Penetration Testing: What It Is & How It Works

A penetration test is a simulated attack on a network or system. In a typical pen test, a company hires a team of penetration testers to seek out and attempt to exploit security vulnerabilities. The pen testers will then compile their findings into a report, which the company can then use to shore up their defenses.

The purpose of a pen test is to discover vulnerabilities, so that the company being tested can fix these issues and strengthen its security. Many compliance standards, such as SOC-2 and PCI DSS, require businesses to regularly conduct pen tests. More importantly, rigorous testing ensures your systems are secure, protecting your customers, your employees, and your business.

Penetration Testing Stages: The Full Process

Step 1: Scoping the Test

Before a pen tester can begin the test, they must work with the company to carefully define the scope of the test.

Because pen tests closely simulate real cyberattacks, they have the potential to cause damage and take systems offline. To ensure the company being tested is clear on the potential impact – and to protect the pen testers from legal liability – both parties need to get clear on what will be tested and how the test will proceed.

Now is also the time to discuss any measures to mitigate the impact of testing. For instance, many companies schedule pen tests for their off-hours, or conduct pen tests in a testing environment which replicates the systems in question.

At this stage, you might also define success criteria: at what point can the pen tester call an attack ‘successful’ and stop escalating? By drawing a line, you can ensure pen testers don’t go too far, causing unexpected damage.
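A scope agreed in Step 1 is only useful if it is actually enforced while the test runs. The following is an added example, not code from the original article: a small rules-of-engagement check that refuses a target host unless it sits inside an authorised network, is not on the exclusion list, and the current time falls inside the agreed off-hours window. The networks, the exclusion and the window are constructed values (RFC 5737 documentation addresses), not taken from any real engagement.

```python
"""Scope and rules-of-engagement check for a pen test (added example).

Before any test activity is launched against a host, confirm that the host
and the time fall within what the client authorised in the scoping stage.
The networks, exclusions and window below are constructed for illustration
(RFC 5737 documentation addresses), not taken from any real engagement.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress


@dataclass
class Scope:
    in_scope: list = field(default_factory=list)   # authorised networks (CIDR)
    excluded: list = field(default_factory=list)   # carve-outs, e.g. production DB
    window_start: time = time(22, 0)               # agreed off-hours window
    window_end: time = time(6, 0)                  # may wrap past midnight


def host_in_scope(scope, host):
    """Return (allowed, reason). An explicit exclusion always wins."""
    addr = ipaddress.ip_address(host)
    for net in scope.excluded:
        if addr in ipaddress.ip_network(net, strict=False):
            return False, f"{host} is explicitly excluded by {net}"
    for net in scope.in_scope:
        if addr in ipaddress.ip_network(net, strict=False):
            return True, f"{host} is inside authorised range {net}"
    return False, f"{host} is outside every authorised range"


def in_window(scope, when):
    """True if `when` falls in the testing window; handles 22:00-06:00 style wrap."""
    t = when.time()
    if scope.window_start <= scope.window_end:
        return scope.window_start <= t < scope.window_end
    return t >= scope.window_start or t < scope.window_end


def check_target(scope, host, when_iso):
    """Combined gate: the host must be in scope AND the time inside the window."""
    when = datetime.fromisoformat(when_iso)
    ok, reason = host_in_scope(scope, host)
    if not ok:
        return False, reason
    if not in_window(scope, when):
        return False, f"{when:%Y-%m-%d %H:%M} is outside the agreed testing window"
    return True, reason


# Constructed engagement scope for the example (not a real client's scope)
EXAMPLE_SCOPE = Scope(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    excluded=["203.0.113.10/32"],     # say, the production database host
)

if __name__ == "__main__":
    for host, when in [("203.0.113.5", "2024-03-04T23:30"),
                       ("203.0.113.10", "2024-03-04T23:30"),
                       ("198.51.100.200", "2024-03-04T23:30"),
                       ("203.0.113.5", "2024-03-05T09:00")]:
        print(host, when, *check_target(EXAMPLE_SCOPE, host, when))
```

Exclusions are checked before authorised ranges on purpose: a carve-out inside an authorised /24 must win, which is exactly the case of a single production host the client wants left alone.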

Step 2: Identifying Vulnerabilities

Once the scope of the test has been defined, the pen testers begin to look for vulnerabilities. Especially in a black box pen test, they’ll often start by doing passive reconnaissance, searching out publicly available information on places such as the company website and LinkedIn. Even if they don’t find any vulnerabilities via reconnaissance, the information they uncover will often prove invaluable in the course of testing.

The pen testers will engage in active reconnaissance as well. For instance, they might deploy scanning tools, such as Nmap and Wireshark, to search for open network ports and scout for vulnerabilities.

Because white box pen testers start with access, at this stage they can run scans from within the system being tested. They can scan software, for instance, searching for vulnerabilities in code other testers might never get the chance to examine.

As they work, the pen testers will document any vulnerabilities they uncover and draw up an attack plan, which will then serve as the basis for the upcoming exploitation phase.

Step 3: Exploitation

The pen testers will then proceed to launch their attacks. They’ll attempt to exploit each vulnerability in turn, using an array of techniques ranging from SQL injection attacks to phishing attempts.

A skilled pen tester will adapt their techniques in real time. A failed attack might give them an idea for a new strategy, which could then prove successful. A successful attack will reveal new information and grant new levels of access, enabling them to escalate their attacks. From their new vantage point, they can pivot their efforts to exploit any new opportunities that might have been revealed.

Privilege escalation is one common technique: a tester with basic credentials will use what leverage they have to attain a higher level of access. If they get the login credentials for a base-level employee, for instance, they might impersonate that employee and attempt to break into new areas.

Step 4: The Pen Test Report

As they wrap up their attacks, the pen testers will compile their findings into a report. A typical pen test report includes the following sections:

  • Executive Summary: Brief summary, focused on key findings.

  • Statement of Scope: Describes the scope of the pen test, as agreed upon prior to testing.

  • Statement of Limitations: Documents any restrictions or issues that may have limited testing.

  • Testing Narrative: Goes into detail on testing methodology, describing each attack attempt and the results.

  • Findings: Documents all vulnerabilities uncovered, whether the vulnerability was successfully exploited, and a risk rating for each issue. Often presented in table format.

A pen test report may include additional sections, documenting methodology in greater detail, describing tools used in the testing process, or including any other information the parties involved might deem relevant.

Many companies will focus on the findings; this section will be the most useful going forward, as they work to remedy any issues that were uncovered in the pen test.

Step 5: Remediation & Retesting

With the pen test report in hand, the company can now address each vulnerability in turn. They’ll often look to the risk ratings so that they can prioritize the highest-risk issues first. This is the most important step for the company being tested – what use is a pen test if you don’t learn from it and make improvements?

Once all vulnerabilities have been addressed, you should retest each vulnerability to ensure they have all been fully resolved. If you substantially overhauled your systems, it may even make sense to conduct a new pen test from scratch.

Even with a clean bill of health, you’ll want to schedule a follow-up pen test to keep your business secure; many compliance standards, such as PCI DSS, call for annual pen testing.

Security is never a one-and-done effort. To maintain a high standard of security, you’ll need to conduct regularly scheduled penetration tests.
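The Findings section described in Step 4 (vulnerability, whether it was exploited, a risk rating, usually in a table) and the prioritisation and retesting described in Step 5 are two views of the same list. The following is an added example, not code from the original article: it derives a risk rating from a likelihood and an impact score, orders the open findings for remediation with the highest risk first, records retest results so that a finding only leaves the queue once the fix is confirmed, and renders the findings table. The 1 to 3 scoring scheme and the four sample findings are constructed for illustration, not results from a real test.

```python
"""Findings tracker for the report and remediation stages (added example).

Each finding carries a likelihood and an impact score (1..3); their product
gives a risk score that maps to a rating. The remediation queue is sorted
highest risk first, and retesting decides what is actually closed. All
findings and the scoring bands are constructed samples, not a real test.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    ident: str
    title: str
    asset: str
    likelihood: int          # 1 = unlikely, 3 = trivially exploitable
    impact: int              # 1 = minor, 3 = severe (data loss, full compromise)
    exploited: bool          # did the testers actually exploit it during the test?
    retest_status: str = "open"   # open | fixed | still_vulnerable


def risk_score(f):
    """Likelihood x impact, 1..9 (assumed scoring scheme for the example)."""
    if not (1 <= f.likelihood <= 3 and 1 <= f.impact <= 3):
        raise ValueError("likelihood and impact must be 1..3")
    return f.likelihood * f.impact


def risk_rating(score):
    """Map a 1..9 score to the rating printed in the report."""
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def remediation_queue(findings):
    """Open findings ordered for remediation: highest risk first; among equal
    scores, findings that were actually exploited come before theoretical ones."""
    pending = [f for f in findings if f.retest_status != "fixed"]
    return sorted(pending, key=lambda f: (-risk_score(f), not f.exploited, f.ident))


def record_retest(findings, ident, fixed):
    """Record a retest result; a finding leaves the queue only once the fix is confirmed."""
    for f in findings:
        if f.ident == ident:
            f.retest_status = "fixed" if fixed else "still_vulnerable"
            return f
    raise KeyError(ident)


def findings_table(findings):
    """Render the Findings section of the report as a plain-text table."""
    header = f"{'ID':<5}{'Rating':<10}{'Exploited':<11}{'Status':<18}{'Asset':<12}Title"
    rows = [header, "-" * len(header)]
    for f in sorted(findings, key=lambda f: -risk_score(f)):
        rows.append(f"{f.ident:<5}{risk_rating(risk_score(f)):<10}"
                    f"{'yes' if f.exploited else 'no':<11}{f.retest_status:<18}"
                    f"{f.asset:<12}{f.title}")
    return "\n".join(rows)


# Constructed sample findings (not from any real engagement)
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in customer login form", "web app", 3, 3, True),
    Finding("F-2", "Default admin password on network printer", "printer", 3, 2, True),
    Finding("F-3", "TLS 1.0 still enabled on mail gateway", "mail relay", 2, 2, False),
    Finding("F-4", "Version banner disclosed by web server", "web app", 1, 1, False),
]

if __name__ == "__main__":
    print(findings_table(SAMPLE_FINDINGS))
    record_retest(SAMPLE_FINDINGS, "F-1", fixed=True)
    record_retest(SAMPLE_FINDINGS, "F-2", fixed=False)
    print("\nStill to remediate:", [f.ident for f in remediation_queue(SAMPLE_FINDINGS)])
```

The retest step is deliberately the only way to mark a finding fixed: a finding the company believes it has patched stays in the queue until the testers confirm it, which is the point of retesting each vulnerability rather than closing them on the remediation team's word.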

Black Box vs White Box vs Gray Box Testing

Penetration tests come in three broad types: black box, white box, and gray box.

In a black box pen test, the pen testers start with minimal knowledge of, or access to, the systems being tested. Black box testing closely simulates an actual attack: just like a real hacker, the pen tester starts entirely on the outside, and has to break in on their own.

In a white box pen test, on the other hand, the pen testers start with full knowledge of, and access to, the systems being tested. This enables them to be very thorough, looking high and low for potential vulnerabilities, checking corners a black box pen tester might never be able to reach.

Gray box pen tests land in the middle: the testers start with some access, but not a complete view of the target systems. In that sense, gray box pen tests approximate an insider threat, or a long-term threat that has gained partial access to the system in question.

As a general rule, white box pen tests are often the most thorough – and often the most intensive, in terms of both labor and money. Black box tests are often less expensive, and more closely approximate real-world attacks. But they’re not quite as comprehensive as white box pen tests, especially when it comes to examining the system internally.

Because the testers start on the outside, black box pen tests are often more squarely focused on perimeter security – and on that front, they can be even more thorough than white box tests, trying techniques, such as social engineering, which a white box pen tester might never try. White box pen tests, on the other hand, are more internal in their focus.

More Types of Penetration Testing

Pen tests also vary based on the system being tested, whether that be a network, application, or even a physical environment.

As you might expect, network penetration tests focus on the network environment; the pen testers will examine network hardware, configurations, firewalls, and more.

Network pen tests come in two further subtypes. In an external pen test, the tester starts outside the network perimeter and hones their efforts on breaking in. An internal pen test, on the other hand, offers testers access to the network so they can focus on vulnerabilities within the network.

Wireless pen tests are another subset of network pen tests, focused in this case on wifi networks and wireless devices, such as keyboards, mice, and printers.

Other pen tests focus on applications. A mobile app pen test will vet the security of an iOS or Android app, so as to ensure the app and its users are secure. Web app pen tests focus on web apps, like Spotify or Google Docs. Other tests focus on client-side applications, meaning the software installed on your computer.

Though we often think of pen tests in terms of cybersecurity, you can also test physical environments and assets. In a physical pen test, the testers attempt to break into physical environments, deploying techniques such as on-the-ground surveillance, lockpicking, and social engineering.

Manual Pen Testing vs Automated Vulnerability Scanning

By its nature, penetration testing is a manual process. A pen test involves not only identifying vulnerabilities, but attempting to exploit them. Though pen testers use automated scanners such as Nmap, it takes real experts to conduct simulated attacks on a target system.

Pen testing is often compared against automated vulnerability scanning. Tools such as Nessus and Astra scan systems for vulnerabilities and notify their users when issues are detected. Some vulnerability management services even provide assistance with remediation. For the most part, however, these tools do not run simulated attacks, as a pen tester would.

Because they’re automated, a single vulnerability scan is typically much faster and less expensive than your average pen test. This means these scanners can run on a weekly, daily, or even a continuous basis. For maximal security, many companies use both: annual pen testing to rigorously vet their security, combined with continuous vulnerability scanning to detect new issues as they arise.

Pen Testing Tools

Pen testers use an array of tools in the course of their work, many of them open-source. These are some of the most widely used:

  • Kali Linux is a Linux-based operating system designed expressly for pen testing. It includes several popular open-source tools in one place, such as Wireshark, Metasploit, and more.

  • Wireshark analyzes network protocols and packets in real time, monitoring traffic on a given network.

  • Nmap is a network mapping tool. It sends out packets of data, and collects information on the network based on the responses.

  • SQLMap runs automated scans to identify vulnerabilities that could be exploited in an SQL injection attack.

  • Metasploit is a framework for detecting and exploiting vulnerabilities. It includes a set of over 500 payloads that can be used in exploit attempts.

  • Aircrack-ng is a suite of tools focused on testing wifi networks. It can identify vulnerabilities and exploit them via techniques such as brute force attacks.

  • Burp Suite is a pen testing toolkit that includes automated scanning capabilities, as well as tools to support in manual penetration testing.

  • John the Ripper is a password tool that attempts to crack passwords via several different methods.

  • Hashcat is a password recovery tool that can also be used to crack passwords, which can aid in identifying weak passwords.

  • Zed Attack Proxy, or ZAP, is a web app scanner with a special focus on man-in-the-middle attacks.

Why Pen Test?

The primary purpose of pen testing is to identify security vulnerabilities so that you can shore up your defenses. You can’t fix what you don’t know about. Discovering your weaknesses is an essential first step to fixing them; doing so protects your customers, your employees, and ultimately, your business.

Pen testing is especially critical for companies that process sensitive user data. Should that data be exposed in a breach, you could face lawsuits amounting to millions of dollars. Even worse, that data could be used to perpetrate fraud against your former customers.

Many compliance standards, such as SOC-2 and PCI DSS, require regular pen testing. When pen testing for a particular standard, pay close attention to its requirements – you wouldn’t want to spend thousands on a test only to discover it did not match the compliance standard you hoped to achieve.

About the Author


Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.