By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objectives: Explain the techniques used in penetration testing. Topics: - white box - black box - gray box - rules of engagement - lateral movement - privilege escalation - persistence - pivoting - bug bounty program - war flying - war driving - footprinting - OSINT - teaming (red, blue, white, purple) Penetration testing differs from vulnerability scanning. Vulnerability scanning seeks to merely programmatically identify vulnerabilities. A penetration test takes testing further by trying to exploit the vulnerabilities to gain access. As a result, penetration testing might be preceded by an attempt to assess vulnerabilities. Both vulnerability scanning and penetration testing present risk to an organization, but penetration testing is considered a much higher risk. Mimicking real-world attacks can have real-world consequences for systems, so an organization conducting penetration testing must follow a carefully planned program and properly understand the potential trade-offs and risks. Testing Methodology Penetration testing, also commonly known as pen testing, is sometimes used as part of an organization’s information security program to better understand the systems. Pen tests often incorporate real-world attacks to identify methods and weaknesses in the systems, with the aim of gaining deeper access or gaining access to specific targets. Penetration test results can be valuable. For example, they help organizations better understand how their systems tolerate real-world attacks. Identifying the required level of sophistication and the potential threats can help an organization allocate resources properly. Where required, penetration tests can also help quickly identify areas of weakness that need to be strengthened. Organizations can then quantify the adequacy of security measures that are in place and provide meaningful insight into specific threats against the environment. Based on its penetration test program, an organization can also measure its responses, including how quickly it can identify and mitigate attempts. Systems administrators who perform amateur or ad hoc pen tests against networks to prove a particular vulnerability or evaluate the overall security exposure of a network do so at their peril. This is a bad practice because it generates false intrusion data, can weaken the network’s security level, and can even violate privacy laws, regulatory mandates, or business entity guidelines. Certainly, regularly conducted penetration tests can help assess the effectiveness of an organization’s controls, but these tests should always be performed within a defined program of governance that involves senior management. Bug bounty programs, which are a form of penetration testing, have gained a lot of traction in recent years. A bug bounty program is a formalized program to identify the bugs that lead to a vulnerability or an exploit. While bug bounties can be public or private, they have gained widespread appeal as they are often open to the public for externally facing applications and services delivered from the web. Unlike a penetration test, a bug bounty program is offered only on externally facing applications and is not performed on internal applications unless the program is internal to employees, for example. Bug bounty programs have the advantage of providing continuous security testing. Further, the company running the program is free to set not just its own terms but also the dollar amount to be paid. Many bug bounty hunters are mostly seeking recognition. Like a penetration test, a bug bounty program is well defined. Governance, terms, and the rules of engagement are critical and must be made very clear to those who might want to participate. The participants in a bug bounty program also have no understanding of the inner workings of the systems, which have traditionally been known as black boxes because the systems are opaque to the participants. Penetration testing can be conducted using various techniques, classified as follows: - Black box (unknown environment): In a black box test, the assessor has no knowledge of the inner workings of the system or the source code. The assessor simply tests the application for functionality as if he or she were a regular user of the system. An easy way to think about this is to imagine that you cannot see through or inside a black box. - White box (known environment): White box testing, also called clear box or glass box testing, provides more transparency than black box testing. In white box testing, the assessor has knowledge of the inner workings of either the system or the source code. This can be thought of as testing from the perspective of the developer. - Gray box (partially known environment): Gray box testing combines white and black box techniques. Think of this approach as translucent: The tester has some understanding or a limited knowledge of the inner workings. As you can see, the categories refer to varying degrees of knowledge about the systems or applications being tested. Black box testing consumes less time and is less exhaustive than white box testing, and gray box testing falls in between. Figure 8.1 provides a comparison of the three testing types. Comparison between unknown, known and partially known penetration testing environments. The industry is moving away from the use of boxes as metaphors. The exam will likely refer to each type by their environment state. A black box or unknown environment hides the contents (no knowledge). A white box or known environment is see-through (complete knowledge of inner workings). A gray box or partially known environment combines the two (limited knowledge). Penetration testing includes the following components: - Verifying that a threat exists: A penetration test seeks to exploit vulnerabilities. Before you can exploit a vulnerability, you must first understand the threat and its extent. As an analogy, a sheep farmer in an isolated location might be less concerned about locking his front door than about losing his sheep to wolves. - Bypassing security controls: Penetration tests should seek