Ethical Hacking by Penetration Testing
Cybersecurity professionals face daunting challenges in protecting system availability and network integrity. Almost weekly, the media report breaches of major corporate networks in which the confidentiality of valuable information is exposed. In defense against these attacks, an arsenal of tools is required. Application testing, vulnerability assessments, and patch management are used as protective measures. Penetration testing is another available tool.
With slight adaptations by individual authors, the literature shows consensus on the conceptual definition of penetration testing. Many describe it as a preventive measure that uses methods similar to an attacker’s to foresee possible attack vectors capable of penetrating existing defenses. Others suggest penetration testing is used to “identify and fix holes” to mitigate the damage of cyberattacks. Penetration testing must be based on a systematic plan rather than on a random selection of assessment methods to test vulnerabilities. It requires various tools and methods to detect system, network, and web-facing application vulnerabilities. The human element must be part of a comprehensive penetration test. However, some authors restrict the definition by limiting tester knowledge of “normal access tools” such as username/password combinations; this restriction would not allow full-knowledge testing. The definition may include vulnerability exploitation for data extraction, privilege escalation, and other hostile actions.
Internal cybersecurity teams must perform any tests strictly according to policies and procedures. A scope of engagement is mandatory for any external penetration testing performed by outside consulting teams. The engagement scope is the mutual agreement between an organization and the penetration test team. Senior management must explicitly agree to the breadth and limitations of access and techniques. There are three styles of engagement, each giving testers a different level of knowledge: black-box, white-box, and gray-box.
Black-box teams are given no knowledge of system purpose or network topology. Any needed information must be obtained from publicly available sources. Network scans, social engineering, and other methods are used to obtain the information required to conduct a successful penetration test. Black-box, sometimes called “zero-knowledge” testing, resembles the techniques used with actual external.
In contrast to black-box teams, white-box teams are given full knowledge of what is needed to perform a penetration test successfully. They may be provided with application source code, current patch levels, and network topologies. Because this information is known in advance, pre-test reconnaissance time and expense are reduced, and testing efficiency improves.
The third style of engagement is hybrid gray-box penetration testing. Sometimes called a partial-knowledge scope, it limits the information provided to the testers to certain areas and systems.
Testing Stages
Though the terminology varies in the literature, conceptual models of the testing stages appear consistent. A five-step process is usually discussed as the stages of penetration testing. A summary of the steps in each stage follows:
1. Planning/Reconnaissance — Agreement on scope and development of explicit rules of engagement occur during this phase. Specific target information is gathered, including domain/subdomain names, IP addresses, firewalls, and other relevant details.
2. Scanning/Enumeration — Information is obtained directly from target networks and systems. Network topologies are mapped, and open and target ports are determined. Vulnerabilities associated with the open ports are considered.
3. Access/Exploitation — The primary goal is defeating target security mechanisms during this phase. Identified vulnerabilities are specifically targeted.
4. Maintaining access/privilege escalation — Once a system is successfully penetrated, access must be maintained while vulnerabilities are exploited. Privilege escalation and pivoting may follow, depending on the engagement’s scope; however, harvesting data is usually the primary goal of this stage.
5. Exfiltration/Reporting — Any network or system access leaves traces of evidence. Outside of a penetration test, some hackers purposely leave evidence that is found during incident response and later analysis, while others take great care to hide all of their activities. Whether removal of digital forensic evidence is helpful for penetration testers depends on prior agreement. It could be beneficial to leave log traces to demonstrate successful access and to aid in implementing countermeasures. During this phase, all activities of the penetration testing process, both successful and unsuccessful, are reported.
Testing Methods
Methods used while performing penetration testing vary widely. The methodology selected depends on the particular device or component and its suspected vulnerabilities. For example, web application testing uses different methods than those used to test network components, operating systems, or databases, or to attempt privilege escalation. Depending on the stage, component, or device, methods could include vulnerability and port scans, packet sniffing, DoS attacks, and social engineering tactics. While maintaining access and attempting to pivot or escalate privileges, the tester will try to obtain authorization to access data within scope. Also, if in scope, obtaining remote access for further data exfiltration would be attempted during this stage. If the rules of engagement permit, a tester ensures continued access to the targeted system for further examination or data exfiltration.
Penetration testers commonly use a Linux operating system. Numerous distributions exist that focus on tool suites covering the various stages of penetration testing. Kali Linux, developed and maintained by Offensive Security, is well known for its rich and encompassing toolsets for penetration testers and hackers, ethical or otherwise. Parrot Security OS is another testing distribution that focuses on cloud security. Other frequently used distributions include the Samurai Web Testing Framework, Pentoo Linux, and ArchStrike. Further, proprietary systems dedicated to penetration testing are commonly used. Also, a tester with scripting knowledge may modify existing code to meet the exact specification for a particular vulnerability as needed.
The method of choice varies according to the stage. For example, during planning and reconnaissance, a combination of online tools and frameworks and information gathering via social engineering could be utilized. A commonly used tool during scanning/enumeration is Nmap. It offers easy fingerprinting and aids in evading Intrusion Detection Systems (Nagendran et al., 2019). In the access/exploitation stage, manual exploitation may be more appropriate than automated tools. Automation will detect numerous exploitable vulnerabilities; however, tester intervention usually selects the most appropriate exploit method. Finally, and perhaps most important, is accurate reporting of results. A summary document is sufficient for senior-level management; however, a detailed explanation of all activities is required for cybersecurity management.
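As an added example that is not part of the original text, the defender’s side of the scanning/enumeration stage: a small detector that reads constructed firewall log lines and flags a source address touching many distinct ports within a short window, the kind of log trace that stage 5 notes can aid in implementing countermeasures. The log format, the threshold, and the addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (addresses are documentation ranges,
# not real hosts). Format assumed: timestamp action source_ip dest_port
SAMPLE_LOG = """\
2024-01-15T10:00:01 DENY 198.51.100.7 22
2024-01-15T10:00:01 DENY 198.51.100.7 23
2024-01-15T10:00:02 DENY 198.51.100.7 80
2024-01-15T10:00:02 ALLOW 198.51.100.7 443
2024-01-15T10:00:03 DENY 198.51.100.7 445
2024-01-15T10:00:03 DENY 198.51.100.7 3389
2024-01-15T10:00:04 DENY 198.51.100.7 8080
2024-01-15T10:00:10 ALLOW 192.0.2.15 443
2024-01-15T10:05:00 ALLOW 192.0.2.15 443
2024-01-15T10:06:00 DENY 192.0.2.15 22
"""


def parse_line(line):
    """Split one log line into (timestamp, action, source_ip, dest_port)."""
    ts, action, src, port = line.split()
    return datetime.fromisoformat(ts), action, src, int(port)


def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources reaching at least `threshold` distinct ports within any
    sliding `window`; ALLOW and DENY both count. Returns {src: ports_seen}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, _action, src, port = parse_line(line)
            events[src].append((ts, port))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {port for _, port in hits[start:end + 1]}
            if len(distinct) >= threshold:
                # Report every port this source touched, for the findings.
                flagged[src] = sorted({port for _, port in hits})
                break
    return flagged


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```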
Web applications expose different vulnerabilities than system hardware and operating systems. Common methods to exploit a web application and extract data include SQL injection, cross-site scripting, cross-site request forgery, insecure direct object reference, and remote code execution.
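As an added example that is not part of the original text, the SQL injection finding named above shown as a web application’s “before” lookup beside its remediated form, with SQLite and constructed sample rows standing in for the application’s database (the table and usernames are assumptions):

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def lookup_vulnerable(conn, username):
    """The finding: user input is spliced into the SQL text, so a quote in the
    input changes the query's structure instead of being compared as data."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, username):
    """The remediation: a bound parameter keeps the input as a value, so the
    same test string matches no row and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


# The classic tautology test string a tester submits to confirm the finding.
TEST_INPUT = "' OR '1'='1"


def demonstrate():
    """Run both versions with a normal username and with the test string."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_test": lookup_vulnerable(conn, TEST_INPUT),
        "fixed_normal": lookup_fixed(conn, "alice"),
        "fixed_test": lookup_fixed(conn, TEST_INPUT),
    }


if __name__ == "__main__":
    for name, rows in demonstrate().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the test string, which is what a tester reports as the finding; the parameterized version returns nothing for the same input, which is how the fix is verified.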
Despite the best attempts of network administrators, firewalls are frequently breached. Metasploit, part of the Kali Linux distribution, may be used by penetration testers to bypass firewall security. Penetration testers may also use Nmap and Hping to locate firewalls. After the firewall is located, methods other than Metasploit may be used. For example, traceroute, port scanning, banner grabbing, and access control enumeration may help bypass firewall protection.