A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker or Cracker.
A penetration tester should perform a penetration test when the penetration tester has written permission from the network owner.
Penetration testing actively tests security controls and can cause system instability.
Active reconnaissance refers to the act of attempting to gather information from a group, website, etc. by the use of scanners, software, or a similar method requiring technical knowledge.
Passive reconnaissance is characterized by the lack of technical expertise used to glean information.
An example is finding employee names on a business’s public-facing website.
Pivot & Initial Exploitation
In penetration testing, the pivot is the first step into a network or system. The pivot point is the point from which the hacker can then branch out and compromise other parts of the system or other devices on the network.
The pivot is basically the initial exploitation that is required for a hacker to compromise the rest of the network.
After this initial exploitation takes place, the attacker/tester will either hit the systems they planned to hit and leave, or use this pivot point as a persistent means to continue to compromise the system.
In a Persistent Penetration Attack, after the initial attack, the attacker will continue to monitor the target network.
As the threatscape changes due to new exploits, or as improved methodologies are developed, these new attacks are compared against the target network to identify new risks.
This more accurately simulates the approach of real-world methods.
Privilege escalation is the act of exploiting a bug or design flaw in a software application to gain access to resources which normally would have been protected from an application or user.
Privilege escalation is a type of attack that occurs when the attacker uses an account that has read-only access to gain access to an account that has full control access.
White box testing is a testing technique whereby explicit knowledge of the internal workings of the item being tested is used to select the test data.
Black box testing is a testing technique where the internal workings of the item being tested are not known by the tester. You are working “in the dark”.
Grey box testing is the combination of black box and white box testing.
A vulnerability scanner is a computer program designed to search for and map systems for weaknesses in an application, computer, or network.
These utilities are the least intrusive and check the environment for known software flaws.
Scheduling vulnerability scans is a management control type.
Examples of some vulnerability scanner programs are Nessus and Microsoft Baseline Security Analyzer.
One way that vulnerability scanning distinguishes itself from penetration testing is the amount of work involved in conducting it.
When a vulnerability scan is conducted, it runs on its own, searching for weaknesses based on a database, without active involvement.
It ends up not being as thorough, but it allows regular business operation to continue.
The primary purpose of a vulnerability scan is to search a system, check back against its database of filed vulnerabilities, and point out flaws that match.
An important practice to observe when scanning is to run additional scans after vulnerabilities are found, as there may be others that have surfaced since the last ones were found and removed.
A possible result from a vulnerability scan is identifying a lack of security controls.
Running a second scan is especially important in these cases as you would need to check if the new controls you put in place still present vulnerabilities.
Attackers often look for systems that are misconfigured, and vulnerability scanners can detect some common misconfiguration settings.
Some scanners can also detect if certain sensitive data is being sent over the network when it should not be.
Authenticated vs. Unauthenticated
There are two approaches to vulnerability scanning, authenticated and unauthenticated scans.
An unauthenticated scan is performed the same way an intruder would be expected to scan the network. No credentials are used. This way, the company can get an accurate view of the vulnerabilities that are present and exploitable without ever logging into the network.
An authenticated scan is performed with internal network credentials. This can usually see a fuller picture of the network and can also simulate a scan from an internal threat.
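The following is an added example, not code from the original notes or from any real scanner, showing how the matching described above works: observable software versions on a host are compared against a database of filed vulnerabilities, an unauthenticated scan only sees what service banners expose, an authenticated scan also sees the full installed-package inventory, and a rescan after a fix shows what remains. Every product name, version, and flaw ID below is a constructed placeholder, not a real advisory.

```python
"""Toy vulnerability scanner (added example): matches what it can observe
about a host against a constructed database of known flaws.
All product names, versions and flaw IDs are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class KnownFlaw:
    flaw_id: str            # placeholder identifier, not a real CVE number
    product: str            # software the flaw applies to (placeholder name)
    max_vulnerable: tuple   # versions less than or equal to this are affected
    description: str


# Constructed "database of filed vulnerabilities" the scanner checks against.
FLAW_DB = [
    KnownFlaw("FLAW-001", "webserverd", (2, 4, 1), "remote code execution (placeholder)"),
    KnownFlaw("FLAW-002", "sshd", (8, 1), "weak default configuration (placeholder)"),
    KnownFlaw("FLAW-003", "backupagent", (1, 0), "local privilege escalation (placeholder)"),
]


@dataclass
class Host:
    """What a scanner can learn about one host."""
    name: str
    # Visible without credentials: banners of network-facing services.
    banners: dict = field(default_factory=dict)
    # Visible only with credentials: every installed package, including local-only ones.
    installed: dict = field(default_factory=dict)


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuples compare element-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def scan(host, authenticated=False, db=FLAW_DB):
    """Return the sorted list of flaw IDs whose product/version matches the host.

    Unauthenticated: only service banners are consulted, as an outsider sees them.
    Authenticated: the full installed-package inventory is consulted as well.
    """
    observed = dict(host.banners)
    if authenticated:
        observed.update(host.installed)
    findings = []
    for flaw in db:
        version = observed.get(flaw.product)
        if version is not None and parse_version(version) <= flaw.max_vulnerable:
            findings.append(flaw.flaw_id)
    return sorted(findings)


def remediate(host, product, new_version):
    """Simulate patching: record the new version wherever the product appears."""
    for inventory in (host.banners, host.installed):
        if product in inventory:
            inventory[product] = new_version


def demo():
    """Run the three scans the notes describe on a constructed sample host."""
    host = Host(
        "app01",
        banners={"webserverd": "2.4.0", "sshd": "8.4"},
        installed={"webserverd": "2.4.0", "sshd": "8.4", "backupagent": "0.9"},
    )
    unauth = scan(host)                      # outsider view: web server only
    auth = scan(host, authenticated=True)    # also sees the local backup agent
    remediate(host, "webserverd", "2.4.2")   # apply the fix for the first finding
    rescan = scan(host, authenticated=True)  # rescan: the local flaw is still there
    return unauth, auth, rescan


if __name__ == "__main__":
    print(demo())
```

The rescan step is the point of the practice described above: fixing the first finding does not clear the host, and adding a newly filed entry to the database and scanning again is how flaws that "surfaced since the last scan" get picked up.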
Intrusive vs Non-intrusive
As compared to a penetration test, a vulnerability scan tends to simply look over a system to reveal weaknesses, whereas the latter attempts to break into systems to reveal them.
While a scan has the capability of slowing down a system during its operation, it still allows regular business operation to continue.
Sometimes when a scan is conducted it may yield results that are misleading, in the form of false positives and negatives.
A false negative is when a system reports that a verified user is unauthorized.
A false positive is when a system accepts an unauthorized user as valid and allows them access.