to bypass security controls, just as a real attacker would. Verifying that a battering ram cannot penetrate a stone wall is worthless if a back gate is left wide open. Similarly, network firewalls might be protecting the pathways into the network, but an attacker might find an easier method of entry through a rogue wireless access point or modem. Another common method of bypassing security controls is to render them ineffective. For example, a DoS attack can be mounted on security controls to overload the controls, possibly enabling potentially easier access. - Actively testing security controls: Active techniques include direct interaction with a specific target. Passive techniques seek to identify gaps that could lead to missing or misconfigured security controls. Active techniques, on the other hand, seek to identify whether controls are implemented properly. Consider a lock on a door. Passive testing might uncover documentation and policies indicating that locks are installed, whereas an active test would involve trying to open the door. - Exploiting vulnerabilities: Unlike vulnerability scanning, penetration testing does not just check for the existence of a potential vulnerability but attempts to exploit it. A resulting exploit verifies the vulnerability and should lead to mitigation techniques and controls to deal with the security exposure. Most exploited vulnerabilities are likely to result from misconfigurations, kernel flaws, buffer overflows, input validation errors, and incorrect permissions. Careful planning is required before conducting penetration testing. A penetration test involves four primary phases: planning, discovery, attack, and reporting (see figure below). Keep in mind that planning provides major input into the final reporting phase. In addition, the attack phase can lead to a loop for further discovery and subsequent attack. Phases of a penetration test Planning The planning phase does not involve actual testing. Its purpose is to set expectations and provide clarity regarding the plan and goals. This phase is an important part of the overall process because of the risks of penetration tests. The planning phase is the time to clearly define the rules of engagement—specifically, how the testing will be conducted, including expectations, and how potential situations should be handled (if, for example, sensitive data is revealed). An important output of this phase is a documented plan that includes the rules and expectations. Discovery With planning complete, the discovery phase of penetration testing begins. Discovery consists of two fundamental areas: information gathering and scanning and vulnerability analysis. Information gathering and scanning involve conducting reconnaissance on the target through observation and other outside discovery tools. Many techniques and tools are available for potentially gaining important information; those resources will later serve as the intelligence needed for executing the attack, which is the next phase in the penetration test. While gathering information, reconnaissance is considered either passive or active. Passive techniques are less risky than active ones because they do not require actively engaging with the targeted systems. Passive reconnaissance is often aptly referred to as footprinting. This phase is similar to the phase when a burglar first stakes out a neighborhood to find unoccupied homes or surveilling a specific home to understand when the residents come and go. A penetration test could well use similar techniques in physically observing a data center. OSINT tools are an ideal resource for passive reconnaissance. For example, an organization’s website and public user directory could potentially provide a great deal of pertinent information. Online tools such as whois can easily gather technical contacts, hostname, and IP address information. Remember that footprinting is part of the reconnaissance process. It is used to gather as much information about a target as possible in order to penetrate it. Whois is a free and publicly accessible directory from which domain names can be queried to discover contact and technical information behind registered domain names. Lookups can easily be performed at https://whois.icann.org. Active reconnaissance, on the other hand, requires engaging with a target. Examples include port scanning and service identification. At a minimum, port scanners identify one of two states for a port on a host system: open or closed. These scanners also identify the associated service and, potentially, the application name being run. For example, this can include the specific FTP application name running on port 21 on a specific host. Such information reveals potential targets for penetration testing. Given the ubiquity of wireless networks, two common reconnaissance missions may employ either active or passive methods to look for wireless attack vectors: - War driving: War driving is the act of searching for wireless networks by using a portable computer or other mobile device from a moving vehicle on the ground. - War flying: War flying is the act of searching for wireless networks by using a portable computer or other mobile device from an aircraft, such as a drone or another unmanned aerial vehicle (UAV). The next step involves vulnerability identification and analysis. Databases of publicly known vulnerabilities are available. Vulnerabilities can be manually identified, or automated scanners can be used. Attack During the attack phase, the tester tries to gain access or penetrate the system, often as a result of exploiting an identified vulnerability during the previous phase. The idea is to at least perform an initial exploitation, even if it does not reveal the ultimate goal or data of value. During this initial exploitation, the tester commonly has only regular user access and does not have access to high-value areas. However, this initial exploit provides the opportunity for the penetration tester to execute privilege escalation. The tester can then gain access at a higher authorization and conduct more advanced commands and routines. From there, the tester