of information known by pentesters. They generally skip reconnaissance step of the penetration test
Scope is another important aspect of the penetration test. Scope draws or sets the boundaries of the test. Scope is also important factor to decide the penetration test value. Scope is generally defined as following metrics
- IP address,
- System counts,
- Applications interface count
- Applications source code count
- Wireless SSID count
- Social Engineering mail receiver count
- End User System count
.There are 4 steps for a penetration test. But keep in mind that penetration tests do not have very formal structure so these steps can be implemented in different times and phases
- Thread Modelling
- Post Exploit
There are may tools to use in penetration tests but some of them very popular in hacker and penetration tester community. These tools are used to implement phases Reconnaissance, Exploit and Port Exploit. Here are some of them
- Linux tools
- Burp suite
A penetration test report provides useful information about the findings of penetration test. All the penetration test outcome is putted in the report. So good penetration test are expressed with good penetration test reports, if not the penetration test feasibility lowers and the gain will be less then the expected.