The Types of Pentests You Must Know About
Penetration testers are hired to compromise your security, identify vulnerabilities, and provide you solid recommendations for hardening your security posture. But, are you familiar with the various types of pentests that are employed?
Here are the seven most common types of penetration tests you could explore for your next security engagement.
Reconnaissance, Intelligence Gathering or Open Source Intelligence (OSINT) Gathering
An important first step in penetration testing is Intelligence Gathering also known as Open Source Intelligence (OSINT) gathering. Intelligence gathering is perhaps the most important capability of a pentester. The ethical hacker works to learn the ins and outs of the environment and find out as much information as possible about an organization before beginning a series of different penetration tests.
It’s during this phase that the penetration tester uncovers possible weaknesses and entry points within the security posture of the organization, including the network, applications, website and wireless networks, physical facilities, cloud-based systems, employees, and more.
Are you wondering how a penetration tester can find out so much information about a company before performing a penetration test? Take a look at this OSINT Framework that details all the areas in which a testing professional might look for open information
1. Network Penetration Testing and Exploitation
After the penetration tester performs Intelligence gathering and threat modeling, the tester completes a series of network tests. Network testing is usually the most common method of penetration testing. Once a hacker obtains access to the network, 90% of the obstacles are removed for a threat actor.
A pentester can conduct an internal and external network exploitation. This allows them to emulate a successful hacker that’s been able to penetrate the external network defenses. This gives them an opportunity to explore many facets of the security posture of an organization.
Network testing typically includes:
- Bypassing Firewalls
- Router testing
- IPS/IDS evasion
- DNS footprinting
- Open port scanning and testing
- SSH attacks
- Proxy Servers
- Network vulnerabilities
- Application penetration testing
Application testing is another common type of pentest. Within application penetration testing, the ethical hacker searches for vulnerabilities within all your server applications.
Typical applications for exploit include:
- Web Applications
- Languages
- Java
- PHP
- .NET
- Languages
- APIs
- Connections
- XML
- MySQL
- Oracle
- Frameworks
- Systems
- SAP
- CRM systems
- Logistics
- Financial systems
- HR systems
- Mobile applications
This testing goes even further than the typical network penetration test and identifies vulnerabilities within these common business applications.
2. Website & Wireless Network Penetration Testing
Through this penetration test type, the devices and infrastructure within the wireless network are tested for vulnerabilities.
The pentester will commonly exploit these areas during a wireless network penetration test:
- Wireless encryption protocols
- Wireless network traffic
- Unauthorized access points and hotspots
- MAC address spoofing
- Poorly used or default passwords
- Cross-site scripting
- SQL injections
- Denial of Service (DoS) attacks
- Web server misconfiguration
- The website and/or web server for sensitive customer data
- The web server(s) using malware to obtain deeper access into your network
Poorly secured wireless networks are often used to hack into organizations. There are countless ways for a threat actor to use multiple vulnerabilities within your website and wireless network to obtain sensitive data.
3. Physical penetration testing
You might not think of this as vulnerability, but your physical security controls can be an open door for cybercriminals.
During this a physical penetration test, the pentester will attempt to gain access to the facility through:
- RFID & Door Entry Systems
- Lock-picking
- Personnel or vendor impersonation
- Motion sensors
Often, a physical penetration test is performed with some form of social engineering. A pentester may need to deceive or manipulate your employees to obtain physical access to the facility. This leads us to our next type of penetration test.
4. Social Engineering Tests
Your security is only as strong as the weakest link in your chain. People make mistakes and can be easily manipulated. The weakest link is often your employees. Social engineering is one of the most prevalent ways in which threat actors can infiltrate your environment.
The most common types of social engineering tactics used by ethical hackers are:
- Phishing attacks
- Imposters – fellow employees, external vendors or contractors
- Tailgating
- Name-dropping
- Pre-texting
- Gifts
- Dumpster Diving
- Bluesnarfing
- Eavesdropping
A social engineering test is helpful for telling you about vulnerabilities in your human capital. Not only that, but social engineering is one of the most vital skills used by threat actors. Deception, manipulation, and influence are all skills commonly used by attackers to covertly persuade your employees into providing access to systems and data.
5. Cloud penetration testing
Public cloud services have become increasingly popular for compute, networking and storage. Companies and employees may be able to store backups and all types of data in the cloud. This makes it a prime target for hackers.
But, with the ease of cloud deployments comes complexities in handling cloud security as well as legal obstacles. Not to mention, many public cloud providers have a hands-off or shared responsibility approach to security, forcing the organization to take responsibility for the cloud security.
If your organization wants to perform a cloud penetration test, you may need to notify the cloud provider your intent to carry out the test. Be sure to ask the cloud provider about what areas are off limits. For instance, AWS only permits testing on EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail and DNS Zone Walking and small and micro RDS instances as well as small, micro, and nano EC2 instance types are not permitted.
Once you have the approval from the cloud provider, you may be able to proceed with pentesting.
Some of the common testing areas for cloud services include:
- Compute security
- Applications and API access
- Database and storage access
- Encryption
- VMs and unpatched Operating Systems
- SSH and RDP remote administration
- Poorly used firewalls
- Poorly used passwords
Public cloud penetration testing can be a bit difficult. In this situation, you will likely want to employ white box testing, having more knowledge about the environment before testing. Public cloud service providers often restrict or limit a customer’s ability to perform penetration tests because of the multi-tenant or shared nature of Infrastructure as a Service (IaaS).
Be aware that if you’re a Microsoft Azure customer, you must comply with the Microsoft Cloud Unified Penetration Testing Rules of Engagement documentation to start pentesting. If you’re an Amazon Web Services (AWS) customer, you will need to fill out the AWS Vulnerability / Penetration Testing Request Form.
Performing these various pentest types can help you pinpoint the weaknesses you want to improve your security posture. Performing regular penetration tests will be essential to your overall security strategy. A pentest gives you an idea how strong your security posture is and the areas you can improve with actionable recommendations.
Great Article on Types of Pentests!