Network Penetration Testing: How It Works

In a network penetration test, a cybersecurity professional searches a network for vulnerabilities and attempts to exploit them, in a simulated attack on the network. They will then document their findings and compile them into a report, which the company being tested can then use to improve their network security.

The primary goal of a penetration test is to identify issues so that they can be fixed, thus preventing future cyberattacks. You can’t fix what you don’t know about. By uncovering vulnerabilities, pen testing helps companies protect their business, their customers, and their employees.

Though pen testing isn’t cheap, it usually costs less to prevent attacks than it does to fix the damage – especially when attacks can cost up to millions of dollars in legal fees. Furthermore, regular pen testing is required by numerous compliance standards, such as PCI DSS and SOC 2. For many companies, pen testing isn’t a nice-to-have; it’s an essential part of doing business.

How to Conduct a Network Penetration Test

Step 1: Choosing a pen tester

Before you can launch a network penetration test, you need to determine who will be conducting the test. That should be someone who isn’t involved in maintaining or securing the network being tested. For most companies, that will mean hiring an outside firm.

You’ll likely vet several companies in your search for a qualified pen tester who fits your needs. Look for certifications such as OSCP and CEH, and make sure to ask about prior experience. For another perspective, you can ask for references and talk to prior customers about their experiences working with the company in question.

At this stage, you’ll need to get clear on exactly what kind of network pen test you’re looking for. Network pen tests often come in two subtypes:

  • An external pen test focuses on evaluating perimeter security. The pen tester starts on the outside of the network, and has to break in with no prior knowledge of the network being tested.

  • An internal pen test focuses on vulnerabilities from within the network. The pen tester starts with access, which they then use to thoroughly probe the network from the inside.

A combination of both approaches provides the highest level of security – but depending on the needs of your business, you may opt for one approach or the other. As you discuss the pen test with qualified firms, they can help you hone in on exactly what type of test your organization needs.

Once they have a sense of the system being tested, they’ll offer a price quote reflecting the expected workload to accomplish the test. With two or three quotes in hand, you’ll have to decide for yourself which firm you want to work with through the rest of the pen testing process.

Step 2: Scoping the Test

Once the deal has been signed, you’ll work with the pen tester to define the scope and objectives of the test. A pen test’s scope covers everything that is – or isn’t – subject to testing. In a network pen test, this will often include network hardware, firewalls, access controls, and any other systems used to maintain or secure the network.

As part of this discussion, you’ll also agree on which methods the pen tester can use, such as password attacks or social engineering. You’ll also decide on when the test will take place, how both parties will communicate, and settle any other matters that will structure the test and ensure everything runs smoothly.

You might set success criteria at this stage, defining what counts as a ‘successful’ attack. These criteria will serve as stopping points during the test, preventing the testers from going further in their simulated attacks than the company would want them to go.

Because pen tests simulate real-world attacks, it’s crucial to set boundaries up front. By clearly defining the scope of the test, both parties can feel confident the test won’t cause any unexpected damage to the company being tested.

Step 3: Identifying Vulnerabilities

Now the pen testers will proceed to search high and low for vulnerabilities, which they’ll compile into a list that will then be used to plan their simulated attacks.

They might start by conducting passive reconnaissance, uncovering publicly available information on the company. They’ll also assess the network’s existing security measures, such as firewalls and access controls, to see if they can spot any vulnerabilities. To aid in their search, the pen testers will use automated network scanners such as Nmap, along with traffic analysis tools such as Wireshark.

As the pen testers compile these vulnerabilities, their attack plan will slowly begin to form. Next, they’ll attempt to exploit these vulnerabilities in a simulated attack on the network.

Step 4: Exploitation

Now the pen testers will launch their simulated attacks in earnest. They’ll leverage a variety of techniques, such as web application attacks, SQL injections, and phishing emails, as they attempt to exploit any vulnerabilities they uncovered in their reconnaissance.

Often, the pen testers’ first priority will be to break into the network from outside. Once they’ve succeeded in one of their attacks, they will then pivot: now that one attack has been successful, what new avenues are available to them? A skilled pen tester will adjust their tactics on the fly, as successive attacks uncover new opportunities to escalate the test.

As they work, the pen testers will carefully document their findings. Once finished, they will clean up the network, restoring it to the state it was in prior to the test.

Step 5: The Pen Test Report

Finally, the pen testers will compile a report based on what they uncovered in the course of the test.

Following a brief executive summary, the opening sections of this report will cover the scope and methodology of the test. They’ll describe how the test went, including any obstacles they encountered in their work.

The “findings” section is the meat of the report. Here, the pen testers will list every vulnerability they identified, how they attempted to exploit each vulnerability, and what the results of their attacks were. Many pen test reports will also include a severity score, highlighting the most critical vulnerabilities so that the company can prioritize fixing these high-risk issues first.

Step 6: Remediation & Retesting

With the report in hand, the company can now proceed to shore up any vulnerabilities that were exploited in the test. This can include patching outdated hardware, reconfiguring network settings, closing open network ports, and any other measures that could strengthen their defenses.

Once any issues have been fixed, it’s best to retest each vulnerability to ensure the new security measures are working correctly. If the network’s security systems have been overhauled substantially, it may even make sense to run a fresh pen test from scratch.
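As an added example of the retest step (not code from the original article), the script below compares two Nmap grepable-output (-oG) scans, one taken before remediation and one after, and reports which findings were closed, which remain open, and which ports newly appeared. The hosts, ports and scan output are constructed sample data.

```python
"""Verify remediation by diffing Nmap -oG output taken before and after fixes.
Added example; the scan text below is constructed sample data in Nmap's real
grepable line format (port/state/proto/owner/service/rpc/version/)."""
import re
from collections import defaultdict

# Constructed pre-remediation scan: SMB, RDP and telnet exposed (hypothetical hosts).
BEFORE = """\
# Nmap 7.94 scan initiated as: nmap -p- -oG before.gnmap 10.0.0.0/29
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http///, 23/open/tcp//telnet///\tIgnored State: filtered (65533)
# Nmap done
"""

# Constructed post-remediation scan: the three findings are closed, but a new
# port (8080) appeared on 10.0.0.6, a regression the retest should flag.
AFTER = """\
# Nmap 7.94 scan initiated as: nmap -p- -oG after.gnmap 10.0.0.0/29
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (65534)
Host: 10.0.0.6 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65533)
# Nmap done
"""

# port / state / protocol / owner / service / rpc info / version info /
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")

def parse_gnmap(text):
    """Return {host: {(port, proto): service}} for ports reported as open."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comment lines and hosts with no ports listed
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                hosts[host][(int(port), proto)] = service
    return dict(hosts)

def retest_diff(before_text, after_text):
    """Classify every open port as remediated, still_open, or regression."""
    before, after = parse_gnmap(before_text), parse_gnmap(after_text)
    result = {"remediated": [], "still_open": [], "regression": []}
    for host in sorted(set(before) | set(after)):
        b, a = set(before.get(host, {})), set(after.get(host, {}))
        result["remediated"] += [(host, p) for p in sorted(b - a)]
        result["still_open"] += [(host, p) for p in sorted(b & a)]
        result["regression"] += [(host, p) for p in sorted(a - b)]
    return result

if __name__ == "__main__":
    for category, items in retest_diff(BEFORE, AFTER).items():
        print(f"{category}: {items}")
```

Any entry under still_open means the fix did not take effect, and a regression entry means the remediation work opened something new that needs its own review.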

Types of Network Penetration Testing

Just like any penetration test, network pen tests come in different types, such as white box, black box, and gray box tests.

In a white box penetration test, the pen tester starts with full knowledge of and access to the system being tested. This allows them to thoroughly scour the system, checking every corner for potential vulnerabilities.

In a black box penetration test, on the other hand, the pen tester starts with no knowledge of or access to the system being tested. Their focus is on perimeter security, as they attempt to break into the system from the outside, just like a real hacker would. This approach aligns with external penetration testing, in which the pen tester starts with no network access and must breach the perimeter on their own.

There’s also gray box pen testing, in which a pen tester starts with limited access and must launch and escalate their attacks from there. This approach resembles an insider threat, or a hacker who has already gained basic access, and corresponds with an internal penetration test.

As a general rule, black box pen tests are often faster and less expensive than white box tests. They more closely simulate real world attacks, but are less thorough than the typical white box test.

The decision comes down to the needs of your business – though you can always get advice from the firms you interview in your search for a pen tester. For the utmost security, many firms offer a combination of pen testing approaches.

Network Pen Testing vs Vulnerability Scanning

Penetration tests are often compared against automated vulnerability scans – and in fact, most pen tests include vulnerability scanning as part of the process. These scans search the target system for known vulnerabilities, examining devices, security measures, and hardware configurations.

On its own, a vulnerability scan only identifies potential vulnerabilities; it does not manually attempt to exploit them, as a pen tester would. As a result, these scans often turn up false positives, which a full pen test would determine are not actually exploitable.

Because vulnerability scans are automated, they’re naturally much faster and less expensive than manual pen testing. They can be run continuously; though it’s not practical to run a pen test every day, you can keep a vulnerability scanner running around the clock, searching out security issues in real time.

These two methods go hand-in-hand. Automated vulnerability scans are a key part of penetration testing, and they offer round-the-clock monitoring that manual pen testing can’t hope to offer. But these scanners are far less involved than pen testing. The most secure approach is to deploy continuous vulnerability scanning in tandem with regular pen testing.

For more info, see our full comparison of vulnerability scanners and penetration tests.

Network Pen Testing Tools

Network pen testers rely on a variety of free and paid tools to conduct their work, including the following:

  • Nmap is a network mapper. It sends packets and analyzes the responses to learn about hosts and services on the network.

  • Burp Suite is a pen testing toolkit used to identify and exploit vulnerabilities. It can run automated tests as well as support manual penetration testing.

  • Intruder is a cloud-based vulnerability scanner that finds and prioritizes a variety of security issues. It supports continuous vulnerability scanning as well as manual pen testing.

  • Nessus is a remote vulnerability scanner. It scans ports in search of security issues, with an eye on internet-facing attack surfaces and cloud infrastructure.

  • Wireshark is a network protocol analyzer. It analyzes packets and network protocols to assess network environments and activity, offering pen testers a granular understanding of how traffic passes through the network.

  • Metasploit is a framework for detecting vulnerabilities. It offers hundreds of exploits and payloads that can identify security issues in a given system.

  • Ettercap is a security suite focused on man-in-the-middle attacks. It can simulate common network attacks, and analyze protocols and network traffic.

About the Author


Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.