Targets of Penetration Tests
Penetration tests sometimes target specific technologies or environments.
- E.g. web applications, networks, or hardware
Network Penetration Testing
Network penetration testing is often used as an overarching penetration testing term for the broad testing of hosts for vulnerabilities, issues specific to web applications, and even employees who might be vulnerable to social engineering attacks.
- tend to have broad scopes but often take place in limited time frames (time boxed)
- shallower than a specifically focused test
- common type of pentest
Application Penetration Testing
Application penetration testing focuses directly on an application or application environment.
- involves a more specialized set of tools and skills than for network penetration testing
- common pentest
2 Approaches
Static analysis involves directly analyzing the application source code and resources.
- tester might pore through the code, looking for issues such as logic errors or vulnerabilities that exist due to the specific lines of code and libraries in use
- tester must have a strong development background and grasp of the languages used
Dynamic analysis involves testing the application while it’s in operation: testing the compiled binary form or the running web application.
- doesn’t give the tester the same insight into the code that static analysis does
- more closely resembles real attacks against the application
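The two approaches side by side, as an added example that is not part of the original notes. The tiny application under test (`SAMPLE_SOURCE`), the list of risky calls, and the sample inputs are all constructed for illustration; the point is that the static pass reads the source and flags the specific lines and libraries in use, while the dynamic pass only sees the running function's behaviour, and each catches something the other misses.

```python
"""Static vs. dynamic analysis of the same small application (added example)."""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Constructed sample application under test. It is deliberately written with
# two library-level weaknesses and one logic gap so both passes have something to find.
SAMPLE_SOURCE = '''
import subprocess
import pickle

def run_backup(path):
    # shell=True with a caller-supplied path
    return subprocess.run("tar czf backup.tgz " + path, shell=True)

def load_session(blob):
    return pickle.loads(blob)

def parse_port(value):
    return int(value)
'''


@dataclass
class Finding:
    line: int      # source line for static findings, 0 for dynamic ones
    rule: str
    detail: str


# Static analysis: calls that are dangerous whenever they can reach
# attacker-influenced data. The table is an assumption for this example.
RISKY_CALLS = {
    "eval": "code execution from string",
    "exec": "code execution from string",
    "pickle.loads": "deserialization of untrusted data",
    "os.system": "shell command execution",
}


def _call_name(node: ast.Call) -> str:
    """Return 'name' or 'module.attr' for a call node, '' if more complex."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def static_analysis(source: str) -> list[Finding]:
    """Walk the parsed source and flag risky calls by line number."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in RISKY_CALLS:
            findings.append(Finding(node.lineno, name, RISKY_CALLS[name]))
        # Any subprocess.* call with a literal shell=True keyword.
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            findings.append(Finding(node.lineno, name, "shell=True command execution"))
    return sorted(findings, key=lambda f: f.line)


def load_sample_app() -> dict:
    """Load our own constructed sample into an isolated namespace so its
    functions can be exercised without importing a real module."""
    namespace: dict = {}
    exec(compile(SAMPLE_SOURCE, "<sample_app>", "exec"), namespace)
    return namespace


def dynamic_analysis(func, inputs, valid) -> list[Finding]:
    """Black-box pass: call the running function with each input and record
    unhandled exceptions and results that violate the expected invariant."""
    findings: list[Finding] = []
    for value in inputs:
        try:
            result = func(value)
        except Exception as exc:  # every crash is a finding here
            findings.append(Finding(0, type(exc).__name__, f"input {value!r}: {exc}"))
            continue
        if not valid(result):
            findings.append(Finding(0, "InvalidResult", f"input {value!r} -> {result!r}"))
    return findings


if __name__ == "__main__":
    for f in static_analysis(SAMPLE_SOURCE):
        print(f"static  line {f.line}: {f.rule} ({f.detail})")
    app = load_sample_app()
    # Constructed inputs: one valid port, three malformed values, one out of range.
    for f in dynamic_analysis(app["parse_port"], ["8080", "abc", "", None, "-1"],
                              lambda p: 1 <= p <= 65535):
        print(f"dynamic {f.rule}: {f.detail}")
```

The static pass reports the `shell=True` call and `pickle.loads` by line, but says nothing about `parse_port`; the dynamic pass never sees the source, yet shows that `parse_port` crashes on malformed input and accepts `-1` as a port.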
Physical Penetration Testing
Physical penetration testing involves directly testing physical security measures.
- E.g., picking locks or bypassing alarm systems
- requires a particular set of tools and skills to test well
- less common
- will have a particular scope and a specific goal in mind
- E.g., get access to a data center, office, or to plug your hostile device into the network
- often conduct physical penetration testing in conjunction with other penetration testing
- E.g., if an attacker can get into a facility and enter a locked network closet, they may be able to plug a device into the network and leave it behind, which then allows them to perform attacks from the network itself without needing to be present.
Social Engineering Testing
- often takes place in conjunction with other tests
- so effective that the testers almost always succeed
- many organizations refuse to allow them
- frequently involve:
- phishing attacks
- Impersonating employees
- attempting to gain unauthorized access to facilities or resources
Hardware Testing
- unusual kind of penetration test
- typically occurs in organizations that manufacture hardware devices
- E.g., network gear, TVs, IoT devices
- test the device, the firmware on the device, associated mobile apps, and APIs the device uses
- Hardware devices are typically equipped with Universal Asynchronous Receiver/Transmitter (UART) or Joint Test Action Group (JTAG) debug ports, which are accessible on the circuit boards after you open the device
- provide terminal access to the device, in many cases without any sort of authentication, and you can use them to manipulate the device
- discovery phase for hardware devices can be slightly more involved
- Testers may investigate the firmware of the device itself or they may test a module or application controlling the device or even an associated web application
- software portions of these devices can be quite complex to investigate
- may consist of an entire operating system and all the applications running on the device
Bug Bounty Programs
In a bug bounty program, an organization offers rewards to people who discover vulnerabilities in their resources.