
Five Types Of Penetration Test To Zero In Potential Vulnerabilities

Penetration Testing:
A penetration test, or pen test, is an intentionally planned attack on a software or hardware system that seeks to expose inherent security flaws which may violate system integrity and end up compromising users’ confidential data. In this post, we discuss the different types of penetration tests so that you know what to cover, can estimate the effort, and can execute efficiently.
The scope of a penetration test (i.e. the level of intrusion) derives from the kind of operation you wish to explore on the target system. Therefore, a security tester must think thoroughly and decide upon the most relevant type of penetration test. Hence, knowing the different types of pen tests is expected of a good pen tester.
Primarily, penetration tests split up into the following five categories.
  1. Network Service Tests.
  2. Web Application Tests.
  3. Client Side Tests.
  4. Wireless Network Tests.
  5. Social Engineering Tests.
Five Types Of Penetration Test For Successful PenTesting:
1. Network Service Tests:
This type of pen test is the most common requirement for pen testers. It aims to discover vulnerabilities and gaps in the client’s network infrastructure. Since the network could have both internal and external access points, it is mandatory to run tests locally at the client site and remotely from the outside world.
The testers should target the following network areas in their penetration tests.
  • Firewall config testing.
  • Stateful analysis testing.
  • Firewall bypass testing.
  • IPS deception.
  • DNS-level attacks, which include:
  • Zone transfer testing.
  • Switching or routing based testing.
  • Any miscellaneous network parameter testing.
Also, the penetration test should cover the following set of software modules.
  • SSH client/server tests.
  • Network databases like MySQL/SQL Server.
  • Exchange or SMTP mail servers.
  • FTP client/server tests.
2. Web Application Tests:
It is more of a targeted test, and also more intense and detailed. Areas like web applications, browsers, and their components like ActiveX, Applets, Plug-ins, and Scriptlets fall within the scope of this type of pen testing.
Since this test examines the endpoints of each web app that a user might have to interact with on a regular basis, it needs thorough planning and time investment.
Also, with the increase in threats coming from web applications, the ways to test them are continuously evolving.
3. Client Side Tests:
  • The goal of these tests is to pinpoint security threats that emerge locally. For example, there could be a flaw in a software application running on the user’s workstation which a hacker can easily exploit.
  • These may be programs or applications like PuTTY, Git clients, sniffers, browsers (Chrome, Firefox, Safari, IE, Opera), and even presentation and content creation packages like MS PowerPoint, Adobe PageMaker, Photoshop, and media players.
  • In addition to third-party software, threats could be homegrown. Using uncertified OSS (open source software) to create or extend homemade applications could cause severe threats that one can’t even anticipate. Therefore, these locally developed tools should also pass through the penetration test cycle.
4. Wireless Network Tests:
This test intends to analyze the wireless devices deployed on the client site. The list of devices includes items like tablets, laptops, notebooks, iPods, smartphones, etc. Apart from the gadgets, the penetration tester should consider preparing tests for the following.
  • Protocols used for configuring wireless – It’ll help find out the weak areas.
  • Access points for the wireless setup – It’ll help identify the ones violating the access rights.
  • Usually, such tests should take place at the customer end. The hardware used to run pen tests needs to connect to the wireless system to expose vulnerabilities.
5. Social Engineering Tests:
This type of test also runs as an important part of penetration testing. It paves the way for verifying the “Human Network” of an organization. This pen test imitates attacks that the employees of a company could attempt in order to initiate a breach. It can further split up into two subcategories.
  • Remote Tests: It intends to trick an engineer (employee) into compromising confidential data using electronic means. The tester could conduct such an attack via a phishing email campaign.
  • Physical Tests: This type of test requires direct contact with the subject to retrieve the sensitive information. It might involve human handling tactics like Dumpster Diving, Imitation, Intimidation, or convincing the subject via phone calls.
  • Please note that you must inform the appropriate people before conducting the social engineering penetration test. Also, remember to emulate a real-world exploit instead of playing out a movie scene.
Summary – Five Types Of Penetration Test For Successful PenTesting
A penetration test not only assists in discovering the actual and exploitable security threats but also provides their mitigation. By performing a pen test, we can make sure to identify which vulnerabilities are critical, which are not significant, and which are false positives. We hope that you now know the potential areas to begin designing the perfect penetration tests.
