Penetration Testing

Penetration testing is a method of evaluating the security of an information system or network by simulating an attack to find out vulnerability that an attacker could exploit.

Security Measures are actively analyzed for design weaknesses, technical flaws and vulnerabilities.

A penetration test will not only point out vulnerabilities, but will also document how the weaknesses can be exploited.

The results are delivered comprehensively in a report, to executive management and technical audiences.

Why Penetration Testing

Identify the threats facing an organization’s information assets.

Reduce an organization’s expenditure on IT security and enhance Return On Security Investment(ROSI) by Identifying and remediating vulnerabilities or weaknesses.

Provide assurance with comprehensive assessment of organization’s security including policy, procedure, design, and implemention.

Gain and maintain certification to an Industry regulation.

Adopt best practices in compliance to legal and industry regulations.

For testing and validating the efficacy of security protections and controls.

For changing or upgrading existing infrastructure of software, hardware, or network design.

Focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management.

Provide a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.

Evaluate the efficacy of network security devices such as firewalls, routers, and web servers.

In a classic penetration test of web applications, different types of attacking techniques are used to find vulnerabilities and use them to break into systems. However, the Web is a growing field, and newer technologies are added every now and then. Any penetration tester conducting a test on a web application needs to be aware of newer techniques in the domain so that the latest classes of issues don’t remain unpatched; at the same time, the old techniques must be extrapolated for better outcomes. This book is an attempt to achieve both in order to impart newer techniques, such as XML attack vectors, which include the recently popular XXE attack. Then we have OAuth 2.0, which varies with implementations, and this results
in flaws, such as account takeovers. Among older techniques, we have XSS, CSRF, and Metasploit Framework (relevant to web) to name a few. The content I have added here in this book will help augment the already understood concepts in depth.

You Missed Read to Computer Viruses , Hack Android Phone

Types of Penetration Testing

No prior knowledge of the infrastructure to be tested.

Computer knowledge of the infrastructure that needs to be tested.

Limited knowledge of the infrastructure that needs to be tested.

Phases of PenTest

Planning and preparation

Methodology designing

Network information gathering

Penetrating perimeter

Acquiring target

Escalating privileges

Execution, implantation, retracting.

Reporting

Clean-up

Artifact destruction

Originally published at https://exploitbyte.com on October 30, 2019.