A penetration test depends entirely on the agreed scope of operation; the level of intrusion follows directly from that scope. For example, sometimes merely confirming that a vulnerability exists in a particular system is enough. It is therefore important for a security professional to choose the right type of penetration test for the agreed scope. This section describes the different penetration testing options.
Types of penetration tests
- Denial of Service (DoS) testing
Denial of service testing involves attempting to exploit specific weaknesses on a system by exhausting the target's resources so that it stops responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks. How much denial of service testing to include in a penetration testing exercise depends on how important the ongoing, continued availability of the information systems and related processing activities is to the organization. Denial of service can take a number of forms; those that are important to test for are listed below:
- Resource overload – these attacks aim to overload the resources (e.g. memory) of a target so that it no longer responds.
- Flood attacks – sending a large number of network requests with the intention of overloading the target. This can be performed via:
  - ICMP (Internet Control Message Protocol), known as "smurf" attacks;
  - UDP (User Datagram Protocol), known as "fraggle" attacks;
  - Half-open SYN attack – partially opening numerous TCP connections on the target, so that legitimate connections cannot be started.
- Out-of-band attacks – these attempt to crash targets by breaking IP header standards:
  - Oversized packets (ping of death) – the packet header indicates that there is more data in the packet than there actually is.
  - Fragmentation (teardrop attack) – sends overlapping fragmented packets (pieces of packets) which are under length.
  - IP source address spoofing (land attack) – causes a computer to create a TCP connection to itself.
  - Malformed UDP packet header (UDP bomb) – UDP headers indicate an incorrect length.
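The out-of-band malformations listed above can be checked for at the packet level by a defender, which is also how a tester confirms whether a target's stack rejects them. The following is an added example, not code from the original guide: a small IPv4/UDP datagram checker that flags each of the four listed patterns (a declared IP length larger than the bytes received, overlapping fragments, source equal to destination, and a UDP length field inconsistent with the IP payload). Header layouts follow RFC 791 and RFC 768; the function names and the in-memory sample datagrams are constructed for this example.

```python
"""Datagram sanity checks for the malformed-packet DoS classes named above.

Added example (not from the original article). Inspects raw IPv4 datagrams
and reports which listed malformation each exhibits; the sample datagrams
at the bottom are constructed in memory purely to exercise the checks.
"""
import struct
from typing import Dict, List, Tuple

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header (RFC 791)
UDP_HDR = struct.Struct("!HHHH")         # 8-byte UDP header (RFC 768)
PROTO_TCP, PROTO_UDP = 6, 17


def parse_ipv4(raw: bytes) -> Dict:
    """Decode the header fields the checks need; reject runt headers."""
    if len(raw) < IP_HDR.size:
        raise ValueError("runt: fewer than 20 bytes")
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = IP_HDR.unpack_from(raw)
    ihl = (vihl & 0x0F) * 4
    return {
        "ihl": ihl, "total_len": total_len, "id": ident, "proto": proto,
        "more_frags": bool(flags_frag & 0x2000),        # MF flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,       # offset in bytes
        "src": src, "dst": dst, "payload": raw[ihl:], "wire_len": len(raw),
    }


def check_datagram(raw: bytes) -> List[str]:
    """Return the malformation labels found in one datagram (empty if clean)."""
    findings = []
    pkt = parse_ipv4(raw)
    # Oversized / ping of death: header promises more bytes than arrived.
    if pkt["total_len"] > pkt["wire_len"]:
        findings.append("oversized")
    # Land: addressed to itself (and, for TCP/UDP, same source and dest port).
    if pkt["src"] == pkt["dst"]:
        if pkt["proto"] in (PROTO_TCP, PROTO_UDP) and len(pkt["payload"]) >= 4:
            sport, dport = struct.unpack_from("!HH", pkt["payload"])
            if sport == dport:
                findings.append("land")
        else:
            findings.append("land")
    # UDP bomb: UDP length field disagrees with what the IP layer delivered.
    if pkt["proto"] == PROTO_UDP and pkt["frag_offset"] == 0:
        if len(pkt["payload"]) >= UDP_HDR.size:
            _sp, _dp, udp_len, _c = UDP_HDR.unpack_from(pkt["payload"])
            ip_payload_len = min(pkt["total_len"], pkt["wire_len"]) - pkt["ihl"]
            if udp_len < UDP_HDR.size or udp_len > ip_payload_len:
                findings.append("udp_bomb")
        else:
            findings.append("udp_bomb")
    return findings


def check_fragments(datagrams: List[bytes]) -> List[str]:
    """Flag (id, src, dst) groups whose fragments overlap (teardrop pattern)."""
    groups: Dict[Tuple, List[Tuple[int, int]]] = {}
    for raw in datagrams:
        pkt = parse_ipv4(raw)
        if pkt["more_frags"] or pkt["frag_offset"]:
            key = (pkt["id"], pkt["src"], pkt["dst"])
            start = pkt["frag_offset"]
            groups.setdefault(key, []).append((start, start + len(pkt["payload"])))
    bad = []
    for key, spans in groups.items():
        spans.sort()
        for (_, prev_end), (start, _) in zip(spans, spans[1:]):
            if start < prev_end:          # next fragment begins inside the previous
                bad.append(f"teardrop id={key[0]}")
                break
    return bad


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes,
               total_len=None, ident=1, more_frags=False, frag_offset=0) -> bytes:
    """Constructed test helper: assemble a datagram, optionally with a lying length."""
    if total_len is None:
        total_len = IP_HDR.size + len(payload)
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    return IP_HDR.pack(0x45, 0, total_len, ident, flags_frag, 64, proto, 0, src, dst) + payload


# Constructed sample datagrams (addresses and ports are placeholders).
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SAMPLES = {
    "normal": build_ipv4(A, B, PROTO_UDP, UDP_HDR.pack(4000, 53, 12, 0) + b"data"),
    "ping_of_death": build_ipv4(A, B, 1, b"\x08\x00" + b"\x00" * 6, total_len=65535),
    "land": build_ipv4(A, A, PROTO_TCP, struct.pack("!HH", 139, 139) + b"\x00" * 16),
    "udp_bomb": build_ipv4(A, B, PROTO_UDP, UDP_HDR.pack(4000, 53, 4000, 0) + b"data"),
}
TEARDROP = [
    build_ipv4(A, B, PROTO_UDP, b"\x00" * 24, ident=7, more_frags=True, frag_offset=0),
    build_ipv4(A, B, PROTO_UDP, b"\x00" * 16, ident=7, frag_offset=16),  # overlaps 16..24
]

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14s} -> {check_datagram(raw)}")
    print("fragments      ->", check_fragments(TEARDROP))
```

The checks are deliberately stateless per datagram except for fragment reassembly, which is the one case that needs state across packets; a real sensor would also bound how long a fragment group is kept, since unbounded fragment state is itself a resource-overload vector.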
- Application security testing
Let's take a look at some important components of application testing:
- Code review: Code reviews involve analysing all the application-based code to ensure that it does not contain sensitive information that an intruder could use to exploit the application. For example, publicly available application code may include test comments, names or clear-text passwords that give an intruder a great deal of information about the application.
- Authorization testing: This involves testing the systems responsible for the initiation and maintenance of user sessions. This will require testing:
  - Input validation of login fields – bad characters or overlong inputs can produce unpredictable results;
  - Cookie security – cookies can be stolen and legitimate sessions can then be used by an unauthorised individual; and
  - Lockout testing – testing the timeout and intrusion lockout parameters set in the application, to ensure legitimate sessions cannot be hijacked.
- Functionality testing: This involves testing the systems responsible for the application's functionality as presented to a user. This will require testing:
  - Input validation – bad characters, specific URLs or overlong inputs can produce unpredictable results; and
  - Transaction testing – ensuring that the application performs to specification and does not permit the user to abuse the system.
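The authorization checks above (login-field validation, cookie security and lockout parameters) correspond to concrete controls in a login path, and a tester probes each one. As an added example that is not part of the original guide, the following Python sketches those controls: field validation against bad characters and overlong input, a failed-attempt lockout window, and session cookies with an idle timeout, a client-binding fingerprint and the Secure/HttpOnly/SameSite attributes. The `LoginGate` class, the single-account user store, the thresholds and the fingerprint string are all assumptions made for the example; the clock is injectable so the timeouts can be exercised.

```python
"""Login-path controls that the authorization tests listed above probe.

Added example, not code from the original article. Thresholds, the user
store and the client fingerprint are assumptions made for the example.
"""
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac
from typing import Callable, Dict, Optional

USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")  # no quotes, spaces or control chars
MAX_PASSWORD_LEN = 256  # bounded so hashing cost cannot be driven up by input size


def validate_fields(username: str, password: str) -> Optional[str]:
    """Return a rejection reason, or None when both login fields are acceptable."""
    if not USERNAME_RE.fullmatch(username):
        return "username: bad characters or length"
    if not 1 <= len(password) <= MAX_PASSWORD_LEN:
        return "password: length out of bounds"
    return None


@dataclass
class Session:
    user: str
    fingerprint: str   # e.g. hash of client address + user agent (assumption)
    last_seen: float


@dataclass
class LoginGate:
    users: Dict[str, tuple]          # username -> (salt, pbkdf2 hash); constructed store
    max_failures: int = 5
    failure_window: float = 600.0    # seconds within which failures are counted
    lockout_seconds: float = 900.0
    idle_timeout: float = 1800.0
    clock: Callable[[], float] = time.time
    _failures: Dict[str, list] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)
    _sessions: Dict[str, Session] = field(default_factory=dict)

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def is_locked(self, username: str) -> bool:
        return self._locked_until.get(username, 0.0) > self.clock()

    def login(self, username: str, password: str, fingerprint: str) -> Optional[str]:
        """Return a session token on success, None on any failure.

        Lockout is checked before the credential so a locked account cannot be
        probed; unknown users still go through the hash so timing is similar.
        """
        if validate_fields(username, password) is not None or self.is_locked(username):
            return None
        salt, expected = self.users.get(username, (b"", b""))
        ok = username in self.users and hmac.compare_digest(
            self.hash_password(password, salt), expected)
        now = self.clock()
        if not ok:
            recent = [t for t in self._failures.get(username, []) if now - t < self.failure_window]
            recent.append(now)
            self._failures[username] = recent
            if len(recent) >= self.max_failures:
                self._locked_until[username] = now + self.lockout_seconds
            return None
        self._failures.pop(username, None)
        token = secrets.token_urlsafe(32)       # 256-bit unguessable session id
        self._sessions[token] = Session(username, fingerprint, now)
        return token

    def set_cookie_header(self, token: str) -> str:
        """Cookie attributes that limit theft over plain HTTP, via script, and cross-site reuse."""
        return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Strict"

    def resolve(self, token: str, fingerprint: str) -> Optional[str]:
        """Map a presented cookie to a user, enforcing idle timeout and client binding."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout or sess.fingerprint != fingerprint:
            self._sessions.pop(token, None)     # expired, or presented from elsewhere
            return None
        sess.last_seen = now
        return sess.user


def make_gate(clock: Callable[[], float] = time.time) -> LoginGate:
    """Build a gate with one constructed account (alice / 'correct horse')."""
    salt = b"constructed-salt"
    return LoginGate({"alice": (salt, LoginGate.hash_password("correct horse", salt))},
                     clock=clock)
```

A tester exercising this path would try quoted and overlong usernames, replay a captured token from a second client, let a session idle past the timeout, and confirm that the lockout still applies when the correct password is supplied during the lockout window.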
- War dialing
War dialing is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance connections of computers that may exist on an organization's network. Using war dialing tactics, a hacker may be able to locate vulnerable out-of-band entry points into an organization and manipulate them to access the network. The failure of IT staff to consider the phone network as a possible primary access point is one of the main factors in the growth of these attacks. For example, leaving open modems on critical network servers, routers and other devices can inadvertently expose an entry point inside the organization's network. In this testing, once a modem or other access device has been identified, analysis and exploitation techniques are performed to assess whether this connection can be used to penetrate the organization's information systems network.
- Penetration testing for wireless networks
The introduction of wireless networks, whether inside corporate network infrastructure or in homes, introduces additional security exposures that are much more threatening than wired network attacks. Since the only boundary a wireless network knows is the reach of its signal, it becomes easy for hackers to identify wireless networks simply by driving or walking around office buildings with their wireless network equipment; this technique is known as "war driving". Once an open wireless access point is found, the war driver usually maps it, so that at the end they have a map of access points with their properties (SSID, WEP, MAC, etc.). The goal of wireless network testing is to identify security gaps or flaws in the design, implementation or operation of the organization's wireless network.
- Social engineering
Often used in conjunction with blind and double-blind testing, social engineering refers to techniques that exploit human nature (most commonly people's sense of trust and willingness to help) with the objective of gathering information. This is done through social interaction, typically with the organization's employees, suppliers and contractors, to gather information and penetrate the organization's systems. Such techniques could include:
- Non-face-to-face: Posing as a representative of the IT department's help desk and asking users to divulge their user account and password information;
- Face-to-face or advanced social engineering: Posing as an employee and gaining physical access to restricted areas that may house sensitive information; intercepting mail, courier packages or even trash (dumpster diving) to search for sensitive information on printed materials.
Social engineering activities can test a less technical, but equally important, security component: the ability of the organization's people to contribute to or prevent unauthorized access to information and information systems. This also helps determine the level of security awareness among employees.