Tools Interact With a Target System in a Fashion Where Their Use Can Be Detected
This likely isn't the first blog post you've read explaining penetration testing. It's not even the first blog post I've written on it. But it's in the CompTIA Security+ study guide, so gosh darnit, we're going to talk about it again.
Vulnerability scanning and penetration testing are ways of determining the effectiveness of security controls. They're similar activities, but have some differences, which–you guessed it–we'll cover here.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Penetration Testing Concepts
Penetration testing ("pen testing" from here on out) simulates an attack on a system from a malicious outsider. This is typically done by a security testing firm for a client. The firm and the client agree on what is in or out of scope. For example, social engineering attacks might be considered out of scope.
The goal is "to determine if an attacker can bypass your security and access your system." Pen tests also show which items are seemingly innocuous but can lead to serious risks. Additionally, they demonstrate how well-trained your employees are with regards to security.
Pen tests aren't about zero days or anything too esoteric. They're meant to mimic a real-world attack, so common/known methods are top of mind.
Active Reconnaissance
In a pen test (or "real" attack), you need to gather information on the target. This allows you to understand the system, and where vulnerabilities might exist. Active reconnaissance means that your information gathering directly interacts with the target network. This means that you might tip off the target. More info in this blog post.
Passive Reconnaissance
Passive reconnaissance is also about information gathering. However, passive means that it's done without sending traffic to the target. Because you aren't directly interacting with them, it's much less likely that you'll be noticed. Google and other search engines can be very useful in gathering information.
Passive vs. Active Tools
Likewise, the tools that you use for reconnaissance can be either active or passive. The difference is whether they directly interact with the target system or not. Nmap is an example of an active tool, and can be detected by the defender. Examples of passive tools include Tripwire and Wireshark. Active tools modify or send traffic to the target; passive tools only receive traffic.
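To show what "can be detected by the defender" looks like in practice, here is an added example (not code from the original post) of a small detector that flags the footprint an active tool such as a port scanner leaves in firewall logs: one source hitting many distinct ports on one host in a short window. The log format, hosts and thresholds are constructed for the example.

```python
"""Flag likely port scans in firewall logs (added example, not from the post).
The key=value log format below is constructed; adapt LINE_RE to your firewall."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: 10.0.0.5 probes seven ports in four seconds,
# 10.0.0.9 just talks to HTTPS like a normal client.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=22 action=deny
2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 dport=23 action=deny
2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=25 action=deny
2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.20 dport=80 action=allow
2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=443 action=allow
2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=3306 action=deny
2024-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.20 dport=8080 action=deny
2024-05-01T10:00:05 src=10.0.0.9 dst=10.0.0.20 dport=443 action=allow
2024-05-01T10:00:09 src=10.0.0.9 dst=10.0.0.20 dport=443 action=allow
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_scanners(log_text, min_ports=5, window=timedelta(seconds=10)):
    """Return {src: sorted distinct ports} for every source that touches at least
    min_ports distinct ports on a single destination within `window`.
    A sliding window over time-sorted events keeps the pass linear per (src, dst)."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(parse(log_text)):
        by_pair[(src, dst)].append((ts, port))
    hits = {}
    for (src, _dst), events in by_pair.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
    return hits


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {len(ports)} ports {ports}")
```

Tune `min_ports` and `window` to your environment; a vulnerability scanner or a monitoring system that legitimately polls many ports will trip the same rule and needs an allow-list.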
Pivot
Pivot is a phrase that gets my hackles up because it reminds me of some venture capital buzzword salad. Here, it means an attacker gaining access to one system, and then using that system to scan or attack other systems inside that network.
Initial Exploitation
Once you've done your reconnaissance, it's time to exploit things. The point of a pen test isn't to really destroy things. You do want to demonstrate the viability of an attack, however. Initial exploitation means demonstrating that a vulnerability is in fact present, and exploitable. But, you stop short of actual damage to the organization. One example might be exploiting a SQL injection vulnerability to bypass the login page.
Persistence
"Try harder." Persistence is both some type of virtue, and a CompTIA pen testing attribute. In mimicking real attacks, pen tests might also establish a foothold within the system. Similar to APTs (discussed in the threat actors section), pen testers might create ways to get back into a system after being detected.
Escalation of Privilege
Escalation of privilege means moving from a normal user account (and privileges) to higher levels of privileges. The ultimate goal is to go root privileges. As discussed in previous posts, this can be done by stealing credentials or exploiting other vulnerabilities.
Black Box
If an outsider were attacking your system, they probably wouldn't know much about the inner workings. The idea of "black box" testing is to simulate this and test the software with no knowledge of the inner workings. You're just throwing malformed or invalid inputs at it and seeing what happens. While this makes the attacker's job more difficult, it's more realistic. It also might allow them to think "outside the box" and think of scenarios that the developers did not.
White Box
You can probably guess that "white box" testing is the opposite. The attacker is given documentation and other info about the software. This lets them rule out huge classes of inputs as unnecessary. It might also let attackers come up with more sophisticated or specific attacks.
Gray Box
Gray box is some hybrid between black box and white box. So the tester has some information about the system, but that knowledge is incomplete.
Pen Testing vs Vulnerability Scanning
What's the difference between pen testing and vulnerability scanning? Pen testing is testing a system for vulnerabilities that can be exploited. Vulnerability scanning is scanning the system for vulnerabilities.
Vulnerability Scanning Concepts
We just covered this, but I guess we'll go over it again. Vulnerability scanning is the process of "examining your systems and devices for holes, weaknesses, and problems." The idea is to find your weaknesses before attackers do, Sun Tzu style. Once you know your weaknesses, you can address them by severity.
Passively Test Security Controls
While not the main point of vulnerability scanning, you (a tester) might accidentally trigger security controls during your search. This lets the customer know how well their controls are working in certain situations.
Identify Vulnerabilities
The main point, of course, is to find vulnerabilities. As with pen testing, zero days aren't the point here. We're looking for vulnerabilities that we can find. This means the vulnerabilities have to be known already. Testers will put all the vulnerabilities they find in a log or report.
Identify Lack of Security Controls
If you've found a vulnerability, either the vulnerability needs to be fixed/patched, and/or some kind of security control needs to be put in place so that the vulnerability can't be exploited. In finding vulnerabilities, you are also finding what security controls are missing or need improvement.
Identify Common Misconfigurations
A subclass of security control issues includes common misconfigurations. This might include default credentials. This gets covered more in the next section.
Intrusive vs Non-Intrusive
The scope of a scan will be determined at the start and signed off on by the customer. If a test is intrusive, that means that system data can be changed. Non-intrusive means that it can't be changed. This is a trade-off between "real world" accuracy and practicality for the customer (server reboots, sensitive data, etc.)
Credentialed vs. Non-credentialed
Credentialed scans mean that the attacker gets credentials to the system. This is less accurate to how a real attack would occur, but you get "more for your money" since more vulnerabilities will be found. Non-credentialed means the attacker is not given credentials (but may find them, or get in some other way).
False Positives and False Negatives
False positives and negatives aren't a new concept. If your scan returned a vulnerability that doesn't really exist, that's a false positive. If it fails to report a vulnerability that _does_ exist, that's a false negative.