About penetration testing

What is Penetration Testing?

Penetration testing, also known as pen testing, security pen testing, and security testing, is a form of ethical hacking. It describes the intentional launching of simulated cyberattacks by “white hat” penetration testers using strategies and tools designed to access or exploit computer systems, networks, websites, and applications.

  • In the case of networks, the high-level goal is to strengthen security posture by closing unused ports, troubleshooting services, calibrating firewall rules, and eliminating all security loopholes.
  • In the case of web applications, pen testing is designed to identify, analyze, and report on common web application vulnerabilities such as buffer overflow, SQL injection, cross-site scripting, to name just a few.
  • Pen testing can also be used to attempt to gain privileged access to sensitive systems or to steal data from a system that is believed to be secure.

Stages to Penetration Testing

1. Planning and Reconnaissance

This stage involves defining the scope and goals of the test and gathering intelligence to better understand how a target works

2. Scanning

This next step is to understand how the target application will respond to various intrusion attempts. This is done using Static analysis which is inspecting the code to estimate the way it behaves while running and Dynamic analysis which is inspecting the code in a running state.

3. Gaining Access

This stage uses web application attacks such as SQL Injection and backdoors to uncover a target's vulnerabilities. Testers then try and exploit these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic, etc., to understand the damage they can cause.

4. Maintaining access

The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system long enough for a bad actor to gain in-depth access. The main idea is to imitate advanced persistent threats.

5. Analysis

The results of the penetration test are them compiled into a report detailing specific vulnerabilities that were exploited, sensitive data that was accessed and the amount of time the oen tester was able to remain in the system.