What is Penetration Testing?
In its simplest definition, penetration testing is work performed on networks, computer systems and applications in order to detect the security vulnerabilities in them. Penetration testing is also referred to by the following names:
Penetration test
Pentest
Ethical Hacking
White Hat Attack
Security Checkup

In information security testing, a network, computer system or web application is tested in order to detect the security vulnerabilities that an attacker could exploit.
Vulnerability testing can be automated with various tools or performed manually. In both cases the process involves gathering information about the target, identifying possible entry points, attempting to break in, and sharing the findings. Best practice is to run the tests with more than one automated tool and then verify the results with manual work, since automated scanners both miss issues and report false positives.
Vulnerability scans can also be used to assess an organization's security policy, its adherence to compliance requirements, its employees' security awareness, and its ability to identify and respond to security incidents.
Typically, the information gathered about the security vulnerabilities identified and/or exploited during a penetration test is delivered to the organization's management, allowing the organization to prioritize strategic decisions and improvement efforts.
Security testing is performed to reveal the security vulnerabilities, design weaknesses and risks in an organization's information technology (IT) environments, so that measures can be taken against malicious attacks on the networks, systems and applications in those environments.
Besides its main objective of identifying security weaknesses, a penetration test also audits compliance with the security policy of the IT environment, reveals how aware staff are of security issues, and determines the organization's risk of suffering a security disaster.
Penetration tests can also reveal gaps in a company's security policies. For example, a policy may focus on detecting and preventing an attack on the organization's systems but contain no process for removing an attacker who has already gained access.
The penetration testing process consists of seven basic steps:
- Step-1: Scoping
- Step-2: Information Gathering / Intelligence
- Step-3: Vulnerability Detection
- Step-4: Information Analysis / Planning
- Step-5: Infiltrating the System
- Step-6: Results Analysis / Reporting
- Step-7: Cleaning the Traces

Step-1: Scoping
The aim of this step is to define the objectives of the penetration test and the IT environments in which the tests will be conducted.
At this stage the preliminary information needed to plan the work is obtained from the organization being tested. Based on that information, the nature of the test, its scope, the targeted environments, and the dates and times that suit the organization are determined.
After the scope of the penetration test has been determined, the following steps are taken before the tests start:
- The teams that will take part in the work, and the contact persons for the tests, are designated on both sides: the organization being tested and the company performing the test.
- A test plan is created.
- Based on the information received from the organization, the dates and time windows in which the work will be carried out are determined.
- The contact persons to be reached in case of an emergency are determined.
- The scope of the service, the working methodology and the tests to be performed are agreed with the organization being served.
- To provide mutual legal protection, a service agreement is signed with the organization.
Step-2: Information Gathering / Intelligence
Information gathering is the most important of the test steps and accounts for 80-90% of the effort in the whole penetration test. The more accurate and complete the information obtained at this stage, the more accurately and efficiently the remaining tests can be performed.
Information gathering is carried out using two different methods:
- Passive Information Gathering
- Active Information Gathering
In passive information gathering, the target is not aware of the collector during the process; information is gathered only from public sources, which include the following:
- Forums
- Dictionary sites
- Community sites
- Social media
- News sites
- Search engines
In active information gathering, contact is established with the target while the information is collected, so records of that contact (connection logs) are created on the target side. The following sources are generally used for active information gathering:
- Websites
- Scans:
  - Port scan
  - Vulnerability scan
  - OS scan
  - Service scan
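The scoping and active information gathering steps above, as an added example that is not part of the original article and is not the code of Nmap or any other tool: a small TCP connect scanner with banner grabbing in Python that refuses to touch any host outside an agreed scope. The scope networks, the excluded address, the listeners and their banners are all constructed for this example; the script starts throwaway services on 127.0.0.1 so it runs offline.

```python
# Added example (not from the original article): a TCP connect scan with banner
# grabbing, restricted to an agreed scope. The listeners, banners and scope below
# are constructed so the script runs offline against 127.0.0.1.
import ipaddress
import socket
import threading
from typing import Dict, Iterable, Optional

# Constructed scope, as it would be agreed in the scoping step.
SCOPE = {
    "allowed": [ipaddress.ip_network("127.0.0.0/8")],
    "excluded": [ipaddress.ip_address("127.0.0.2")],  # e.g. a fragile production host
}

def in_scope(host: str) -> bool:
    """True only if host lies inside an allowed network and is not explicitly excluded."""
    addr = ipaddress.ip_address(host)
    if addr in SCOPE["excluded"]:
        return False
    return any(addr in net for net in SCOPE["allowed"])

def start_fake_service(banner: bytes) -> int:
    """Start a listener on an ephemeral localhost port that sends one banner line
    to every client; returns the port. Stands in for a real target service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probably_closed_port() -> int:
    """Bind and immediately release an ephemeral port so the demo has a closed one."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Complete a TCP handshake and return the first line the service sends,
    '' if it is open but silent, or None if the port is closed or filtered.
    The full handshake is what makes this 'active': it appears in target logs."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open, but the service expects the client to speak first
            return data.decode(errors="replace").strip()
    except OSError:  # ConnectionRefusedError, timeout, unreachable network, ...
        return None

def connect_scan(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Return {port: banner} for every open port; raises if host is out of scope."""
    if not in_scope(host):
        raise PermissionError(f"{host} is outside the agreed scope; not scanning")
    results: Dict[int, str] = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            results[port] = banner
    return results

if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-ExampleSSHd_1.2\r\n")     # constructed banner
    ftp_port = start_fake_service(b"220 ExampleFTPd 2.10 ready\r\n")  # constructed banner
    targets = [ssh_port, ftp_port, probably_closed_port()]
    for port, banner in sorted(connect_scan("127.0.0.1", targets).items()):
        print(f"{port}/tcp open  {banner}")
```

The scope check runs before any packet is sent, which is the behaviour a tester wants from every tool used in the engagement: an out-of-scope address is a contract violation, not a finding. A connect scan completes the handshake, so every probe lands in the target's logs; that is exactly the distinction between active and passive gathering drawn above.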
If, once the purpose and scope have been agreed, the organization provides information about the systems to be tested, this phase takes less time because some of the information-gathering steps become unnecessary.
Step-3: Vulnerability Detection
Using the information obtained in the second step, vulnerability detection begins. The work aims to learn what kinds of vulnerabilities exist in the target environments, how they can be used and what kinds of attacks they allow, how the target responds to those attacks, and whether the system protects itself against them.
During this phase a general scan of the system is made with utilities/tools. These programs reveal details such as which ports are open, which service is running on which port and which version of that service is in use; if a known security vulnerability exists for the version found, it is flagged directly. A version match is only a candidate finding, however: a banner can be altered, and a distribution may backport a fix without changing the version string, so each match is confirmed in the later steps.
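Version-based vulnerability detection as described above, as an added example that is not from the original article: banners collected by a scanner are fingerprinted into (product, version) pairs and compared against a list of affected version ranges. Every banner, product name and "advisory" record here is constructed for illustration and refers to no real software or real vulnerability; the banner formats and the half-open [introduced, fixed) range convention are assumptions of this example.

```python
# Added example (not from the original article): matching scanned service versions
# against affected-version ranges. Banners, products and advisories are constructed;
# none corresponds to a real product or a real vulnerability.
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(text: str) -> Version:
    """'2.10.1' -> (2, 10, 1). Numeric tuples compare correctly; raw strings do not
    ('2.10' < '2.3' as strings, which would silently hide an affected host)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

# Constructed banner formats that a scanner might collect.
BANNER_PATTERNS = [
    re.compile(r"^SSH-2\.0-(?P<product>[A-Za-z]+)_(?P<version>[\d.]+)"),
    re.compile(r"^220 (?P<product>[A-Za-z]+) (?P<version>[\d.]+) ready"),
    re.compile(r"^Server: (?P<product>[A-Za-z]+)/(?P<version>[\d.]+)"),
]

def fingerprint(banner: str) -> Optional[Tuple[str, Version]]:
    """Turn a raw banner into (product, version); None if the format is unknown."""
    for pat in BANNER_PATTERNS:
        m = pat.match(banner)
        if m:
            return m.group("product").lower(), parse_version(m.group("version"))
    return None  # unknown banner: needs manual follow-up, not a silent "safe"

# Constructed advisory list: affected versions as a half-open range [introduced, fixed).
ADVISORIES = [
    {"product": "examplesshd", "introduced": "1.0", "fixed": "1.4", "title": "constructed: auth bypass"},
    {"product": "exampleftpd", "introduced": "2.0", "fixed": "2.11", "title": "constructed: path traversal"},
    {"product": "examplehttpd", "introduced": "0.0", "fixed": "3.2", "title": "constructed: header overflow"},
]

def affected(product: str, version: Version) -> List[str]:
    """Titles of every advisory whose [introduced, fixed) range contains version."""
    hits = []
    for adv in ADVISORIES:
        if adv["product"] != product:
            continue
        if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
            hits.append(adv["title"])
    return hits

def check_banners(banners: List[str]) -> Dict[str, Optional[List[str]]]:
    """Map each banner to its advisory hits; unrecognised banners map to None so
    they are reported for manual review rather than dropped."""
    report: Dict[str, Optional[List[str]]] = {}
    for b in banners:
        fp = fingerprint(b)
        report[b] = None if fp is None else affected(*fp)
    return report

if __name__ == "__main__":
    sample = [  # constructed banners
        "SSH-2.0-ExampleSSHd_1.2",
        "220 ExampleFTPd 2.10 ready",
        "220 ExampleFTPd 2.11 ready",
        "Server: ExampleHTTPd/3.2",
        "IMAP4rev1 ready",
    ]
    for banner, hits in check_banners(sample).items():
        print(f"{banner:30} -> {'manual review' if hits is None else hits or 'no match'}")
```

Two details matter in practice: versions must be compared numerically, component by component (2.10 is newer than 2.3), and a banner the tool cannot parse must surface as "unknown" rather than disappear from the report, because unknown is where the interesting hosts tend to hide.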
Step-4: Information Analysis / Planning
Using the security vulnerabilities identified in the previous step, the research, planning and preparatory work needed to infiltrate the system is carried out: which vulnerability to try first, which exploit or payload to use, and what effect a failed attempt could have on the target.
Step-5: Infiltrating the System
At this stage exploit attempts are made against the security vulnerabilities identified in the previous steps. Using auxiliary software prepared for this purpose (exploits, payloads, etc.), the tester tries to gain access to (infiltrate) the target system.
Privilege Escalation: if access to the system is obtained, the tester tries to raise the level of authorization on it in order to control more of the environment and perform more operations; this does not always succeed.
Lateral Movement: after infiltrating one machine, checking whether other machines can be reached by pivoting from it is called lateral movement. To keep the access gained through the infiltration, various persistence methods are tried, such as leaving a backdoor; anything left behind for this purpose must be recorded so that it can be removed in the final step.
Step-6: Results Analysis / Reporting
At this stage the results of the work in the previous steps are evaluated. The report covers the systems that could be affected by the identified vulnerabilities, the potential damage that could occur, and the measures that can be taken to eliminate the identified risks.
Step-7: Cleaning the Traces
Any changes made to the systems during the penetration test are reverted: for example, files that were created or users that were defined during the test are deleted.
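The cleanup step above, as an added example that is not part of the original article: an engagement journal that records every change the tester makes during exploitation and undoes them in reverse order when the test ends, leaving only the journal itself as evidence for the report. The artifacts here (a dropped file and a line appended to an authorized_keys-style file) and the temporary directory they live in are constructed so the script runs offline; a real journal would also hold entries for created accounts, scheduled tasks and the like.

```python
# Added example (not from the original article): an undo journal for test artifacts.
# Every change registers its own undo closure; cleanup() runs them last-in-first-out.
# Paths and file contents are constructed and live in a temporary directory.
import json
import os
import tempfile
from typing import Callable, Dict, List

class EngagementJournal:
    """Append-only log of reversible actions taken on a target."""

    def __init__(self, logfile: str):
        self.logfile = logfile
        self._undo: List[Callable[[], None]] = []

    def _record(self, entry: Dict, undo: Callable[[], None]) -> None:
        # Persist the record before trusting in-memory state, so it survives a
        # crashed session and can be handed to the client with the report.
        with open(self.logfile, "a") as f:
            f.write(json.dumps(entry) + "\n")
        self._undo.append(undo)

    def create_file(self, path: str, content: bytes) -> None:
        if os.path.exists(path):
            raise FileExistsError(f"refusing to overwrite pre-existing {path}")
        with open(path, "wb") as f:
            f.write(content)
        self._record({"action": "create_file", "path": path}, lambda: os.remove(path))

    def append_line(self, path: str, line: str) -> None:
        """Append to an existing file, remembering its original size so exactly the
        appended bytes are truncated away again (the client's own entries stay)."""
        original_size = os.path.getsize(path)
        with open(path, "a") as f:
            f.write(line + "\n")

        def undo() -> None:
            with open(path, "r+b") as f:
                f.truncate(original_size)

        self._record({"action": "append_line", "path": path, "from": original_size}, undo)

    def cleanup(self) -> int:
        """Undo all recorded actions in reverse order; return how many were undone."""
        count = 0
        while self._undo:
            self._undo.pop()()
            count += 1
        with open(self.logfile, "a") as f:
            f.write(json.dumps({"action": "cleanup_complete", "undone": count}) + "\n")
        return count

def demo(workdir: str) -> Dict[str, bool]:
    """Simulate a test that leaves artifacts, clean up, and report what remains."""
    keys = os.path.join(workdir, "authorized_keys")  # pre-existing file (constructed)
    with open(keys, "w") as f:
        f.write("ssh-ed25519 CONSTRUCTEDKEY client-admin\n")
    journal = EngagementJournal(os.path.join(workdir, "engagement.log"))
    shell = os.path.join(workdir, "shell.py")
    journal.create_file(shell, b"# constructed test artifact\n")
    journal.append_line(keys, "ssh-ed25519 CONSTRUCTEDKEY tester-key")
    journal.cleanup()
    with open(keys) as f:
        contents = f.read()
    return {
        "shell_left_behind": os.path.exists(shell),
        "tester_key_left_behind": "tester-key" in contents,
        "client_key_intact": "client-admin" in contents,
        "journal_kept": os.path.exists(journal.logfile),
    }

def run_demo_in_tempdir() -> Dict[str, bool]:
    with tempfile.TemporaryDirectory() as d:
        return demo(d)

if __name__ == "__main__":
    print(run_demo_in_tempdir())
```

Reverse order matters when artifacts depend on each other (a service that runs a dropped binary must be removed before the binary), and truncating to the recorded size rather than deleting the whole file is what keeps the client's own entries intact.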
How Often Should A Penetration Test Be Performed?
Organizations should perform penetration testing regularly, at least annually or, as a best practice, every six months, so that the security of the IT environment is kept consistently under control.
In addition to the analyses and assessments required by legal (regulatory) obligations, penetration tests can also be performed in the following cases:
- After adding new network infrastructure, systems or applications to IT environments
- After significant software and hardware changes to applications or infrastructure
- After applying security patches
- After changing end user policies
- After the establishment of new working environments in different locations
Penetration tests should be tailored to the organization and to the industry in which it operates, and the test results should include the identified vulnerabilities together with follow-up monitoring and assessment tasks.
When deciding how often an organization should be tested, the following factors are considered:
Companies with a greater presence on the Internet have more attack vectors and are therefore more attractive targets for hackers.
Penetration tests can be costly, depending on the size of the targeted coverage. Therefore, a company with a smaller budget may not be able to perform penetration tests more than once a year in the absence of legal requirements. On the other hand, a company with a larger budget may perform penetration testing on a semi-annual or annual basis, or after changes where testing becomes necessary.
Organizations in certain industries are required by law to perform certain security duties, including penetration testing.
For a company whose infrastructure is in the cloud, testing the cloud service provider's own infrastructure may not be permitted; the provider may, however, be performing penetration tests of its own. The company's own deployments on that infrastructure usually remain in scope, subject to the provider's testing policy.
What Is a Penetration Tester? What Tools Do They Use?
Penetration testing tools scan systems and application code to identify weaknesses in potentially vulnerable applications. They also examine the data encryption techniques in use and can find hard-coded values such as usernames and passwords, helping to confirm vulnerabilities in the system.
The most basic features a penetration testing tool should have are:
- It should be easy to set up, configure and use
- It should be able to scan systems easily
- It should classify security vulnerabilities by severity (e.g. Urgent, Critical, High, Medium, Low)
- It must be able to automate the verification of vulnerabilities
- It should be able to re-validate previously found vulnerabilities after a fix
- It must be able to generate detailed vulnerability reports and logs
Most of the popular penetration testing tools are free or open source software; this gives penetration testers the ability to modify or adapt the code to suit their needs. Some of the most widely used free or open source penetration testing tools include:
- Metasploit Project: Metasploit is an open source project owned by the security company Rapid7, which also licenses full-featured commercial versions of the software. It bundles exploits, payloads and auxiliary modules that can be used against servers, web applications and networks. Metasploit can be used to uncover security issues, verify that vulnerabilities have been mitigated or eliminated, and manage the testing process.
- Nmap (Network Mapper): Nmap, short for "network mapper", is a port scanner that discovers which ports on a system or network are open and which services and versions are listening on them; with its scripting engine it can also run checks for some known weaknesses. Nmap is pointed at the IP address(es) of the system or network to be scanned and probes those systems for reachable ports. It can also be used to monitor the uptime of hosts or services and to map a network's attack surface.
- Wireshark: a tool for profiling network traffic and analyzing network packets. Wireshark captures and decodes the packets passing over a network interface and presents the details of every protocol layer, which is why it is used to examine network traffic at various levels of detail and to spot weaknesses such as credentials or sensitive data sent in clear text.
- John the Ripper: software that combines several password crackers in one package. It automatically recognizes different types of password hashes and provides a customizable cracking engine. In penetration tests it is often used to find weak passwords in systems or databases by attacking the recovered hashes.
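What John the Ripper does, in miniature, as an added example that is not from the original article and is not John's own code: recognize a hash type from its shape, mangle each wordlist entry with a few rewrite rules, and compare digests until one matches. The users, passwords, wordlist and the "$salted-sha256$" container format are constructed for this example (the hashes are generated in the script itself); a real cracker supports far more formats and rules and is built for throughput.

```python
# Added example (not from the original article, not John the Ripper's code): a
# wordlist attack with type detection and mangling rules. The password database,
# wordlist and the $salted-sha256$<salt>$<hex> format are constructed.
import hashlib
from typing import Dict, Iterator, List, Optional

HEX = set("0123456789abcdef")

def identify(h: str) -> str:
    """Guess the algorithm from the hash's shape (a reduced version of the
    format auto-detection a real cracker performs)."""
    if h.startswith("$salted-sha256$"):
        return "salted-sha256"   # constructed format: $salted-sha256$<salt>$<hex>
    if h.startswith("$6$"):
        return "sha512crypt"     # recognised here but not implemented
    if set(h.lower()) <= HEX:
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "unknown")
    return "unknown"

def mangle(word: str) -> Iterator[str]:
    """A few of the rewrite rules crackers apply to every wordlist entry."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2023"):
            yield base + suffix

def compute(kind: str, candidate: str, stored: str) -> Optional[str]:
    """Hash candidate the same way stored was hashed; None for unsupported kinds."""
    if kind in ("md5", "sha1", "sha256"):
        return hashlib.new(kind, candidate.encode()).hexdigest()
    if kind == "salted-sha256":
        _, _, salt, _ = stored.split("$")
        return hashlib.sha256((salt + candidate).encode()).hexdigest()
    return None

def stored_digest(kind: str, stored: str) -> str:
    return stored.split("$")[3] if kind == "salted-sha256" else stored.lower()

def crack(records: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Return {user: recovered password or None}."""
    found: Dict[str, Optional[str]] = {}
    for user, stored in records.items():
        kind = identify(stored)
        target = stored_digest(kind, stored)
        found[user] = None
        for word in wordlist:
            for cand in mangle(word):
                if compute(kind, cand, stored) == target:
                    found[user] = cand
                    break
            if found[user] is not None:
                break
    return found

def make_salted(password: str, salt: str) -> str:
    return "$salted-sha256$" + salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed password database; hashes are generated here from known passwords.
SAMPLE_RECORDS = {
    "alice": hashlib.md5(b"Summer2023").hexdigest(),
    "bob": make_salted("password123", "x9Qz"),
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
    "dave": "$6$constructed$notimplemented",
}
SAMPLE_WORDLIST = ["password", "summer", "welcome", "admin"]

if __name__ == "__main__":
    for user, pw in crack(SAMPLE_RECORDS, SAMPLE_WORDLIST).items():
        print(f"{user:6} {identify(SAMPLE_RECORDS[user]):14} {pw or 'not cracked'}")
```

The point for a report is which passwords fell and why: "Summer2023" and "password123" are a common word plus a common suffix, exactly what the mangling rules reproduce, while a long passphrase not derived from the wordlist survives. Note that a per-user salt, as in bob's record, does not protect a weak password; it only prevents one computation from being reused across users.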
Penetration testers use most of the tools that black hat (malicious) hackers use. This is because these tools are widely available, as well as helping penetration testers better understand how these tools can be used against organizations.
Penetration Testing Strategies
The most important issue in any penetration test is defining the scope within which the penetration testers must work. In general the scope defines which systems, locations, techniques and tools may be used in the test. A good scope not only helps the team stay focused but also ensures complete and useful results. For example, if the team gains access to a system during the test because an employee left their password written down, this reveals that the employee violated the security policy, but gives the team no insight into the security of the application that was accessed.
Using different penetration testing strategies helps penetration testing teams focus on the desired systems and gain insight into the most threatening types of attacks.
Some of the main penetration testing strategies used by security professionals are:
- Targeted testing: testing is performed jointly by the organization's IT team and the penetration testing team, and everyone involved can see that testing is being done.
- External testing: It covers a company's externally visible devices and systems that can be accessed via the internet. External penetration testing targets domain name servers, email servers, web servers or firewalls devices. The purpose of this test is to find out if an attacker can break in from the outside and how far they can go by exploiting the vulnerability after gaining access.
- Internal testing: This test simulates an internal (in-house) attack behind a firewall by an internal user with standard access rights. Internal testing is useful for estimating how disgruntled employees can wreak havoc on IT environments.
- Blind testing: by severely limiting the information given to the person or team performing the test beforehand, the actions of a real attacker are simulated. Typically the testers are given only the name of the company. This type of testing can be time consuming and costly, as it may require a significant amount of time for reconnaissance.
- Double-blind testing: In this type of penetration test, only one or two people in the organization may be aware that the test is being performed. Double-blind testing can be useful for testing an organization's response procedures as well as security monitoring and breach event identification.
- Black-box testing: It is basically the same as blind testing, except that the tester does not receive any information before the test takes place. Rather, penetration testers find their own way to reach systems.
- White-box testing: It provides penetration testers with information about the target network before they begin their work. This information may include details such as IP addresses, network infrastructure schemes and protocols used and source code.
- PTaaS – Pen Testing as a Service: a traditional penetration test evaluates an organization's technical infrastructure as it stands during the period in which the test is performed. PTaaS goes one step further and allows continuous testing: the IT infrastructure, computer systems and applications are tested on an ongoing basis to identify potential security vulnerabilities, and continuous scanning lets vulnerabilities be detected and removed faster. As part of continuous security management, PTaaS providers generally operate on an annual subscription that covers the enterprise's entire technical infrastructure. Many providers also produce regular vulnerability scanning reports at daily, weekly, bi-weekly, monthly, quarterly or other intervals, and perform live scans on request.