Penetration test (computer science)
Penetration test , or pentest (ing) for short , is the technical term for a comprehensive security test of individual computers or networks of any size. The security expert in information technology understands a penetration test to be the testing of the security of all system components and applications of a network or software system using means and methods that an attacker (coll. " Hacker ") would use to penetrate the system without authorization (penetration). The penetration test thus determines the sensitivity of the system to be tested to such attacks. An essential part of a penetration test are tools that help to reproduce as many attack patterns as possible that arise from the numerous known attack methods.
The type of security test is based on the potential danger of a system, network or application at risk, which means that, for example, a web server has a higher risk priority than a simple word processor. The auxiliary tools for penetration tests are correspondingly numerous and accordingly such comprehensive security tests should only be carried out by experienced security researchers or system administrators who know what they are doing, what events they are causing and what results they want to achieve with them.
The term penetration test is sometimes mistaken for an automatic vulnerability scan ( vulnerability Engl. And technical terminology for vulnerability ) used. While this is largely automatic, a real penetration test requires manual preparation in the form of examining the test object, planning the test procedure and goals, selecting the necessary tools and finally carrying out the test. The security scan, in turn, differs from the vulnerability scan in that it manually verifies the test results. The use of the respective terms is often inconsistent in the semi-professional area, while in the professional world of security researchers and specialist companies, standards for performing penetration tests are accepted and recognized worldwide.
The goals of a penetration test are:
- the identification of weak points
- the detection of potential errors resulting from the (incorrect) operation
- increasing security on a technical and organizational level and
- confirmation of IT security by an external third party.
However, due to the constant change in threat patterns and security-relevant factors in information technology, a penetration test should be understood more as a snapshot. In extreme cases, a system can be vulnerable again to a new security hole immediately after the vulnerabilities uncovered by the test have been eliminated. However, a test usually also reveals the causes that lead to the problems identified (e.g. lack of staff). However, it is usually the responsibility of the operator of the tested systems and applications to remedy the causes. The remedial measures range from better support of the systems and applications to shutdown or sale.
Social engineering penetration test
Since potential attackers do not only attack the computers and databases of companies from outside via the network, but also try to get information and access through social engineering via employees, there are special penetration tests that deal with this topic. These tests are designed to find weak points in companies and then to make serious attacks more difficult through training and clarification.
Test setup and implementation
The German Federal Office for Information Security (BSI) has developed a classification scheme that can be used to describe a test. Essentially, six different criteria are considered:
- Information base
- starting point
Based on these criteria, an individual test is then put together with the customer. In practice, multi-stage tests are usually carried out in which several criteria are applied one after the other. For example, a black box test is carried out first and then a white box test . Individual test modules are carried out in the test itself. A distinction is made between I and E modules for the test modules. I-modules denote test steps that are used purely to obtain information, E-modules denote active intrusion attempts. An E-module is usually preceded by a corresponding I-module.
Penetration and other security tests may only be carried out in Germany, Austria and Switzerland (as well as other countries) if this has been agreed between the organization to be tested and the organization performing the test. This is due to the fact that individual tests can be criminal offenses. An example for Germany is the spying of data - in order to avoid criminal prosecution, the test person must be given clear authorization. This always applies if the test taker does not have permission to access data that he could read out in the course of a test, regardless of his position or employment.
The commissioning organization can only commission penetration tests for objects that are under its authority. Specifically, this means that an organization may not commission third parties to test third-party networks. You must therefore clarify the subject of the test before starting the test and seek legal advice if this is not possible. This also applies to the testing of services that it obtains.
Nowadays, a very large part of both the IT infrastructure and the Internet activities are typically obtained in the form of services with a wide variety of contractual relationships (rental, leasing, etc.) - this can also be the case within a company. Even hardware (e.g. routers and firewalls) that are physically located in a company's buildings need not necessarily belong to it. Such information is therefore not available from the testing organization, which is why this task falls to the client.
The BSI recommends a five-step process when performing a penetration test. The preparation phase serves to set common goals and set up the test with the customer. In the information acquisition phase, the security analyst tries to obtain as much information as possible about the system under test. The information obtained is then subjected to an evaluation . Only then are active intrusion attempts made. The results are then collected and bundled in the form of a report . This report also includes recommendations on how to deal with any security issues. Accompanying all five phases, meticulous documentation of the individual work steps is necessary.
During the test, normal IT operations can be disrupted. For example, DoS attacks aim to prevent access to individual services, computers or network segments. If DoS attacks are simulated as part of a module, this should take place outside of the system's usage times. Even with ordinary I or E modules, individual systems may crash. In the preparation phase, an agreement must be made between the client and the customer as to how the knowledge obtained will be dealt with. In this way, the testers could obtain company-critical information during the test.
The implementation of penetration tests can be supported by various software products. These include port scanner such as Nmap , Vulnerability Scanner as Nessus , sniffers like Wireshark , packet generators such hping 2.3 or Mausezahn and password crackers like John the Ripper . In addition, more and more tools are available that have been specially developed for security tests, often come from the open source area due to the verifiability of the source code and are tailored to very specific test areas.
For example, ARP0c is a connection interceptor that works with an ARP spoofing and bridging module. ARP requests from any source in a network are provided with forged ARP requests in order to reach the host that is sending ARP0c packets. Packets from this host are forwarded to an internal module, and the normal address is forwarded in order to maintain a normal network connection. With the help of the tool, man in the middle monitoring is possible. The aim of the deployment is to test firewall rules that are based on a stateful packet inspection and should discard ARP packets with external IP addresses.
Another example of such a specialty tool is the egressor . Egressor is a free tool developed by MITER for checking the configuration of Internet point-to-point routers. Egressor helps companies to configure routers insensitive to Denial-of-Service attacks (DoS). The egress filter system reduces the risk of a network becoming part of distributed denial-of-service attacks (DDoS).
Comprehensive tool collections for penetration tests are increasingly being offered, which are usually put together by experienced security specialists and work on the basis of a stable Linux distribution that is offered as a live CD. The advantage of such penetration test distributions is that all relevant tools are available under one common interface. In addition, they are usually preconfigured and ready to use. A good example of such live CDs is the Kali Linux distribution, which was merged from two independent projects and currently represents the measure of all things, because it is really complete and contains all the tools that are required for extensive security tests.
The numerous tools that can be used for penetration tests can be divided into the following categories:
- Many tools only check a single vulnerability.
- Vulnerability scanners often automatically check a number of application- or protocol-based vulnerabilities. Some can be expanded with your own scripting languages .
- Some programs originally or in addition to their function in penetration tests are also used for general network management . B. some scanners and sniffers .
- Normal programs that are supplied with the operating system can also be used by a penetration tester during an examination.
The BSI provides a collection of such tools under the name BSI OSS Security Suite free of charge. Specialized Linux Live CDs such as PHLAK , Pentoo , Std or Kali Linux (formerly BackTrack , before that Auditor LiveCD and WHAX Linux) contain a multitude of useful tools. Other well-known tools for penetration tests are the Attack Tool Kit (ATK) or Metasploit .
The quality and informative value of a penetration test can hardly be determined by the tools used; they are primarily dependent on the accuracy of the assumptions made (“scenario”) and the structured implementation.
- Federal Office for Information Security, Practical Guide: IT Security Penetration Test
- Federal Office for Information Security, study on the implementation of penetration tests (PDF file; 1.07 MB)
- SecurityFocus Penetration Testing List Archive
- Kali Linux project page
- Pen test tool for Android
- Security Focus Pen Test Mailing List
- The great Application Security Penetration Test FAQ for clients