What is a Penetration Test? A Guide for Beginners
If you come from a hacking background, or you are simply interested in hacking, you must have heard the term Penetration Test. So what is a Penetration Test? If you don't know, there is no need to worry: here I am going to tell you everything about it. What is a Penetration Test? What is its history? What do hackers actually do in this process? Even if you already know about penetration testing, you may only know its process. This article gives you complete information about penetration testing from beginning to end.
In simple language, a Penetration Test is a process performed by an ethical hacker to find flaws in a system. The main aim of this process is to find the weaknesses or loopholes that an attacker could use to harm the system. It is not performed only on a single system; it is also used to find weaknesses in any kind of network, web application and much more.
Many people think that penetration testing is a difficult task, and it is, because you have to be very creative. It also requires knowledge of programming languages. Many companies hire such experts to find out whether there are any flaws in their systems. The hacker performs the penetration test and creates a report, and along with it also explains how the security can be improved. All of this is done with permission. So let us now learn about penetration testing in depth.
Table of Contents:
• What is a Penetration Test?
• History of Penetration Tests
• What are the Tools for a Penetration Test?
• What are the Processes or Phases in a Penetration Test?
• What are Vulnerabilities?
• What is a Payload?
• Conclusion
What is a Penetration Test?
A Penetration Test, also known as a Pen Test, White Hat Hacking or Ethical Hacking, is a process in which a hacker gains authorized access to a system under certain agreed limitations. It is done to check the security of the system: to identify the vulnerabilities of a system or network so that it can be protected against unauthorized parties getting access to the system and its data. At the same time it is also performed to strengthen security so that the risk from potential threats is reduced.
In this process the hacker identifies the system and sets up a goal. He then reviews all the available information and performs various tasks to attain that goal, just as a Black Hat Hacker would do. The target on which the penetration test is performed can be either Black Box, which means the tester is given only basic information or none at all except the company name, or White Box, which means the tester is given information about the system and some other background information.
There is also one more type of target, known as a Gray Box target, in which the hacker gets limited information. A penetration test determines whether or not a system is vulnerable to attack with its existing defenses in place. It also shows whether any of the security controls can be broken.
History of Penetration Tests
Deborah Russell and G. T. Gangemi were the two scholars who first stated that the year 1960 was the beginning of the computer security era because of the increasing popularity of time-sharing. Time-sharing means that multiple users can share a computer's resources at the same time by certain means, i.e. multitasking and multiprogramming.
In June 1965 several security experts from different countries held a conference on system security, hosted by a government contractor, the System Development Corporation (SDC). During the meeting it was noted that an SDC employee had easily been able to undermine the various protections of a time-sharing system. The participants at that conference requested that penetration tests be used as a tool to study computer system weaknesses.
In 1967 another conference among security experts took place to discuss system security. Willis Ware, Harold Petersen and Rein Turn of the RAND Corporation and Bernard Peters of the National Security Agency coined the term "penetration" to describe an attack on a system. In a paper, Willis Ware warned that such practices of gaining unauthorized access to a system should be stopped.
In 1970 teams known as "Tiger Teams" were organized by the government to perform penetration tests. These teams were made up of crackers. They broke into systems by defeating their security in order to detect loopholes.
What are the Tools for a Penetration Test?
There are many varieties of software available for penetration testing, including both free and commercial software.
1.) Specially Designed OS Distributions
Examples of OS distributions designed for penetration testing:
• BackBox, which is based on Ubuntu
• BlackArch, which is based on Arch Linux
• Kali Linux (which replaced BackTrack), which is based on Debian
• Parrot Security OS, which is based on Debian
• Pentoo, which is based on Gentoo
• WHAX, which is based on Slackware
There are many more distributions used as tools for penetration testing.
There are also certain Linux distributions that are deliberately vulnerable and can be deployed as target systems for practice. Such systems help security experts try out the latest testing tools. For example: Metasploitable, the OWASP Web Testing Environment and Damn Vulnerable Linux.
2.) Certain Software Frameworks
• Metasploit Project
• BackBox
• Nmap
• Burp Suite
• Hping
What are the Processes or Phases in a Penetration Test?
The penetration test process mainly comprises 5 phases. They are as follows:
1.) Reconnaissance: This is the first phase. In this phase the hacker collects all the available information about the target system. This information helps to attack the target system more easily. E.g. a search engine is an open source of data which can be used to gather information for social engineering attacks.
2.) Scanning: This is the second phase of the penetration test. In this phase the hacker collects more information about the target system. You might be wondering whether this is the same as step 1. It is not: in this phase the hacker scans for open ports or any such vulnerabilities that will make it easier to attack the target system. E.g. Nmap is used to scan for open ports.
3.) Gaining Access: This is the third phase of the penetration test. In this step the hacker uses the information gathered in reconnaissance and scanning to exploit the target system using a payload. E.g. Metasploit can be used to run attacks against known vulnerabilities.
4.) Maintaining Access: This is the fourth phase. In this phase the hacker tries to maintain access for a longer period of time by taking the necessary steps, so that he can capture more and more data from the target system.
5.) Covering Tracks: This is the last phase of the test. What do criminals generally do after committing a crime? They hide everything to remain anonymous. Similarly, in this step the hacker clears all traces from the target system: log events and any type of data that got stored, in order to remain anonymous.
Now that the hacker has exploited the vulnerabilities of one system, they will try to gain access to other systems through it, and the process repeats: they look for new vulnerabilities and try to exploit them. This is referred to as pivoting.
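The scanning phase above is the one a defender sees most clearly in firewall logs, because a single source touches many ports in a short time. The following is an added example (not code from the article or from any tool) that flags such sources in a constructed log format of the form "<epoch> <src_ip> <dst_port> <action>"; the log lines, the window and the threshold are all assumptions for illustration.

```python
"""Added example: spot the scanning phase from constructed firewall logs."""
from collections import defaultdict

# Constructed sample log: one host probing many ports within seconds,
# plus two ordinary hosts that each talk to a single service.
SAMPLE_LOG = """\
1700000000 10.0.0.5 22 DENY
1700000001 10.0.0.5 23 DENY
1700000001 10.0.0.5 25 DENY
1700000002 10.0.0.5 80 ALLOW
1700000002 10.0.0.5 443 ALLOW
1700000003 10.0.0.5 3306 DENY
1700000003 10.0.0.5 8080 DENY
1700000004 10.0.0.5 8443 DENY
1700000000 10.0.0.9 443 ALLOW
1700000050 10.0.0.9 443 ALLOW
1700000100 10.0.0.7 80 ALLOW
"""

def parse(line):
    """Split one constructed log line into (timestamp, src, port, action)."""
    ts, src, port, action = line.split()
    return int(ts), src, int(port), action

def find_scanners(log_text, window=60, min_ports=5):
    """Return {src_ip: sorted distinct ports} for every source that touched
    at least `min_ports` distinct ports inside some `window`-second span."""
    events = defaultdict(list)   # src -> [(ts, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, port, _ = parse(line)
        events[src].append((ts, port))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window so that evs[start:end+1] spans <= window seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                hits[src] = sorted({p for _, p in evs})
                break
    return hits

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {ports}")
```

Real firewall or IDS logs have their own formats, so only `parse` would need to change to run this over them.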
What are Vulnerabilities?
If a hacker has to perform a task on a low budget and in a short time, then fuzzing is a technique that can be used to discover vulnerabilities in a system. In fuzzing the tester feeds random inputs to the program to trigger unhandled errors, and uses those random inputs to reach code paths that are rarely exercised. Well-trodden paths are usually free of errors. Errors are useful because they expose more information; for example an HTTP server can be crashed, and tracing the crash backwards reveals details about it. Some errors are also directly useful in themselves, such as a buffer overflow.
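To make the fuzzing idea concrete, here is an added example (not from the article) of a tiny random-input fuzzer run against a constructed config-line parser that handles its well-trodden path but has an unhandled edge case. The parser, its defect and the input alphabet are all assumptions made for illustration; the point is that the unhandled exceptions the fuzzer records are exactly the "errors" the text says expose a weakness.

```python
"""Added example: a minimal random-input fuzzer against a constructed parser."""
import random
import string

def parse_setting(line):
    """Constructed parser for lines such as 'port=8080'.
    The normal path works; malformed input is not handled."""
    key, value = line.split("=")        # raises if '=' is missing or repeated
    if key.strip() == "port":
        return key.strip(), int(value)  # raises on a non-numeric port
    return key.strip(), value.strip()

def random_input(rng, alphabet=string.ascii_lowercase + "0123456789= ", max_len=12):
    """Build one random string from the constructed alphabet."""
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(0, max_len)))

def fuzz(target, iterations=2000, seed=1):
    """Feed random strings to `target` and return a dict mapping each
    exception type seen to the first input that triggered it.
    A fixed seed keeps the run reproducible, so a finding can be replayed."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        sample = random_input(rng)
        try:
            target(sample)
        except Exception as exc:         # an unhandled error is a finding
            crashes.setdefault(type(exc).__name__, sample)
    return crashes

if __name__ == "__main__":
    for name, trigger in fuzz(parse_setting).items():
        print(f"{name} triggered by {trigger!r}")
```

Fixing the parser means validating the input shape (exactly one "=", numeric port) and returning a clear error instead of letting the exception escape, after which the same fuzz run should report nothing.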
What is a Payload?
In Metasploit terminology, a payload is the code that is delivered to and runs on the target once an exploit succeeds. Payloads are used for capturing keystrokes, taking screenshots, stealing or altering data, installing adware and creating backdoors through shellcode. Some companies maintain large databases of exploits and tools which automatically test the target system for any kind of vulnerability. For example:
• Metasploit
• Nmap
• Nessus
• w3af
• OpenVAS
Conclusion
In this article we learnt what a Penetration Test is. I hope you have understood it. It has always been my practice to give my readers complete information on a topic so that they don't have to search anywhere else for it.
This also saves their time, and they get all the information in a single place. If you have any query regarding this article, or you want some modification to it, then tell us by commenting below.
I hope you have liked this article on what a Penetration Test is. If you have liked it then please share it with your friends and with those who are interested in hacking. Also, share it on social sites so that it benefits everyone. Keep visiting, and thanks for reading.