
Types of penetration tests

Learn about different types of penetration tests in part four of our series on this ethical hacking technique that can help security professionals evaluate the effectiveness of information security measures within their organizations.

A penetration test depends entirely on the agreed scope of the engagement; the level of intrusion is directly related to that scope. For example, sometimes simply finding a vulnerability in a particular system is enough. It is therefore important for a security professional to choose the right type of penetration test based on the agreed scope. This section describes the different penetration testing options.

  • Denial of Service (DoS) testing
    Denial of service testing involves attempting to exploit specific weaknesses in a system by exhausting the target's resources so that it stops responding to legitimate requests. This testing can be performed using automated tools or manually. The different types of DoS can be broadly classified into software exploits and flooding attacks. Decisions regarding the extent of denial of service testing to be incorporated into a penetration testing exercise depend on the relative importance of the ongoing, continued availability of the information systems and related processing activities. Denial of service can take a number of forms; those that are important to test for are listed below:
    • Resource overload – these attacks intend to overload the resources (e.g. memory) of a target so that it no longer responds.
    • Flood attacks – this involves sending a large amount of network requests with the intention of overloading the target. This can be performed via:
      ICMP (Internet Control Message Protocol), known as "smurf" attacks
      UDP (User Datagram Protocol), known as "fraggle" attacks
    • Half-open SYN attack – this involves partially opening numerous TCP connections on the target, so that legitimate connections cannot be started.
    • Out-of-band attacks – these attempt to crash targets by breaking IP header standards:
      • Oversized packets (ping of death) – the packet header indicates that there is more data in the packet than there actually is.
      • Fragmentation (teardrop attack) – sends overlapping fragmented packets (pieces of packets) which are under length.
      • IP source address spoofing (land attack) – causes a computer to create a TCP connection to itself.
      • Malformed UDP packet header (UDP bomb) – UDP headers indicate an incorrect length.
  • Application security testing
    With the growth of e-business, core business functionality is now being offered through Web-based applications. While Internet-facing applications give an organization much needed global customer reach, providing partners with access to systems inside the intranet introduces new security vulnerabilities: even with a firewall and other monitoring systems in place, application traffic must be allowed to pass through the firewall, so security can still be compromised at the application level. The objective of application security testing is to evaluate the controls over the application (electronic commerce servers, online financial applications, distributed applications and Internet front ends to legacy systems) and its process flow. Topics to be evaluated may include the application's use of encryption to protect the confidentiality and integrity of information, how users are authenticated, the integrity of the Internet user's session with the host application, and the use of cookies – blocks of data stored on a customer's computer that are used by the Web server application.

    Let's take a look at some important components of application testing:

    • Code review: Code reviews involve analysing all the application-based code to ensure that it does not contain any sensitive information that an intruder might use to exploit the application. For example, publicly available application code may include test comments, names or clear-text passwords that give an intruder a great deal of information about the application.
    • Authorization testing: Involves testing the systems responsible for the initiation and maintenance of user sessions. This will require testing:
      • Input validation of login fields – bad characters or overlong inputs can produce unpredictable results;
      • Cookie security – cookies can be stolen and legitimate sessions can be used by an unauthorised individual; and
      • Lockout testing – testing the timeout and intrusion lockout parameters set in the application, to ensure legitimate sessions cannot be hijacked.
      This is performed to discover whether the login system can be forced into permitting unauthorised access. The testing will also reveal whether the system is susceptible to denial of service attacks using the same techniques.
    • Functionality testing: This involves testing the systems responsible for the application's functionality as presented to a user. This will require testing:
      • Input validation – bad characters, specific URLs or overlong inputs can produce unpredictable results; and
      • Transaction testing – ensuring that the application performs to specification and does not permit the user to abuse the system.
    • War dialing
      War dialing is a technique for systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance connections to computers that may exist on an organization's network. Using war dialing tactics, a hacker may be able to locate vulnerable out-of-band entry points into an organization and manipulate them to access the network. The failure of IT staff to consider the phone network as a possible primary access point is one of the main factors in the growth of these attacks. For example, leaving open modems on critical network servers, routers and other devices can inadvertently expose an entry point into the organization's network. In this testing, once a modem or other access device has been identified, analysis and exploitation techniques are performed to assess whether the connection can be used to penetrate the organization's information systems network.
    • Penetration testing for wireless networks
      The introduction of wireless networks, whether inside corporate network infrastructure or in ordinary homes, introduces additional security exposures that are much more threatening than wired network attacks. Since the only boundary wireless networks know is the reach of their signals, it becomes easy for hackers to identify wireless networks simply by driving or walking around office buildings with their wireless network equipment; this technique is known as "war driving". Once an open wireless access point is found, the war driver usually maps it, so that at the end they have a map of access points with their properties (SSID, WEP, MAC etc.). The goal of wireless network testing is to identify security gaps or flaws in the design, implementation or operation of the organization's wireless network.
    • Social engineering
      Often used in conjunction with blind and double-blind testing, social engineering refers to techniques that exploit human nature (most of all the human tendency to trust and to be helpful) with the objective of gathering information. This is done through social interaction, typically with the organization's employees, suppliers and contractors, to gather information and penetrate the organization's systems. Such techniques could include:
      • Non face-to-face: Posing as a representative of the IT department's help desk and asking users to divulge their user account and password information;
      • Face-to-face or advanced social engineering: Posing as an employee and gaining physical access to restricted areas that may house sensitive information; intercepting mail, courier packages or even trash (dumpster diving) to search for sensitive information on printed materials.

      Social engineering activities can test a less technical, but equally important, security component: the ability of the organization's people to contribute to or prevent unauthorized access to information and information systems. This also helps determine the level of security awareness among employees.
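The out-of-band attacks listed under denial of service testing above (ping of death, teardrop, land, UDP bomb) all rely on IP or UDP header fields that disagree with the packet actually received. As an added example that is not part of the original article, the following code shows the header sanity checks a packet filter or IDS applies to catch them, run over constructed sample datagrams; the layouts are standard IPv4/UDP, while the builder helpers and anomaly names are my own.

```python
import struct

IP_TCP, IP_UDP = 6, 17  # IPv4 protocol numbers

def build_ipv4(proto, src, dst, payload, total_len=None):
    """Constructed test datagram: 20-byte IPv4 header (no options) plus payload.
    total_len lets a test deliberately overstate the length field."""
    total = 20 + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, proto, 0, src, dst)
    return hdr + payload

def build_udp(sport, dport, data, length=None):
    """Constructed UDP segment; length lets a test put a bogus value in the UDP length field."""
    udp_len = 8 + len(data) if length is None else length
    return struct.pack("!HHHH", sport, dport, udp_len, 0) + data

def ipv4_checks(pkt):
    """Return the header anomalies found in one raw IPv4 datagram (empty list = clean)."""
    if len(pkt) < 20:
        return ["truncated-ip-header"]
    findings = []
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if total_len > len(pkt):              # header claims more data than actually arrived
        findings.append("length-field-exceeds-data")
    if proto == IP_TCP and src == dst:    # LAND: the host is asked to connect to itself
        findings.append("land-src-equals-dst")
    if proto == IP_UDP and len(pkt) >= ihl + 8:
        udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
        if udp_len < 8 or udp_len != total_len - ihl:  # UDP bomb: UDP length disagrees with IP
            findings.append("udp-length-mismatch")
    return findings

def fragment_checks(fragments):
    """Reassembly anomalies for (offset_bytes, payload_len) pairs from one fragmented datagram."""
    findings = []
    spans = sorted(fragments)
    for (o1, l1), (o2, _) in zip(spans, spans[1:]):
        if o2 < o1 + l1:                  # teardrop: fragment starts inside the previous one
            findings.append("overlapping-fragments")
            break
    if spans and max(o + l for o, l in spans) > 65535:  # ping of death: reassembled size too large
        findings.append("reassembled-size-exceeds-max")
    return findings

if __name__ == "__main__":
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    print(ipv4_checks(build_ipv4(IP_TCP, a, a, b"\x00" * 20)))  # ['land-src-equals-dst']
    print(fragment_checks([(0, 1480), (1000, 500)]))            # ['overlapping-fragments']
```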

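For the cookie security item under authorization testing above, here is an added example (not from the article) of the checks a tester runs over an application's Set-Cookie headers: transport protection, script access, cross-site sending, and whether a session cookie persists or is too short. The sample headers and the list of session cookie names are constructed for illustration.

```python
SESSION_COOKIE_NAMES = ("sessionid", "jsessionid", "phpsessid", "asp.net_sessionid")  # assumed names

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, {attribute_lower: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def audit_cookie(header, session_names=SESSION_COOKIE_NAMES):
    """Return the weaknesses a tester would report for one Set-Cookie header (empty list = fine)."""
    name, value, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:          # may be sent over plain HTTP, where it can be captured in transit
        issues.append("missing-Secure")
    if "httponly" not in attrs:        # readable by any script running in the page
        issues.append("missing-HttpOnly")
    samesite = attrs.get("samesite")
    if samesite is True or samesite is None or samesite.lower() == "none":
        issues.append("weak-SameSite")  # attached to cross-site requests
    if name.lower() in session_names:
        if "max-age" in attrs or "expires" in attrs:   # survives browser close: longer theft window
            issues.append("persistent-session-cookie")
        if len(value) < 16:                            # too short to resist guessing
            issues.append("short-session-id")
    return issues

def audit_response(set_cookie_headers):
    """Audit every Set-Cookie header of one response; returns {cookie_name: [issues]}."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in set_cookie_headers}

if __name__ == "__main__":
    # Constructed sample response headers, not captured from any real application.
    sample = [
        "sessionid=abc123; Path=/",
        "sessionid=3f9c2b7e8a1d4c6b9e0f1a2b; Path=/; Secure; HttpOnly; SameSite=Lax",
        "theme=dark; Path=/; Secure; SameSite=None; Max-Age=2592000",
    ]
    for h in sample:
        print(h.split(";")[0], "->", audit_cookie(h))
```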
    Continue to Part 5: Penetration testing methodology and standards

This was last published in February 2010
