Penetration Testing: A Guide

Penetration testing is an evaluation technique in which ethical hackers simulate real-world cyberattacks on a system with its owner's permission to determine its security.

Penetration testing is performed by highly skilled individuals who have experience searching for, identifying, exploiting and reporting vulnerabilities in information systems. Although the activity of pen testing can be done for good or bad, the term is universally used to refer to the legal and well-intentioned practice. The expert carrying out the tasks in pentesting aimed ultimately to secure IT systems can be called “pen tester,” “ethical hacker” or “security analyst,” among other names. We will use them interchangeably in this post.

Pen testers may or may not have formal education and training. They may have earned a diploma in computer science or engineering, or may have completed a study program on cybersecurity. They may have earned certifications such as OffSec Certified Professional (OSCP) or even Offensive Security Exploitation Expert (OSEE). Or they may not. The one condition to be a pen tester is effectively proving to have cybersecurity knowledge by using it creatively to bypass security defenses.

By the way, pen testing is also known as “manual pen testing” (MPT). Indeed, we have published our stance on "automated penetration testing" (APT), and it is that it does not really exist yet: MPT is the only kind of penetration testing, as only humans can carry out and achieve what is expected with this security testing technique.

While vulnerability assessment is the name given to the systematic evaluation of IT system security and thus responds to the "what," pen testing refers to a specific evaluation methodology and thus responds to the "how." There is no use in trying to compare them. Instead, comparisons like the one in the above section, between two vulnerability assessment methodologies, can be useful. Again, we recommend using both penetration testing and automated testing, as this will help achieve comprehensive vulnerability assessments.

Every organization that has Internet-facing assets is automatically and constantly exposed to the attacks of cybercriminals. The activity of malicious hackers, specially of advanced persistent threats and ransomware gangs, is growing so strong that every year the previous cybercrime cost record is broken. Throughout 2024, this cost will likely be 302,000 USD per second. Aware of the risks, organizations worldwide are implementing security testing. Some of them go merely for tools to test their technology. And tools are alright but not enough. Even having more than 50 tools does not guarantee those organizations they will feel better prepared to detect and respond to attacks. What they need is to see the security of their technology through the eyes of the attacker.

Penetration testing is important because it subjects technology to realistic attack simulations. The ethical hackers performing it are up to date with the changing threat landscape and are just as capable as malicious hackers of finding business-critical vulnerabilities, as they use the same techniques and know the way of thinking of cybercriminals. Organizations having pen tests performed in their systems can make them less vulnerable to attacks. We see this frequently as our annual reports repeatedly show that manual reviews discover most of our clients' systems' risk exposure. For example, in our State of Attacks 2023, we present that it was ethical hackers who reported 72% of the critical vulnerabilities in the systems assessed by them and tools. Therefore, pentesting contributes significantly to organizations having a more realistic view of their technology cybersecurity.

The organization shares the source code with the hacker as well as other resources that can help testing by giving context. The security analyst can then add performing code review to their tasks, which also include attacking the software product as it runs. This agreement yields the best results, as the hacker can progress more rapidly and has a better chance to find every vulnerability.

Pen testers may use tools to keep gathering information. They may scan part of the ToE with free tools to find out about, for example, its software versions and databases, third-party components and hardware types. These professionals have a wide range of options. Just look at the OSINT framework to get an idea. Let's say the hacker uses the tool Zenmap. This program will help them perform a port scan to recognize which ports are open and the services and operating systems to which they are related. Further, the hacker may use enumeration tools (e.g., Angry IP Scanner, Cain and Abel, SuperScan), which help them find out the servers, devices, folders, files, users, and more, within the ToE.

Other tools will help the pentester scan for security vulnerabilities. If they have (or gained) access to source code already, they may use a static application security testing (SAST) tool to scan for insecure code. For example, using Gitleaks, they can learn if there are exposed secrets and sensitive data in Git repositories. There is also vulnerability scanning that does not need the source code. A dynamic application security testing (DAST) tool might be useful, as it would test the running software from the outside, simulating actual use. For example, hackers can choose Burp Suite Professional, if the ToE is a web application, to find flaws and assist them with the exploitation of such flaws. While automation is great to make progress fast, it is up to the hacking expert to do their own code review and probing having the business logic in mind, as well as actually combining vulnerabilities to achieve a greater impact than otherwise possible, thus outsmarting any tool. Since they will have to report it, the hacker needs to calculate the impact of each vulnerability considering factors like attack scenario, difficulty of exploitation, privileges required, effect on the availability, confidentiality and integrity of the information resources managed by the software product, and influence on any nearby systems.