can likely begin to gain further access deeper into the network, in a process known as lateral movement. Moving laterally requires pivoting, often through multiple systems and in different directions in order to continue moving more deeply into the system. Throughout these pivots, the tester might try to install additional tools. This process, known as persistence, enables the tester to gain additional compromising information once an objective has been achieved or to ensure continuance despite temporary opposition. Achieving persistence may also involve, for example, planting backdoors to allow continued remote access into the systems. Finally, the last step is cleanup. Attackers usually want to remove any mess or signs left behind that they have been in the systems, particularly if they expect to remain persistent. During penetration testing, cleanup is important to ensure that systems are back to their original state and that no new vulnerabilities have been introduced. The following are the progressive steps you should remember during the attack phase: Initial exploitation Escalation of privilege Pivoting and lateral movement Persistence Cleanup Reporting Reporting is an important component of a penetration test. Specifically, as activity is documented, and depending on the plan, reporting might be required in the discovery and attack phases. After any penetration test, a comprehensive report should be delivered that includes, at a minimum, vulnerabilities identified, actions taken, and the results, mitigation techniques, and some sort of quantification of the risk. Team Exercises Organizations with mature security programs may find that assessments around teaming are beneficial. An assessment that is similar to a traditional penetration test but is more targeted is known as a red team assessment. Such exercises have a specific goal and may last longer than a scoped-out penetration test. A red team assessment is concerned specifically with vulnerabilities that will help accomplish a goal. The red team acts as the adversary, attacking and trying to remain unnoticed. Teaming exercises are fun, though, because they include additional teams. The blue team is the defenders. Their job is to counter the red team and keep the red team from accomplishing its mission. Teaming has an additional advantage as it makes it possible for an organization to measure and improve alerting and responses. Recently, the idea of purple teams has become common. With purple teaming, the red and blue teams work together, often sitting down side-by-side to identify vulnerabilities, test controls, and explore ways to defeat and improve the controls. An additional team, known as the white team, should be involved as a neutral team. This team defines the goals and the rules and adjudicates the exercise. White teams tend to not be as technical as the red and blue teams; the members of the white team drive an exercises through their knowledge and involvement across governance and compliance. The white team, as a result, is the team that steers the exercise with its knowledge of overall risk strategy, including the goals and requirements of the business.
This figure provides a brief summary of these team. A summary of red, blue, purple, and white teams Know that the red team attacks, the blue team defends, and the white team referees. The purple team combines the skills and knowledge of the red and blue teams to achieve maximum effectiveness. Quiz: 1. You are conducting a penetration test on a software application for a client. The development team has provided you with complete details around the source code and development process. What type of test will you likely be conducting? A. Black box B. Vulnerability C. White box D. Answers A and B 2. A ______ team is ______, and a ______ team is ______. A. blue, offensive, red, defensive B. red, offensive, blue, defensive C. red, offensive, white, defensive D. white offensive, blue defensive 3. Place the following steps in the correct order for the attack phase: a. Persistence, b. Cleanup, c. Lateral movement, d. Privilege escalation, e. Initial exploitation. A. a, b, c, d, e B. e, d, c, a, b C. e, a, c, d, b D. a, e, d, b, c 4. Which of the following is part of a passive reconnaissance process and is used to gather as much information about a target as possible in order to penetrate it? A. Footprinting B. War driving C. War flying D. Bug bounty Answer 1: C. White box testing (known environment) is transparent. Because you are provided with source code, you have more knowledge about the system before you begin your penetration testing. Answer A is incorrect because black box testing (unknown environment) assumes no prior knowledge. Answer B is incorrect because this refers to a weakness. Therefore, answer D is also incorrect. Answer 2: B. In teaming exercises, red teams are offensive, and blue teams are defensive. Answer A is incorrect. Answers C and D are also incorrect, as white teams are neutral. Answer 3: B. The steps during the attack phase of a penetration test are 1. Initial exploration, 2. Privilege escalation, 3. Pivoting and lateral movement, 4. Persistence, and 5. Cleanup. Answers A, C, and D are incorrect as they are not ordered correctly. Answer 4: A. Footprinting is part of a reconnaissance process. This process is used to gather as much information about a target as possible in order to penetrate it. This is similar to a burglar first staking out a neighborhood to find unoccupied homes or surveilling a specific home to understand when the residents come and go. Answer B is incorrect. War driving is the act of searching for wireless networks using a portable computer or other mobile device from a moving vehicle on the ground. Answer C is incorrect. War flying is the act of searching for wireless networks by using a portable computer or other mobile device from an aircraft, such as a drone or another unmanned aerial vehicles. Answer D is incorrect because a bug bounty is a form of penetration testing; it is a formalized program to identify bugs that lead to a vulnerability or an exploit.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.