A Short Practice Guide for PenTests
Definition:
A penetration test is a proven method of looking for security weaknesses that could be used to gain access to a computer's features and data.
Typical starting points for penetration tests are:
- Active components like routers, switches or gateways
- Security gateways like firewalls, packet filters, intrusion detection systems, antivirus software etc.
- Servers like database servers, mail servers, file servers etc.
- Telecommunication systems
- Web applications
- Wireless LAN
Usually, penetration tests are sub-classified into two methods: the “Blackbox-Test” and the “Whitebox-Test.” The difference between these tests is the amount of underlying information about the available systems. During the “Blackbox-Test,” the penetration tester has insufficient knowledge of the target system. During the “Whitebox-Test,” the penetration tester has a lot of information about the system.
The depth of a penetration test varies, but the rule is “avoid destructive tests.” That means: do not crash the target system.
Normally, penetration tests are limited in time and scope.
Organizational requirements:
- The contract should include the audit period, the audit objects and the scope.
- Costs incurred should be listed. The purchaser must agree to the obligation to co-operate.
- The contract should also record the agreements reached on liability and secrecy.
- The contract should state that the results obtained reflect only that point in time.
Penetration tests are valid, but because of possible restrictions on time, money and human resources, it is not ensured that all existing errors are found.
A “Non-Disclosure Agreement” has to be defined, as well as guidelines about privacy. The institution and the penetration tester should specify exactly which areas will be tested.
Subject requirements:
The test object is determined between the penetration tester and the institution. The current threat assessment and the protection requirements of the business process provide a basis. Typical test objects are similar to the typical starting points for penetration tests. The institution may wish to identify every possible attack and eliminate it. However, this is very time consuming and expensive. Therefore, consideration should be given to where an attack is most likely, and the identified interfaces should be tested first. Penetration testers cannot assume quality assurance, and blindness has to be avoided: the same test objects should not be tested repeatedly by the same penetration testers.
Defining the scope of testing:
Here, the following aspects are agreed upon:
- scope of testing
- test location
- test period
- test conditions
Scope of testing:
If mutually agreed, a technical security audit is carried out in which possible vulnerabilities are pointed out based on the versions of the IT applications in use and the existing configurations. From the versions found and the security measures implemented, conclusions can be drawn about possible vulnerabilities.
Non-invasive vulnerability scanning is the next possible test depth. Here the pentester scans the network for vulnerabilities with their own devices, using vulnerability scanners that do not exploit the vulnerabilities they find. In this way it can be observed how a device behaves on a foreign network and what it looks like.
At the next test depth, invasive vulnerability scanning, so-called exploits are also used. These are programs written specifically to exploit known vulnerabilities.
This demonstrates that an IT system is vulnerable. The disadvantage is that exploits may interfere with the IT systems.
Note:
When determining the audit depth, weigh up what promises the most benefit. A moderate attack strength should be selected: identify possible gaps with vulnerability scanners and, if exploits are used at all, use only accurately tested ones.
Test location
The place where the penetration test takes place must be determined. It needs to be clarified whether it is possible to test an IT application over the Internet, or whether the test takes place on site at the institution to be audited. It is recommended to perform penetration tests on site when possible, unless the test object is a web application that is to be tested over the Internet.
Test conditions
If the production system is being tested, consider placing the test period in a time when little impairment of normal operation is to be expected.
Here, however, it must be noted that the traffic necessary for the tests could then be missing.
The client should ensure that no changes to the system are performed during the test. If the client's contact person becomes aware of vulnerabilities by observing the penetration test or through discussions, he has to wait until the penetration test is completed before eliminating the gap; otherwise the test result can be falsified. Should a gap be discovered that is so serious that it is imperative to close it immediately, the penetration test should be stopped and performed at a later time.
When testing over the Internet, the penetration testers must be given access to the IT systems under test. Any blocking by security gateways needs to be switched off for the test period. This serves to obtain accurate results for the tested IT application. If the security gateway provides additional safeguards, that is good for operation.
The penetration tester can produce accurate results on where which weaknesses need to be removed more easily, and thus more economically, when the IT systems are tested separately from each other. The function of the security gateway should be tested in a separate penetration test.
Test period
Before any penetration test it is important to define a time frame for its implementation, so that on the one hand the institution can prepare and plan the penetration test exactly, and on the other hand the penetration tester has a target. Sufficient time should be scheduled for familiarization with the technology to be tested and for reporting.
Documentation
So that the penetration tester gets a quick overview of the test objects, the documents listed below should be made available by the client.
1. Networks with communication links to other IT systems and IT applications
All interfaces for humans and machines should be clearly identifiable. Interfaces that can be reached externally (e.g. connection to the Internet services, WiFi, network outlets in meeting rooms) should be specially identified.
2. Description of the test object
Documentation of the test object should be available. It describes what the test object is required for. The documentation should at least describe which participants have access to the object, at what times it is accessed, which data are personal or may need to be treated as confidential, and which IT systems are important for the functioning of the IT application. IT applications are to be divided into clearly defined functions and described as such. Special security measures regarding the IT application should be described.
3. List of IT systems with description of hardening measures
Since most IT systems remain changeable through running processes, for example regular updates, a status-quo image of the IT systems is sufficient for the preparation of penetration testing. For servers, this means that a list of installed programs and services is created and the current processes are documented. For the assessment of network components, configuration files and rules are important.
4. Responsibilities
Finally, the responsible persons who must be available during a penetration test must be determined on both sides.
Sequence of a penetration test
The following describes, as far as possible, the practical course of a penetration test. In most cases, especially in the practical part, other aspects are added which are determined individually based on the test object.
1. Incorporation of the penetration tester
The institution must make detailed documentation available to the penetration testers for familiarization.
2. Test of the test object
It is recommended to divide the test into the following work packages:
- Start conversation
- Setting up the work environment
- Practical Exam
- Concluding discussion
Depending on the scope of the tests, various intermediate discussions can also be necessary, or individual packages such as setting up the working environment and the practical test are performed multiple times. In tests lasting several days, a short conversation should be held every morning between the penetration testers and the participating technical staff of the client, clarifying what is planned. After completion of the work, a short summary should be given.
Practical Exam
Below, some recurring elements that generally occur in the practical part of a penetration test are described. The modules described below are intended to provide an overview of the core elements of a penetration test. During the test, the possibility must be kept open at all times to go beyond these core elements if an attack is possible in another way.
Conceptual weaknesses
Usually the penetration testers will notice open issues and questions when reviewing the documentation of the test object during the preparation time. These can point to conceptual weaknesses of the test object that the person in charge on site might not have noticed.
Implementation hardening measures
In this module it is determined whether the hardening measures necessary for the test objects are implemented. Here, at least the following points should be clarified:
1. Open ports
2. Interfaces
3. Timeliness of patch levels and the software versions used
4. Admission requirements for programs / authentication
5. Service hardening / regulations
Known vulnerabilities
In this module, the test object is inspected for known vulnerabilities. This can be done on the basis of the patch levels encountered in Module 2 (Implementation hardening measures) or with so-called vulnerability scanners.
Exploits
Exact evidence that a vulnerability exists is only given when it is also used, that is, when an exploit has been used successfully. Penetration testers should only use exploits whose action they have already studied and tested.
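The "Implementation hardening measures" module compares what the client documented (the status-quo list of services) with what is actually found on the system. The following is an added example, not part of the original guide: the record format, the sample `ss -tlnp` style lines and all versions are constructed for illustration.

```python
import re

# Constructed status-quo record as the client might hand it over
# (hypothetical format): port -> (service, documented version).
DOCUMENTED = {22: ("sshd", "9.6"), 443: ("nginx", "1.24.0"),
              5432: ("postgres", "15.4"), 25: ("postfix", "3.8.1")}

# Constructed observation: listening TCP sockets in `ss -tlnp` style.
OBSERVED_SOCKETS = """\
LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 511 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=912,fd=6))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1033,fd=5))
LISTEN 0 128 [::]:8080      [::]:*    users:(("java",pid=1440,fd=9))
"""
# Constructed versions as read from the package list on the server.
OBSERVED_VERSIONS = {"sshd": "9.6", "nginx": "1.22.1",
                     "postgres": "15.4", "java": "17.0.9"}

SOCKET_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "[::1]"}

def parse_listeners(text):
    """Return {port: (bind_address, process)} for every LISTEN line."""
    found = {}
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            found[int(m.group(2))] = (m.group(1), m.group(3))
    return found

def compare(documented, listeners, versions):
    """List deviations between the documented and the observed state."""
    findings = []
    for port, (addr, proc) in sorted(listeners.items()):
        scope = "loopback" if addr in LOOPBACK else "network"
        if port not in documented:
            findings.append(("undocumented-port", port, proc, scope))
            continue
        service, doc_version = documented[port]
        if proc != service:
            findings.append(("unexpected-service", port, proc, scope))
        elif versions.get(proc) != doc_version:
            findings.append(("version-differs", port,
                             f"{proc} {versions.get(proc)}", scope))
    for port in sorted(set(documented) - set(listeners)):
        findings.append(("documented-not-listening", port,
                         documented[port][0], "n/a"))
    return findings

if __name__ == "__main__":
    listeners = parse_listeners(OBSERVED_SOCKETS)
    for finding in compare(DOCUMENTED, listeners, OBSERVED_VERSIONS):
        print(finding)
```

Each finding is a question for the concluding discussion rather than a confirmed weakness: a differing version may mean stale documentation just as well as a missing patch.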
After testing, a conversation is to be held between the penetration testers and the client's contact persons. The aim is to inform them of the progress and outcome of the practical test.
Report:
The last work package of a penetration test is the report. Because of its potentially explosive contents, the report should be made available only to the penetration tester and their quality assurance, as well as a select group at the client. Depending on criticality, the document must carry confidentiality markings.