What Is Manual Penetration Testing?

Penetration testing or pentesting is a type of security testing in which one or more ethical hackers attack an information system with the authorization of its owner to identify and report security vulnerabilities. What? Yes, we know. You've probably heard that this is something that can also be performed and achieved by specific automated tools. People usually talk about "manual penetration testing" and "automated penetration testing." However, some of us consider and affirm that what happens in the latter doesn't comply with what pentesting really is and that this name was just a fruit of a marketing strategy. Manual pentesting, as we'll see, is the only pentesting.

Manual penetration testing (MPT) is pentesting carried out by offensive security experts called pentesters or ethical hackers. In their work, they must use proprietary or public tools as support, some of which can be automated tools. On the other hand, automated penetration testing (APT) is supposedly pentesting performed by automated tools. A person with basic knowledge of cybersecurity, let's say from a regular IT staff, could run such tools without any problem.

The pentesters in MPT simulate real-world attacks, employing various tactics, techniques and procedures that malicious hackers might also use. The pentesters show creativity in their ways of attacking. They can make unexpected turns during the tests, depending on their objectives and results. APT tools, in contrast, follow a standard, delimited pattern. They are restricted to delivering reports with predetermined, known vulnerabilities, many of them mere low-hanging fruits. They cannot do what the pentesters can, that is, identify zero-day vulnerabilities (i.e., previously unknown security issues).

In MPT, the pentesters seek to understand the structure and functionality of the target of evaluation (ToE). From there, they are able to identify types of vulnerabilities that are not or hardly detected in APT. For example, the detection and verification of some issues with data handling, such as Cross-site Scripting (XSS) and SQL Injection, as well as business logic flaws and access control vulnerabilities, depend more on MPT. APT focuses more on, for instance, faulty permission rules, missing updates and misconfigurations. ToE responses to certain inputs may appear valid to automated tools when, in fact, they are anomalies in the eyes of the pentesters. Because of its depth and analysis, the MPT can report the most complex and critical vulnerabilities, which, by the way, the pentesters can exploit to assess their impact. Something the tools do not accomplish.

Since it involves humans in deep immersion, MPT usually takes longer and is more expensive. Rented or purchased APT tools perform their tests much faster but superficially. Another problem for the latter is that they often report false positives. Part of the time gained in their evaluations is lost with the need to verify false positives. Developers end up spending hours dealing with lies. Because it is cheaper, APT is often applied more regularly than MPT. However, as in PTaaS (penetration testing as a service), MPT can also be implemented for continuous assessments.

The reports of some APT tools may not be very detailed or provide solution recommendations. This is different from what pentesters can achieve. In addition, by evaluating more attack surfaces through various methods, the pentesters allow development teams to have results in hand to deal with a broader range of cyberattacks. It should be noted that the effectiveness of MPT depends on the capabilities of each ethical hacker hired and may vary from time to time. In APT, on the other hand, the effectiveness is always predetermined.

Merging both presented methodologies allows us to obtain benefits from each of them. Automated tools' fast and superficial work enables pentesters to invest time in complex assessments. In fact, this is how proper pentesting is usually done. The tools contribute in one of its phases to what we could say they actually do: vulnerability scanning. There is no automated penetration testing. That doesn't exist so far. It is the expert humans who do the pentesting, within which, in one of the phases we'll see later, they can call on the assistance of automated tools.

In this mode, also called clear-box or glass-box testing, the pentesters have extensive knowledge of the ToE, as well as access to its source code and other resources that its developers can access. Code review involves the use of tools not employed in black box pentesting. It can then be a more complete and exhaustive assessment for the possible identification of a more significant number of existing vulnerabilities. Indeed, although, in this case, the pentesters perform structural testing (perhaps giving it a higher priority), they can also perform functional or business testing, as in black box mode.

The pentesters begin to collect information about the ToE. This will depend on the mode of testing. Although it is true that in a white box pentesting the pentesters have a large amount of information, further nurturing these resources allows for making it clear what a malicious hacker could access in the ToE. There are many useful free tools for collecting data on, for instance, software versions and databases, hardware types and third-party components used in the ToE. (Some can be found thanks to the OSINT framework.) In their attempt to access the system, the pentesters may also look for ways to obtain data such as usernames and passwords.

Reconnaissance is usually initially passive and then active. In the former, the pentesters gather information about the ToE without direct contact with it. In this process, there is no way to activate some intrusion detection system or to leave any traces. Google searching, social media scanning, and sites such as netcraft.com and archive.org come into play. In active reconnaissance, instead, there is interaction with the ToE. The collection of information is more intrusive, so there is the possibility of the pentesters being detected. The idea is to identify the technology used by the ToE and possible entry and attack vectors. Here, for example, a port scan is usually carried out to determine which ports are open and which services and operating systems they are related to. One of the most recognized port scanners is nmap.

In connection with the above, there is also a process called enumeration. Here, the attack surface is reviewed in detail. The pentesters seek to determine what is in the ToE. Depending on the target, it is then possible to know, for instance, servers and devices involved, as well as users, folders and files. Some enumeration tools are Cain and Abel (as we saw some time ago, it is also used for password cracking), Angry IP Scanner and SuperScan. Apart from port scanners and enumeration tools, the pentesters can also use packet sniffers, which are used to intercept and log network traffic.

At Fluid Attacks, penetration testing is performed by groups of experienced and highly certified pentesters or ethical hackers. Our red team has individuals with diverse skills who assume different roles within the tests. So, for example, what may escape one group may possibly be discovered by another from a different perspective. We make use of our own security scanning tools for SAST, DAST and SCA-type tests. However, as happened last year and we highlighted in our last State of Attacks report, the detection of critical severity vulnerabilities may depend entirely on the manual work of our hackers.

In our pentesting solution, we test, from a threat actor perspective, the security of your web and mobile apps, cloud infrastructure, networks, and IoT devices, among many other information systems. In our platform, you receive continuous reports of our findings with minimal false positive and false negative rates. There you get detailed outcomes, including evidence. You can assign vulnerabilities for remediation to your staff, request as many reattacks as necessary, and also have the support of our hackers.

Pentesting is a thorough assessment by experts that vulnerability scanning cannot replace. (If you want to take the first step in security by trying a scan with our vulnerability scanning software, request our 21-day free trial). It is striking how many believe that both are the same thing. But there are indeed scammers in the market, and they can tell you that they do penetration testing when, in fact, they apply vulnerability scanning. Don't be misled. If you want more details on what to base your choice of the right pentesting provider for your organization, read our blog post "Choosing the Right Pentesting Team." If you are interested in learning about the PTaaS model (which involves continuous penetration testing) and its benefits for your company, we invite you to read "Penetration Testing as a Service." Any doubt? Don't hesitate to contact us.