External Penetration Testing: What It Is & How It’s Done

In an external penetration test, the pen tester tries to break into the network from outside the perimeter. Where an internal pen test examines network security from the inside, an external pen test focuses chiefly on perimeter security.

Once the scope of the test has been clearly defined, the external pen tester begins by probing the perimeter for vulnerabilities and compiling them into a list. They then draw up attack plans and attempt to exploit these vulnerabilities. This is no mere vulnerability scan: a penetration test simulates a real-world attack.

Once finished, the pen testers compile their findings into a report, which the company being tested can then use as a jumping-off point to shore up its network perimeter security.

How to Conduct an External Penetration Test

1. Scoping

Before the test can begin, the company being tested works with the pen testers to determine the scope and objectives of the penetration test. The scope outlines the networks and systems that the tester will target, and identifies any devices or assets the organization wishes to exclude.

The objectives might home in on specific types of exposure, such as network or application vulnerabilities. A key question is whether the test should include social engineering. This is one of the most common attack vectors, so it’s absolutely worth considering. But it can be disruptive, and entails engaging employees who might not otherwise be involved in pen testing, so some companies may prefer not to include it.

2. Reconnaissance

The penetration testers begin by gathering information. That includes passive reconnaissance, in which they focus on publicly accessible information, such as employee names and email address structures found on company websites or social media. Pen testers may also seek out available password dumps, as those can reveal usable employee credentials.

The pen testers will also engage in enumeration at this stage, using tools and scanners to extract information on the system being tested. This can include details on users, network devices, operating systems, software and more. At this stage, the pen testers begin to identify security measures, such as firewalls.

3. Vulnerability Attack Plan

As the pen testers gather information, they begin to compile a list of vulnerabilities. To aid in this, they’ll also use vulnerability scanning tools to identify at-risk systems and viable attack vectors. These tools are especially adept at detecting common vulnerabilities and exposures (CVEs), but a skilled pen tester will dig deeper to probe for any vulnerability they can turn up.

Now the pen tester begins drawing up an attack plan. Where a vulnerability scan might stop at identifying vulnerabilities, a pen test goes further, attempting to exploit these vulnerabilities.

4. Exploitation

Now the pen testers launch their attacks, attempting to exploit the vulnerabilities they have identified so they can gain access to the network. They’ll start by engaging their plan as written, but their tactics might shift as the test progresses. They might encounter something unexpected, such as a previously unnoticed security mechanism, that causes them to adapt their attack strategy on the fly.

Not every simulated attack will pan out. That’s a key benefit of penetration testing: through manual exploitation, the pen testers will discover any false positives the vulnerability scan might have turned up.

5. Escalation

In many tests, the simulated attacks described above will stop once they breach the network. The primary focus of external pen testing is on perimeter security, so it does not always fit the scope of the test to escalate attacks once the perimeter has been breached.

But there can be benefits to pushing further. Even if the pen testers merely maintain access, they can assess the network’s detection mechanisms simply by remaining unnoticed on the network.

The pen testers might even try new attacks from within the perimeter. For example, they may try to elevate any acquired credentials to gain additional access or modify data or systems while remaining undetected. Some companies prefer to handle those tests separately, during internal penetration testing, so this isn’t always part of the external penetration test.

6. Cleanup

As the test finishes, the pen testers and the organization will clean up the network, restoring it to its state before the test. That means deleting any accounts that were created as part of the test, and restoring any changes that were made to network settings or associated systems.

7. Reporting

Finally, the pen testers compile their findings into a report. This will detail the scope of the test, all vulnerabilities that were identified, how the pen testers attacked those vulnerabilities, and, of course, the results. This usually includes a severity score for each vulnerability, based on industry standards and independent risk assessments.

8. Remediation & Retesting

With the report in hand, the organization can now focus on improving their network perimeter security. That might include applying software patches, or reconfiguring network hardware to mitigate vulnerabilities.

Once remediation is complete, it’s best to retest the network. By doing so, organizations can confirm that any corrective actions successfully protect the organization’s systems and assets. The simplest starting point is to recreate the attacks simulated in the initial pen test. If more substantial changes were made to the network, it might be best to do a new pen test from scratch.

In some cases, retesting will surface new vulnerabilities as a result of changes to the system. It’s not uncommon to open a new vulnerability while fixing another one – all the more reason to retest until you’re confident your network perimeter is secure.
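
The retest comparison described in this step, as an added example that is not part of the original article: it sorts findings into remediated, still open, and newly introduced, and flags anything recorded against a host outside the agreed scope. The `Finding` fields, issue labels, and addresses are constructed for illustration, and a finding absent from the retest is assumed fixed only because the retest recreated the original attacks.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str        # IP address of the affected perimeter system
    port: int
    issue: str       # tester's label for the weakness (hypothetical naming)
    severity: float  # severity score as recorded in the report

def in_scope(host, included, excluded):
    """True if host is in an agreed network and not in an exclusion."""
    ip = ipaddress.ip_address(host)
    if any(ip in ipaddress.ip_network(net) for net in excluded):
        return False
    return any(ip in ipaddress.ip_network(net) for net in included)

def compare_retest(initial, retest, included, excluded):
    """Classify retest results against the initial report, worst first."""
    key = lambda f: (f.host, f.port, f.issue)
    before = {key(f): f for f in initial}
    after = {key(f): f for f in retest}
    # Results against excluded or unlisted hosts are flagged, not reported.
    stray = {k for k in after if not in_scope(k[0], included, excluded)}
    valid = after.keys() - stray
    worst_first = lambda fs: sorted(fs, key=lambda f: (-f.severity, key(f)))
    return {
        "remediated": worst_first(before[k] for k in before.keys() - after.keys()),
        "still_open": worst_first(after[k] for k in before.keys() & valid),
        "new": worst_first(after[k] for k in valid - before.keys()),
        "out_of_scope": worst_first(after[k] for k in stray),
    }

# Constructed sample data using documentation address ranges (RFC 5737).
INCLUDED = ["203.0.113.0/24"]
EXCLUDED = ["203.0.113.50/32"]
INITIAL = [Finding("203.0.113.10", 443, "outdated-tls-config", 5.3),
           Finding("203.0.113.20", 22, "password-auth-enabled", 7.5)]
RETEST = [Finding("203.0.113.20", 22, "password-auth-enabled", 7.5),
          Finding("203.0.113.10", 8443, "admin-console-exposed", 8.1),
          Finding("203.0.113.50", 80, "default-page", 2.0)]  # excluded host

if __name__ == "__main__":
    result = compare_retest(INITIAL, RETEST, INCLUDED, EXCLUDED)
    for status, items in result.items():
        print(status, [(f.host, f.port, f.issue, f.severity) for f in items])
```
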

External Pen Testing vs Automated Vulnerability Scanning

Automated vulnerability scanners search for known weaknesses in an organization’s perimeter, though they don’t attempt to directly exploit any vulnerabilities they detect. These scanners can be deployed on their own, or as part of a penetration test.

Automated vulnerability scanning can be very useful for identifying issues in network security. It’s especially adept at detecting issues in real time; you can’t run a full penetration test every day of the year.

External penetration testing must be done manually. Since it incorporates vulnerability scanning, it is by its nature more thorough. By involving a human expert who manually conducts the test and follows through on any vulnerabilities, you can get a much clearer and more substantial picture of your network’s perimeter security.

For more information, see our full comparison of pen testing and vulnerability scanning.

Popular External Pen Testing Tools

External penetration testing typically involves a variety of tools designed to gather specific information on company systems or assets and identify vulnerabilities. Port scanners, specialized web proxies, vulnerability scanners, and similar tools can all play a role in the equation.

Here is a list of some of the more popular external penetration testing tools:

  • Aircrack-ng
  • Arachni
  • Burp Suite
  • Ettercap
  • Hashcat
  • Hydra
  • Intruder
  • Invicti
  • John the Ripper
  • Kali Linux
  • Metasploit
  • Nikto
  • Nmap
  • SQLmap
  • W3AF
  • Wireshark
  • Zed Attack Proxy
  • Zenmap

External Penetration Testing Cost

External penetration testing costs vary quite a bit, especially depending on the size and complexity of the network being tested. Naturally, a narrower focus can lead to a less expensive test.

As a general rule, you can assume that external penetration testing will cost a minimum of $4,000. However, for larger or more complex systems, the price of testing can reach $50,000 or more.

For more information, see our full guide to the different types of pen test.

About the Author


Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.