The penetration testing process
Penetration testing is a point-in-time security assessment in which a suitably skilled tester uses a combination of pen-testing tools and manual techniques to uncover real-world security vulnerabilities in your IT infrastructure. The tester looks at the target systems from the viewpoint of a potential threat actor, assessing infrastructure, networks and applications to identify and exploit attack vectors, vulnerabilities and weaknesses.
The process typically has five phases: reconnaissance, vulnerability discovery, exploitation, analysis of the findings and, lastly, reporting to the client, including recommendations to remediate what was found. At each step the tester relies on a wide range of tools as well as specialist knowledge.
Pen Test tools
These tools typically come in the form of software applications that assist the tester in finding and exploiting vulnerabilities. Which tools a tester deploys depends on personal preference, company guidance and the type of penetration test. Some are commercial and must be licensed and paid for; others are open source and free to use. One noteworthy platform is Kali Linux, a Debian-based Linux distribution that bundles hundreds of penetration-testing tools into one cohesive platform, giving testers a single environment from which to perform an array of testing exercises. Many of the tools mentioned below ship with Kali Linux.
As well as this, testers often create their own in-house tools, such as scripts for specific tasks. Given this, testers will use a wide range of tools depending on the use case, but the main types of tools used can be categorised, as set out below. For more information on how penetration testing works, please refer to our guide to penetration testing.
Reconnaissance tools
Once the tester and client have agreed the scope of the test, the test begins with the reconnaissance phase. Here the tester collects as much open-source intelligence (OSINT) as possible about the target, often starting with public search engines and social media. Penetration testers don't simply comb through Google or Facebook as you or I would, though; they use OSINT services that speed up the data-mining process.
One well-known tool for this is Spyse, a specialist cyber-security search engine designed to help security professionals discover technical information about internet-facing entities and businesses. Many penetration testers also use Shodan, a search engine for devices connected to the internet. Unlike a web search engine, which indexes websites, Shodan indexes the devices themselves: servers, routers, cameras and other connected hardware, together with metadata such as the services and software versions each device exposes.
Another well-known reconnaissance tool is Maltego, which excels at information gathering and data mining: it plots the entities it finds (domains, people, email addresses, IP addresses) as a graph so that multi-hop connections between them become visible. Lastly, theHarvester mines email addresses, subdomain names, hosts and related corporate information from public sources such as search engines and certificate transparency logs.
Port scanners
A port is a numbered endpoint within a host's network stack that lets several services share one IP address. Both TCP and UDP use port numbers from 0 to 65535, and a port number is always paired with the host's Internet Protocol (IP) address, so the combination tells the network which host and which listening service a packet is for.
Internet-connected devices rely on ports to function and communicate. However, an open port becomes a gateway for malicious actors if the service listening on it is misconfigured, unpatched or should never have been exposed in the first place. Port scanning is therefore an essential part of penetration testing.
Port scanners automatically and rapidly discover which ports on a system are open, and usually which service and version is listening on each. This helps the penetration tester understand how the network works and what applications run on it, and from there to assess potential entry points, diagnose network issues and spot misconfigured services. Port scans are typically run early in the engagement, during the reconnaissance and discovery phases. The best-known port scanner is Nmap; vulnerability scanners such as Nessus also perform port scanning as a first step.
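To make the port-scanning step concrete, here is a minimal TCP connect scanner in Python. It is an added example written for this article, not code from Nmap or Nessus; it assumes only the standard library, and the listener it scans is a constructed local stand-in for a real host.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """TCP connect scan of one port.

    A full three-way handshake is completed, so the probe shows up in the
    target's logs; Nmap's default SYN scan avoids that but needs raw sockets.
    Returns None if the port is closed or filtered, otherwise the banner the
    service volunteered (possibly an empty string).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except (socket.timeout, OSError):
        sock.close()
        return None
    banner = b""
    try:
        banner = sock.recv(256)      # many services (SSH, FTP, SMTP) speak first
    except (socket.timeout, OSError):
        pass
    finally:
        sock.close()
    return banner.decode("ascii", "replace").strip()


def scan(host, ports, workers=64):
    """Scan a list of ports concurrently; returns {port: banner} for open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        banners = pool.map(lambda p: probe_port(host, p), ports)
        return {p: b for p, b in zip(ports, banners) if b is not None}


def start_demo_listener(banner):
    """Constructed target for local testing: accepts on an ephemeral port and greets with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Pick a port that is (almost certainly) closed: bind, read it back, release it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return port


if __name__ == "__main__":
    target = start_demo_listener(b"SSH-2.0-OpenSSH_9.6 demo\r\n")
    print(scan("127.0.0.1", [closed_port(), target]))
```

The banner read is what turns "port 22 open" into "OpenSSH on port 22", which is the detail the vulnerability-discovery phase needs. Because a connect scan completes the handshake, every probe is visible to the target; that is the trade-off Nmap's SYN scan makes in the other direction, at the cost of needing raw-socket privileges.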
SSL/TLS scanners
In addition to, and sometimes as part of, a port scanner, but with a different objective, is an SSL scanner. SSL stands for Secure Sockets Layer, the protocol that encrypts the connection between a web server and a browser. It has long since been superseded by Transport Layer Security (TLS), and every SSL version is now deprecated, though the old name has stuck. The server's certificate lets the browser authenticate who it is talking to, and the keys negotiated during the handshake encrypt data such as customer card details during online transactions. A TLS deployment is only as strong as its configuration, however, and misconfigurations and known protocol flaws are common.
To gain assurance that TLS has been implemented effectively and in line with best practice, penetration testers use SSL scanners: automated tools that check a service for known weaknesses such as the POODLE and BEAST vulnerabilities, support for deprecated protocol versions, weak ciphers and inappropriate or expired certificates. One of the most popular is testssl.sh, which checks a port for the TLS/SSL protocol versions and ciphers it accepts and for cryptographic flaws.
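What an SSL scanner actually does for each protocol version is send a ClientHello that offers only that version and see whether the server completes the handshake or rejects it. The following Python, an added example and not testssl.sh's own code, builds such ClientHellos by hand for SSLv3 to TLS 1.2 and classifies the reply. TLS 1.3 is deliberately out of scope because it needs extra extensions, the cipher list is a small constructed sample, and the host and port are whatever you pass in.

```python
import os
import socket
import struct

# Legacy protocol versions an SSL scanner tries one at a time. TLS 1.3 is
# negotiated via the supported_versions extension and needs key_share too,
# so it is deliberately out of scope for this minimal probe.
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}

# A small, deliberately mixed list of suites; real scanners offer hundreds.
SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",            # 3DES: flagged as weak
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",             # CBC, no forward secrecy
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",          # no forward secrecy
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    # modern
}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(version, suites, server_name=None):
    """Serialise a minimal ClientHello record offering exactly `version` and `suites`."""
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, empty session id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                           # one compression method: null
    if server_name and version >= 0x0301:                         # SNI (an extension; SSLv3 has none)
        name = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake  # ContentType handshake


def parse_server_response(data):
    """Classify the first record the server sends back."""
    if len(data) < 5:
        return ("no_response", None)
    ctype, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == 0x15 and len(payload) >= 2:                       # Alert record
        return ("rejected", ALERTS.get(payload[1], "alert_%d" % payload[1]))
    if ctype == 0x16 and payload[:1] == b"\x02":                  # Handshake: ServerHello
        hs = payload[4:]                                          # skip type(1) + length(3)
        version = struct.unpack("!H", hs[0:2])[0]
        sid_len = hs[34]                                          # after version(2) + random(32)
        suite = struct.unpack("!H", hs[35 + sid_len:37 + sid_len])[0]
        return ("accepted", (version, SUITES.get(suite, "0x%04X" % suite)))
    return ("unexpected", ctype)


def probe(host, port, version_name, suites=tuple(SUITES), timeout=5.0):
    """Offer one protocol version; an accepting server reveals that it still supports it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(VERSIONS[version_name], suites, host))
        try:
            return parse_server_response(sock.recv(4096))
        except (socket.timeout, ConnectionError):               # some servers just drop SSLv3
            return ("rejected", "connection_closed_or_timeout")


def scan_versions(host, port=443):
    return {name: probe(host, port, name) for name in VERSIONS}


if __name__ == "__main__":
    import sys
    for name, outcome in scan_versions(sys.argv[1]).items():
        print(name, outcome)
```

Against a real host, `accepted` for SSLv3 or TLS 1.0 is exactly the finding the scanner would flag, and `rejected` with `protocol_version` or `handshake_failure` is the healthy answer. testssl.sh does the same thing at scale, with hundreds of cipher suites per version and checks for specific flaws such as POODLE layered on top.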
Vulnerability scanners
A vulnerability scan is an automated process that proactively identifies security vulnerabilities within a network or individual system. Most organisations regularly perform vulnerability scans as part of their vulnerability management programmes, but they are also an essential tool for penetration testing. Many people confuse penetration testing with vulnerability scanning, but it's important to know the difference; we explain this in our blog: penetration testing vs vulnerability scanning.
Because vulnerability scans need no human intervention, they are fast and repeatable. Once complete, the scanner produces a list of security flaws for the pen-tester to review, typically prioritised using the CVSS 3.1 scoring methodology. The pen-tester uses these results to select candidate vulnerabilities for manual verification and exploitation, since scanners also report false positives. Standard tools for vulnerability scanning include OpenVAS, Rapid7's Nexpose/InsightVM and Qualys. For web servers, a go-to scanner is Nikto. Please read our blog on the differences between vulnerability scanning and penetration testing for a detailed overview of vulnerability scanning.
Another well-known web application tool is dirsearch, a command-line tool that brute-forces file and directory names from a wordlist against the target web server to discover content that is not linked from the site, such as backup archives, admin panels and forgotten test pages.
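The following Python shows the dirsearch approach in miniature. It is an added example, not dirsearch's code; it assumes the standard library only and spins up a small constructed web server with three known paths so that it can be run without a target.

```python
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def fetch_status(url, timeout=5.0):
    """HTTP status for `url`, or None if the server could not be reached."""
    req = urllib.request.Request(url, headers={"User-Agent": "path-enum-demo"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:      # 4xx/5xx still carry a status code
        return err.code
    except urllib.error.URLError:
        return None


def enumerate_paths(base_url, words, extensions=("", "/", ".zip", ".bak")):
    """Brute-force words x extensions under base_url, dirsearch-style.

    The baseline request for a random path shows what "not found" looks like on
    this server; anything that answers differently is worth a look. That keeps
    catch-all hosts (200 for everything) from flooding the results.
    """
    baseline = fetch_status(base_url + "/" + secrets.token_hex(8))
    found = {}
    for word in words:
        for ext in extensions:
            path = "/" + word + ext
            status = fetch_status(base_url + path)
            if status is not None and status != baseline:
                found[path] = status
    return found


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed target: three paths exist, everything else is 404."""
    ROUTES = {"/admin/": 200, "/backup.zip": 403, "/robots.txt": 200}

    def do_GET(self):
        self.send_response(self.ROUTES.get(self.path, 404))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    base = start_demo_server()
    print(enumerate_paths(base, ["admin", "backup", "robots.txt", "login"]))
```

A 403 is as interesting as a 200 here: it confirms the file exists, and a differently configured path or an old copy alongside it may not be protected. Real wordlists run to tens of thousands of entries, so in practice the enumeration is threaded and rate-limited to suit the target.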
Network protocol analyser
A network protocol analyser, colloquially known as a packet sniffer, monitors and captures data packets as they pass through the network. Testers use it to passively collect information about the contents and sources of those packets, which can include sensitive details of email traffic, chat sessions and web traffic, and even exposed credentials and passwords.
With this data the tester can determine where information is going, which devices it came from, and which systems, applications, services and protocols are in use. Capturing packet-level detail lets the tester spot weaknesses that are invisible from the outside: credentials and session tokens sent in cleartext, legacy or unencrypted protocols still in use, and malformed or unexpected traffic that points to input-handling flaws in the applications involved. The best-known network protocol analyser is Wireshark.
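As an added example (not Wireshark code), the following Python decodes Ethernet/IPv4/TCP frames by hand and pulls cleartext credentials out of the payloads. The frames are constructed inline rather than captured; with a real capture you would feed it the packet bytes instead, or use Wireshark's display filters to find the same thing interactively.

```python
import base64
import re
import socket
import struct


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers by hand; return the TCP payload with its endpoints."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":        # EtherType 0x0800 = IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                  # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                                            # protocol 6 = TCP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                             # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[data_off:]}


FTP_CMD = re.compile(rb"^(USER|PASS) (\S+)", re.M)
HTTP_BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")
FORM_PASSWORD = re.compile(rb"(?:^|&)(?:pass|passwd|password|pwd)=([^&\s]+)", re.M)


def find_credentials(frames):
    """Scan each frame's payload for credentials sent in the clear."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        where = "%s:%d -> %s:%d" % (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        for cmd, value in FTP_CMD.findall(pkt["payload"]):
            hits.append((where, "ftp-" + cmd.decode().lower(), value.decode(errors="replace")))
        for token in HTTP_BASIC.findall(pkt["payload"]):
            decoded = base64.b64decode(token).decode(errors="replace")   # Base64 is not encryption
            hits.append((where, "http-basic", decoded))
        for value in FORM_PASSWORD.findall(pkt["payload"]):
            hits.append((where, "http-form-password", value.decode(errors="replace")))
    return hits


def make_tcp_frame(src, dst, sport, dport, payload):
    """Construct a frame for testing (checksums left zero; a parser does not need them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return bytes(12) + b"\x08\x00" + ip                          # zeroed MAC addresses


# Constructed sample traffic, not a real capture.
SAMPLE_FRAMES = [
    make_tcp_frame("10.0.0.5", "10.0.0.20", 51000, 21, b"USER alice\r\n"),
    make_tcp_frame("10.0.0.5", "10.0.0.20", 51000, 21, b"PASS hunter2\r\n"),
    make_tcp_frame("10.0.0.7", "10.0.0.30", 51234, 80,
                   b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                   + base64.b64encode(b"bob:letmein") + b"\r\n\r\n"),
    make_tcp_frame("10.0.0.7", "10.0.0.30", 51235, 80,
                   b"POST /login HTTP/1.1\r\nHost: intranet\r\nContent-Length: 35\r\n\r\n"
                   b"username=carol&password=Spring2024!"),
]

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_FRAMES):
        print(hit)
```

The fields it matches on are the classic ones: FTP's USER/PASS commands, HTTP Basic authentication (which is only Base64-encoded, not encrypted) and password fields in form posts. Anything that shows up here is an immediate finding, and the fix is the same in every case: put the service behind TLS or retire it.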
Web proxies
A web proxy is an essential tool for web application penetration testing. It sits between the browser and the web application, capturing every request and response as the tester navigates the application, and lets the tester pause, inspect and modify them before they are forwarded. From this traffic the proxy builds a site map of the application and how it is used, and flags issues it observes in the requests and responses, such as hidden form fields, credentials submitted in cleartext or insecure cookie attributes. Standard web proxy tools are Burp Suite and OWASP ZAP.
Password crackers
When a user enters a password on a device or into an application, the system hashes it and compares the result with the stored hash of the user's real password. If the two match, the user is authenticated and allowed to use the device or application. Even hashed passwords are vulnerable, however: anyone who obtains the hashes can guess at the password offline.
Password crackers are tools penetration testers use to discover weak passwords that put the organisation at risk. There are several approaches. Firstly, as noted above, a network protocol analyser can intercept passwords in transit; if they travel in cleartext, the tester can simply log in to the affected account.
Another approach is the dictionary attack: an automated tool tries a pre-defined set of candidates, which may be a dictionary or a list assembled by the tester, often expanded with mangling rules such as capitalisation and appended digits. Tried against a live login, this only works for weak and common passwords, and lock-out mechanisms and multi-factor authentication limit it further. Tried offline against a copy of the hashes, those controls do not apply, and the only limits are the cost of the hash algorithm and the tester's hardware. The best-known password cracking tools, John the Ripper and Hashcat, work in this offline mode.
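An added Python example, not John the Ripper or Hashcat code, that shows both halves of the story: how a login check compares hashes, and how an offline dictionary attack with simple mangling rules recovers weak passwords from a stolen hash list without ever touching the login form. The user records, salts and wordlist are constructed for the demo, and the PBKDF2 iteration count is kept low so that it runs in well under a second; production systems use far higher counts, which is precisely what makes each guess expensive.

```python
import hashlib
import hmac
import os


def hash_password(password, salt, iterations=1000):
    """PBKDF2-HMAC-SHA256, stored as 'iterations$salt_hex$hash_hex'.

    1000 iterations is deliberately low for the demo; real deployments use far
    more, because every extra iteration is paid again for every cracking guess.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(stored, candidate):
    """The login check: hash the candidate the same way and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def mangle(word):
    """Cheap rule set in the spirit of John/Hashcat rules: case variants and common suffixes."""
    bases = {word, word.lower(), word.capitalize()}
    for base in bases:
        for suffix in ("", "1", "123", "!", "2024", "2024!"):
            yield base + suffix


def dictionary_attack(stored_hashes, wordlist):
    """Offline attack: every candidate is hashed locally, so lock-outs and MFA never come into play."""
    candidates = {c for w in wordlist for c in mangle(w)}
    cracked = {}
    for user, stored in stored_hashes.items():
        for candidate in candidates:
            if verify_password(stored, candidate):
                cracked[user] = candidate
                break
    return cracked


# Constructed "leaked" hash list: fixed salts so the first two are reproducible,
# a random salt and a long passphrase for the third, which no wordlist here will hit.
USERS = {
    "alice": hash_password("Winter2024!", bytes.fromhex("00112233445566778899aabbccddeeff")),
    "bob": hash_password("dragon123", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
    "carol": hash_password("correct horse battery staple", os.urandom(16)),
}
WORDLIST = ["winter", "dragon", "password", "letmein", "monkey"]

if __name__ == "__main__":
    print(dictionary_attack(USERS, WORDLIST))
```

Per-user salts mean each candidate must be hashed once per user rather than once for the whole list, and a slow hash multiplies that cost again; those two choices, not the secrecy of the algorithm, are what stand between a leaked hash list and a cracked account. Against a live login the same wordlist would trip lock-outs after a handful of attempts, which is why the offline route is the one crackers take.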
As well as these types of tools, penetration testers use reporting and note-taking tools, such as Scratchpad, OneNote and Circacode, to record their findings accurately as they go and to deliver valuable recommendations at the end of the test.
Do you need to discuss pen testing with an expert?
If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions or remediations from our findings.