
Development doesn’t happen suddenly; if it did, it would not be development. Any of the highest-grossing companies, Google for example, has its earlier and later phases. Just like companies, the Internet also had its earlier phase. During that phase, not everything was as well secured and equipped as it is today. Vulnerabilities have existed at all times, even now. But in those days, confidential information was passed over less secure protocols such as FTP, HTTP, Telnet, etc. Haven’t heard of those protocols? You can refer here! Coming to the point, finding vulnerabilities became prominent at every level of the network. The data was at times physically stored on the server, and if anyone got hold of that server, the complete information would be exposed. So, to find the flaws, technically called vulnerabilities, systems have to be checked and a report has to be recorded on the possible risks. This is how the term VAPT, for Vulnerability Assessment and Penetration Testing, started.
We shall now look at the details of penetration testing.
Penetration Testing (Pentest)
VA and PT are often referred to as the same thing, but they differ in minor ways. Penetration Testing is the process of assessing a system’s vulnerabilities from the attacker’s perspective, but legally. This includes active analysis of the system for flaws, deficiencies and any security issues. At the end, PT gives a complete report on the seriousness of the vulnerabilities and the risk if they are exploited. This is the same as hiring a man to commit a theft to know how safe we are!
Types of Penetration Tests:
- White Box Testing: The pentesters are provided with information about the company, such as IP addresses, network infrastructure and sometimes source code as well, before they actually perform the testing. This method can also be implemented in conjunction with the security experts of the targeted company.
- Black Box Testing: Here the pentesters test the way attackers would. No information is provided to the testers other than the name of the company. The testers have to find their own way into the company. So, it is also termed Blind Testing.
- Double Blind Testing: Only one or two people are aware of the test being conducted. The security specialists of the company respond to the attack being performed without prior knowledge of the verification procedure. This type of testing is useful for testing the security monitoring of the company and the response of its experts. Pentesters are advised to have the appropriate documents to avoid any litigation.
- Internal Testing: Internal testing is a simulation performed by the tester to identify the risk from an aggrieved authorized employee behind the company’s firewall. Such an employee can hold confidential data that can cause unrecoverable damage.
- External Testing: The ethical hackers here focus on company assets like websites, applications, external servers, etc. They attack the company’s websites and assess how an attacker could remotely access its systems and cause destruction.
- Targeted Testing: The testing process is performed by both the testers and the security team of the company. This provides real-time feedback from the hacker’s perspective to the security team. Since this test can be seen by everyone, it is also termed the “lights turned on” approach.
Stages of Pentesting
- Planning: This stage involves defining the scope of testing, including the testing methods to be used. Information gathering about the target also falls in this stage. The gathered information is used to better understand the architecture of the network.
- Analysis or Scanning: The targeted applications are searched for vulnerabilities using certain tools developed by the pentesting company.
- Gaining Access: This stage uses different attacks, like SQL injection, cross-site scripting, backdoors, etc. (we will get to know them soon), to exploit the vulnerabilities and gain access to the system. This helps in estimating the damage an intruder can cause.
- Maintaining the Access: The goal of this stage is to see if the vulnerability can be used to achieve a persistent presence in the exploited system, long enough for an attacker to gain in-depth access. If an attacker can stay in a network for a long time, he will be able to steal huge amounts of sensitive data.
- Formation of the Report: The final stage includes preparing a report that covers all the tests performed above and helps the security personnel patch the vulnerabilities and secure the network.
Read about Pentest Tools here!!
That is about Pentesting. We shall learn more about Vulnerability Assessment soon. Till then, have a Happy and Safe learning!
Stay Home Stay Safe!!