The pen tester is able to come up with custom exploits or find some already in use to gain access and reach high-value objectives in their ToE. They can use a tool like Metasploit to help them develop such exploits and launch their attacks. During this stage, the hacker focuses on XSS and SQL injection attacks, among others, with which they can bypass security controls. Having, for example, hijacked a user account, they can work to see if it is possible to escalate privileges (i.e., get permissions beyond what is assigned for the account they are using), view and transmit sensitive data, and more. From this stage, it is all about demonstrating the impacts of security vulnerabilities. Although the objective of pen tests is to find vulnerabilities in systems through highly realistic attacks, the ethical hacker may ensure that these attacks do not actually halt or disrupt operations in the target company. At Fluid Attacks, for example, our hacking team operates in "safe mode," unless otherwise requested by the target company, so that the latter does not stop generating functionality while security tests are performed.

The parties agree to part of the organization's security team not knowing that penetration testing has been requested. This will greatly support the operation being as realistic as possible. The organization's defenders would not know the times and places of the hackers' intrusions nor be asked for permissions. We advise this setting for red teaming operations.

Penetration testing is classified into different types. There is no universal consensus on which classification to use. Like in our post "Security Testing Fundamentals," we have chosen the one that indicates the target of evaluation. We have expanded more on the penetration testing types in another blog post.

Ethical hackers can perform pentesting in web and mobile applications. This ingenious methodology can detect complex security vulnerabilities such as injection, business logic and deployment configuration flaws.

To look for known web vulnerabilities fast, pen testers may use website security scanners such as Burp Scanner, ffuf, Nuclei and Vega. With those taken care of, the experts may spend most of their time looking for the most complex vulnerabilities, which tools cannot find.

Mobile app pentesting can be performed on operating systems such as iOS, Android and Windows UI. As with web apps, the authority is OWASP with its Mobile Top 10 list. The following are some important security requirements for this type of ToE.

Hackers can take advantage of automation when testing this ToE too. Some tools to perform both automated SAST and DAST in multiple OS are MobSF and Objection.

In this type of assessment, pen testers simulate attacks to see if the network can be breached (external penetration testing or external testing) and/or find out what damage they are able to cause while inside (internal penetration testing or internal testing). While testing the former, the hacker may try offensive attacks like password spraying (i.e., testing a default password with multiple usernames looking for a match) and credential stuffing (i.e., testing access with breached credentials). Internal pentesting involves different actions, such as man-in-the-middle attacks (i.e., intercepting and/or modifying data exchanged between two parties unbeknownst to them).

In some cases, for example, when doing reconnaissance, hackers may resort to social engineering. Basically, they would use weapons of influence, such as scarcity of time, to persuade unsuspecting employees to take cybersecurity risks. Common attacks in these operations include phishing, where the hacker impersonates legit organizations or persons through email to get the targeted person to share information, install malware, etc.

We have referenced throughout this blog post a few tools that hackers use. We have some lists you can access for reference in our main post about red teaming and the one about ethical hacking. For this section, we will just mention the classification often used for these tools.

There is point-in-time and continuous penetration testing. There are benefits of the latter over the former. One of them is that, if assessed continuously, the organization can get real-time security posture identification. This is key, as threats are persistent and evolving, and therefore a snapshot of the ToE's security can become outdated pretty quickly. Another benefit is that it costs less, as organizations do not have to spend time with every pen test looking for the right professionals available and establishing the rules of engagement (ROE). Continuous pen tests, unlike point-in-time, also allow for adjustable scope, so that, if hackers discover assets that were unknown before setting the ROE, they can include them in the tests. Lastly, continuous operations allow for ongoing support from experts, so that those responsible for remediation can have advice on many of the vulnerabilities found and not only in the few ones they have to prioritize during a shorter support period offered by point-in-time pen tests. (For more on the benefits and how we overcome the challenges of this modality, read our post "Continuous Penetration Testing.")

Penetration testing is required in some industries. The standards that mandate it also say how often it should be done. For example, the Gramm Leach Bliley Act (GLBA) requires financial institutions to conduct pentesting annually. So does the Payment Card Industry Data Security Standard (PCI DSS), while requiring service providers specifically to do it once every six months and after changes to segmentation controls/methods. We expand on the subject in our post "Penetration Testing Compliance." At Fluid Attacks, we advise organizations to go beyond mere compliance and test their applications and other systems continuously.

The above are among the benefits of our Continuous Hacking Advanced plan, which also includes other manual techniques (secure code review and software reverse engineering), besides our vulnerability scanning. If you want to test the benefits of continuous security testing first, by only performing scans to your application, we invite you to start a 21-day free trial of our scanner. To enjoy more than vulnerability scanning, you can upgrade to the paid Advanced plan at any moment.