Web Penetration Testing. Radhi Shatob

Read the book Web Penetration Testing by Radhi Shatob online, page 4


about the target system and usually takes the approach of an uninformed attacker. A black box pen-test simulates a realistic scenario, but some areas of the infrastructure may not be tested, and it does not cover penetration attempts by an informed attacker.

White Box Pen-test

A white box penetration test is a pen-testing approach that uses knowledge of the internals of the target system to elaborate the test cases. For example, in an application penetration test the source code of the application is usually provided along with design information, and in an infrastructure pen-test network diagrams, infrastructure details, etc. are provided.

The goal of a white box test is to provide as much information as possible to the pen-tester so that he or she can gain an inside understanding of the system and elaborate the test cases based on it. The advantages of a white box pen-test are that it allows deep and thorough testing, makes the best use of the testing time, extends the tested area, and is still realistic enough.

Gray Box Pen-test

In a gray box penetration test the pen-tester has partial knowledge of the target system, and the test checks whether this knowledge allows him to penetrate and gain access to the system. Gray box testing is also called gray box analysis, a strategy for software debugging in which the tester has limited knowledge of the internal details of the program.

Gray box testing is non-intrusive and unbiased because it does not require the tester to have access to the source code. With respect to internal processes, gray box testing treats a program as a black box that must be analyzed from the outside. During a gray box test, the tester may know how the system components interact but not have detailed knowledge of internal program functions and operation. A clear distinction exists between the developer and the tester, which minimizes the risk of personnel conflicts.

Planning Penetration Testing

Once a penetration tester (pen-tester) gains approval to perform a penetration test, a great deal of thought and consideration is needed. Poor planning of a penetration test can have serious consequences for the network and systems, causing unwanted business disruption that might lead to permanent harm. The planning of a pen-test is divided into four steps:

Identifying the Pen-test Purpose

The first step of planning a pen-test is identifying the needs of the customer (the customer is the owner of the IT system). The customer's basic need is to identify the weaknesses in the information systems and take measures before a real attack occurs, but here we should find the methods and targets according to the customer's sensitive topics, for example:

- Who is the most important threat for the customer, an insider employee of the company or an outsider?
- What is the most important asset that the customer wants to protect?
- What can an inner threat do to the IT infrastructure?
- Is it possible to extract plain data from the customer database?

Scope of Penetration Testing

There are different areas of the IT systems that may be subject to a pen-test. The customer should decide the scope of the pen-test and what should be tested, under the guidance of the pen-tester. Some of the areas that the pen-tester should go through and agree with the customer to be part of the pen-test are:

- Internet (external) network.
- Internal network.
- Web applications.
- Servers.
- Network devices.
- Database management systems.
- Applications.
- Social engineering.
- DDoS.
- Physical security.
- And more, depending on the customer environment.

Requirements

Pen-test requirements are the preparation of the things that the pen-tester needs in order to do the work. Both the pen-tester and the company should be prepared for the pen-test. On the pen-tester's side:

- Hardware (laptop, external servers, external disks, USB sticks, wireless cards, etc.)
- Software tools.

The customer should have the following in place before the pen-test:

- A monitoring solution to detect the attack.
- Backups (since a pen-test carries some risk, a backup of critical systems should be taken prior to the pen-test).
- An emergency response plan; the customer should be ready for service interruption.

Restrictions

A pen-tester can do anything in the system during the pen-test only under a written agreement in which the customer defines the rules of engagement and the restrictions, and after the pen-tester has signed a Non-Disclosure Agreement (NDA).

The rules of engagement are:

- Scope.
- Total duration.
- Attack times (during business hours or outside business hours).
- Methods (e.g. no DDoS against DBMS systems).
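The four rules-of-engagement elements above (scope, total duration, attack times, excluded methods) can be encoded so that every planned action is checked against the signed agreement before it is carried out. The following is an added example, not code from the book; the class, its field names and all sample values (the 10.20.0.0/24 scope, the dates, the DBMS host) are constructed for illustration.

```python
# Added example (not from the book): a rules-of-engagement (RoE) checker built
# from the four RoE elements the text lists. All sample values are constructed.
from dataclasses import dataclass, field
from datetime import datetime, time
import ipaddress

@dataclass
class RulesOfEngagement:
    scope: list                      # CIDR strings the customer signed off on
    start: datetime                  # total duration of the engagement
    end: datetime
    attack_hours: tuple              # (earliest, latest) permitted time of day
    excluded_methods: dict = field(default_factory=dict)  # asset class -> forbidden methods
    asset_classes: dict = field(default_factory=dict)     # host -> asset class

    def in_scope(self, host: str) -> bool:
        addr = ipaddress.ip_address(host)
        return any(addr in ipaddress.ip_network(c) for c in self.scope)

    def in_window(self, when: datetime) -> bool:
        earliest, latest = self.attack_hours
        return self.start <= when <= self.end and earliest <= when.time() <= latest

    def method_allowed(self, host: str, method: str) -> bool:
        cls = self.asset_classes.get(host, "default")
        return method not in self.excluded_methods.get(cls, set())

    def check(self, host: str, method: str, when: datetime) -> list:
        """Return the RoE violations for a planned action (empty list = allowed)."""
        problems = []
        if not self.in_scope(host):
            problems.append(f"{host} is outside the agreed scope")
        if not self.in_window(when):
            problems.append(f"{when:%Y-%m-%d %H:%M} is outside the agreed attack times")
        if not self.method_allowed(host, method):
            problems.append(f"{method} is not permitted against {host}")
        return problems

# Constructed sample RoE: one internal /24, a two-week engagement, testing only
# outside business hours, and the book's own restriction: no DDoS to DBMS hosts.
ROE = RulesOfEngagement(
    scope=["10.20.0.0/24"],
    start=datetime(2024, 3, 4), end=datetime(2024, 3, 15, 23, 59),
    attack_hours=(time(18, 0), time(23, 0)),
    excluded_methods={"dbms": {"ddos"}},
    asset_classes={"10.20.0.50": "dbms"},
)
```

Call `ROE.check(host, method, when)` before each planned action; a non-empty result lists every rule the action would break, so an out-of-scope host tested during business hours is reported with both violations at once.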

Penetration Test Phases

A penetration test consists of five phases:

- Reconnaissance phase: passive information gathering of preliminary data or intelligence about a target system; the data is gathered in order to plan the attack.
- Scanning phase: requires the application of technical tools to gather further intelligence on the target system, but in this case the data gathered is about the systems that the customer has in place; a good example is the use of a vulnerability scanner on a target network.
- Exploitation and post-exploitation phase: this phase, also known as gaining access, requires taking control of one or more network devices in order to either extract data from the target or use that device to launch attacks on other targets. The purpose of the post-exploitation phase is to determine the value of the compromised machine and maintain control for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machine's usefulness in further compromising the network.
- Covering tracks phase: simply means that the attacker must take the steps necessary to remove all traces that could lead to detection; any changes that were made, privilege escalations, etc. must all be returned to a state that the host and network administrators will not recognize.
- Reporting phase: the report is the proof of the pen-tester's actions during the pen-test; it is where the pen-tester reports the findings and shares recommendations to remediate the vulnerabilities and weaknesses.
