Understanding penetration testing approaches
A white box assessment is typical of web application testing but can extend to any form of penetration testing. The key difference between white, black, and gray box testing is the amount of information provided to the penetration testers prior to the engagement. In a white box assessment, the penetration tester will be provided with full information about the application and its technologies, and will usually be given credentials with varying degrees of access to quickly and thoroughly identify vulnerabilities in the applications, systems, or networks. Not all security testing is done using the white box approach; sometimes, only the target company's name is provided to the penetration tester.
Black box assessments are the most common form of network penetration assessment and are most typical among external network penetration tests and social engineering penetration tests. In a black box assessment, the penetration testers are given very little or no information about the target networks or systems they are testing. This particular form of testing is efficient when trying to determine what a real hacker will discover and their strategies to gain unauthorized access to the organization's network and compromise their systems.
Gray box assessments are a hybrid of white and black box testing and are typically used to provide a realistic testing scenario while also giving penetration testers enough information to reduce the time needed to conduct reconnaissance and other black box testing activities. In addition, it's important in any assessment to ensure you are testing all in-scope systems. In a true black box, it's possible to miss systems, and as a result, they are left out of the assessment.
Each penetration test approach is different from the others, and it's vital that you know about all of them. Imagine a potential client calling to request a black box test on their external network; as a penetration tester, we must be familiar with the terms and what is expected.
Types of penetration testing
As an aspiring penetration tester, it's important to understand the difference between a vulnerability assessment and penetration testing. In a vulnerability assessment, the cybersecurity professional uses a vulnerability scanner, which is used to help assess the security posture of the systems within the organization. These vulnerability scanners use various techniques to automate the process of discovering a wide range of security weaknesses on systems.
The downside of vulnerability scanning is its incapability to identify the issues that manual testing can, and this is the reason that an organization hires penetration testers to conduct these assessments. Within the industry, organizations may hire a cybersecurity professional to perform penetration testing on their infrastructure. However, if the cybersecurity professional delivers scans instead of manual testing, this is a form of fraud and is, in my opinion, highly unethical. If you can't cut it in penetration testing, then practice, practice, and practice some more. You will learn legal ways to improve your tradecraft later in this book.
Web application penetration testing
Web application penetration testing, hereafter referred to as WAPT, is the most common form of penetration testing and is likely to be the first penetration testing job most people reading this book will be involved in. WAPT is the act of conducting manual hacking or penetration testing against a web application to test for vulnerabilities that typical vulnerability scanners won't find. Too often, penetration testers submit web application vulnerability scans instead of manually finding and verifying issues within web applications.
Mobile application penetration testing
Mobile application penetration testing is similar to WAPT but is specific to mobile applications that contain their own attack vectors and threats. This is a rising form of penetration testing with a great deal of opportunity for those who are looking to break into penetration testing and have an understanding of mobile application development. As you may have noticed, the different types of penetration testing each have specific objectives.
Social engineering penetration testing
Social engineering penetration testing, in my opinion, is the most adrenaline-filled type of testing. Social engineering is the art of manipulating basic human psychology to find human vulnerabilities and get people to do things they may not otherwise do. During this form of penetration testing, you may be asked to do activities such as sending phishing emails, make vishing phone calls, or talk your way into secure facilities to determine what an attacker targeting their personnel could achieve. There are many types of social engineering attacks, which will be covered later on in this book.
Network penetration testing (external and internal)
Network penetration testing focuses on identifying security weaknesses in a targeted environment. The penetration test objectives are to identify the flaws in the target organization's systems, their networks (wired and wireless), and their networking devices such as switches and routers.
The following are some tasks that are performed using network penetration testing:
- Bypassing an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)
- Bypassing firewall appliances
- Password cracking
- Gaining access to end devices and servers
- Exploiting misconfigurations on switches and routers
Now that you have a better idea of the objectives of network penetration testing, let's take a look at the purpose of cloud penetration testing.
Cloud penetration testing
Cloud penetration testing involves performing security assessments and penetration testing on risks to cloud platforms to discover any vulnerabilities that may expose confidential information to malicious users. Before attempting to directly engage a cloud platform, ensure you have legal permission from the cloud provider. For example, if you are going to perform penetration testing on the Microsoft Azure platform, you'll need legal permission from Microsoft as your actions may affect other users and services who are sharing the data center.
Physical penetration testing
Physical penetration testing focuses on testing the physical security access control systems in place to protect an organization's data. Security controls exist within offices and data centers to prevent unauthorized persons from entering secure areas of a company.
Physical security controls include the following:
- Security cameras and sensors: Security cameras are used to monitor physical actions within an area.
- Biometric authentication systems: Biometrics are used to ensure that only authorized people are granted access to an area.
- Doors and locks: Locking systems are used to prevent unauthorized persons from entering a room or area.
- Security guards: Security guards are people who are assigned to protect something, someone, or an area.
Having completed this section, you are now able to describe the various types of penetration testing. Your journey ahead won't be complete without understanding the phases of hacking. The different phases of hacking will be covered in the next section.