Penetration Testing – Complete Guide with Sample Test Cases

What is Penetration Testing?
It is the process of identifying security vulnerabilities in an application by evaluating the system or network with the same techniques an attacker would use. The purpose of this test is to secure important data from outsiders, such as hackers, who could otherwise gain unauthorized access to the system. Once a vulnerability is identified, it is used to exploit the system and gain access to sensitive information, which proves the weakness is real.

Causes of vulnerabilities:
- Design and development errors
- Poor system configuration
- Human errors

Why Penetration testing?

- Financial data must be secured while it is transferred between different systems
- Many clients are asking for pen testing as part of the software release cycle
- To secure user data
- To find security vulnerabilities in an application

Penetration testing

It is very important for any organization to identify the security issues present in its internal network and computers. Using this information, the organization can plan its defense against hacking attempts. User privacy and data security are the biggest concerns nowadays. Imagine if a hacker managed to get the user details of a social networking site like Facebook. An organization can face legal issues due to a small loophole left in a software system. Hence big organizations look for PCI compliance certification before doing any business with third-party clients.

What should be tested?
- Software
- Hardware
- Network
- Process

Penetration Testing Types:

1) Social Engineering: Human errors are the main cause of security vulnerabilities. Security standards and policies should be followed by all staff members to defeat social engineering attempts. Examples of such standards include not disclosing any sensitive information in email or phone communication. Security audits can be conducted to identify and correct process flaws.

2) Application Security Testing: Using software methods, one can verify whether the system is exposed to security vulnerabilities.

3) Physical Penetration Test: Strong physical security methods are applied to protect sensitive data. This is generally useful in military and government facilities. All physical network devices and access points are tested for the possibility of a security breach.

Pen Testing Techniques:
1) Manual penetration test
2) Using automated penetration test tools
3) Combination of both manual and automated process
The third approach is the most common, as it helps identify all kinds of vulnerabilities.

Penetration Testing Tools:

Automated tools can be used to identify some standard vulnerabilities present in an application. Pentest tools scan code to check whether malicious code is present that could lead to a security breach. Pentest tools can also verify security loopholes in the system, such as weak data encryption techniques and hard-coded values like usernames and passwords.
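Hard-coded credentials are one of the loopholes the paragraph above says pentest tools look for (test case 25 in the checklist repeats the requirement). The following Python scanner is an added example written for this article, not code from the article or from any named tool; the identifier list, the placeholder rules and the sample source lines are assumptions made for the illustration.

```python
import re

# Constructed sample source (not from any real project): credential-like
# assignments mixed with values that must NOT be flagged (environment
# lookup, empty string, templated placeholder).
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
DB_USER = "app_user"
DB_PASSWORD = "Tr0ub4dor&3"
api_key = os.environ.get("API_KEY")
token = ""
admin_pass = "${ADMIN_PASSWORD}"
secret_key: 's3cr3t-k3y-9f8e7d'
"""

# Identifiers whose assigned literal deserves review (heuristic list).
CRED_NAME = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|user(?:name)?)"
# <identifier containing CRED_NAME> [=:] <quoted literal>; the literal is group 'val'.
CRED_RE = re.compile(
    rf"\b(?P<name>\w*{CRED_NAME}\w*)\s*[:=]\s*(?P<q>[\"'])(?P<val>.*?)(?P=q)",
    re.IGNORECASE,
)
# Literals that are clearly not live secrets: empty, templated or well-known dummies.
PLACEHOLDER_RE = re.compile(
    r"^$|^\$\{.*\}$|^<.*>$|^\{\{.*\}\}$|^(changeme|xxx+|todo)$", re.IGNORECASE
)


def mask(value: str) -> str:
    """Keep just enough of a literal to locate it; the report must not leak the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "*" * len(value)


def scan_source(text: str) -> list[dict]:
    """Return one finding per line that assigns a non-placeholder quoted literal
    to a credential-like identifier: line number, identifier and masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CRED_RE.search(line)
        if not m or PLACEHOLDER_RE.match(m.group("val")):
            continue
        findings.append({"line": lineno, "name": m.group("name"), "value": mask(m.group("val"))})
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['name']} = {f['value']}")
```

Run against the sample it reports lines 2, 3 and 7 and skips the environment lookup, the empty token and the templated placeholder; a real scan would walk the repository and feed each file to scan_source.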

Criteria to select the best penetration tool:
- It should be easy to deploy, configure and use.
- It should scan your system easily.
- It should categorize vulnerabilities by severity so that those needing an immediate fix stand out.
- It should be able to automate verification of vulnerabilities.
- It should re-verify exploits found previously.
- It should generate detailed vulnerability reports and logs.

Once you know what tests you need to perform, you can either train your internal test resources or hire expert consultants to do the penetration task for you.

Examples of free and commercial tools:
Nmap, Nessus, Metasploit, Wireshark, OpenSSL, Cain & Abel, THC Hydra, w3af
Commercial services: Pure Hacking, Torrid Networks, SecPoint, Veracode.

Limitations of pentest tools: Sometimes these tools flag false positives, which results in developers spending time analyzing vulnerabilities that are not actually present.

Manual Penetration Test:

It is difficult to find all vulnerabilities using automated tools. Some vulnerabilities can be identified only by a manual scan. Penetration testers can perform better attacks on an application based on their skills and their knowledge of the system being penetrated. Methods like social engineering can be carried out by humans only. Manual checking covers design and business logic as well as code verification.

Penetration Test Process:
Let’s discuss the actual process followed by test agencies or penetration testers. Identifying the vulnerabilities present in the system is the first important step in this process. Corrective action is taken on these vulnerabilities, and the same penetration tests are repeated until the system passes all of them.

We can categorize this process into the following steps:
1) Data collection: Various methods, including Google search, are used to get data about the target system. One can also analyze web page source code to learn more about the system and about software and plugin versions. Many free tools and services are available that can give you information like database or table names, DB versions, software versions, hardware used and the various third-party plugins used in the target system.

2) Vulnerability Assessment: Based on the data collected in the first step, one can find the security weaknesses in the target system. This helps penetration testers launch attacks using the identified entry points in the system.

3) Actual Exploit: This is the crucial step. It requires special skills and techniques to launch an attack on the target system. Experienced penetration testers use their skills to launch the attack on the system.

4) Result analysis and report preparation: After completion of the penetration tests, detailed reports are prepared so that corrective action can be taken. All identified vulnerabilities and the recommended corrective measures are listed in these reports. You can customize the vulnerability report format (HTML, XML, MS Word or PDF) as per your organization’s needs.

Penetration testing sample test cases (test scenarios):

Remember, this is not functional testing. In a pentest your goal is to find security holes in the system. Below are some generic test cases; they are not necessarily applicable to all applications.

------------

1) Check whether the web application is able to identify spam attacks on the contact forms used on the website.
2) Proxy server – Check whether network traffic is monitored by proxy appliances. A proxy server makes it difficult for hackers to get internal details of the network, thus protecting the system from external attacks.
3) Spam email filters – Verify that incoming and outgoing email traffic is filtered and unsolicited emails are blocked. Many email clients come with built-in spam filters which need to be configured as per your needs. These configuration rules can be applied to email headers, subject or body.
4) Firewall – Make sure the entire network and all computers are protected with a firewall. A firewall can be software or hardware that blocks unauthorized access to the system. A firewall can also prevent data from being sent outside the network without your permission.
5) Try to exploit all servers, desktop systems, printers and network devices.
6) Verify that all usernames and passwords are encrypted and transferred over a secured connection like HTTPS.
7) Verify the information stored in website cookies. It should not be in readable format.
8) Verify previously found vulnerabilities to check whether the fix is working.
9) Verify that there is no open port on the network.
11) Verify all telephone devices.
12) Verify Wi-Fi network security.
13) Verify all HTTP methods. PUT and DELETE methods should not be enabled on the web server.
14) Passwords should be at least 8 characters long and contain at least one number and one special character.
15) Usernames should not be like “admin” or “administrator”.
16) The application login page should be locked after a few unsuccessful login attempts.
17) Error messages should be generic and should not mention specific error details like “Invalid username” or “Invalid password”.
19) Verify that special characters, HTML tags and scripts are handled properly as input values.
20) Internal system details should not be revealed in any error or alert message.
21) Custom error messages should be displayed to the end user in case of a web page crash.
22) Verify the use of registry entries. Sensitive information should not be kept in the registry.
23) All files must be scanned before being uploaded to the server.
24) Sensitive data should not be passed in URLs while communicating between different internal modules of the web application.
25) There should not be any hard-coded username or password in the system.
26) Verify all input fields with long input strings, with and without spaces.
27) Verify that the reset password functionality is secure.
28) Verify the application for SQL injection.
29) Verify the application for cross-site scripting.
31) Important input validations should be done on the server side instead of relying on JavaScript checks on the client side.
32) Critical resources in the system should be available to authorized persons and services only.
33) All access logs should be maintained with proper access permissions.
34) Verify that the user session ends upon log off.
35) Verify that directory browsing is disabled on the server.
36) Verify that all applications and database versions are up to date.
37) Verify URL manipulation to check that the web application does not show any unwanted information.
38) Verify memory leaks and buffer overflows.
39) Verify that incoming network traffic is scanned for Trojan attacks.
40) Verify that the system is safe from brute force attacks – a trial-and-error method to find sensitive information like passwords.
41) Verify that the system or network is secured from DoS (denial-of-service) attacks. A hacker can target a network or a single computer with continuous requests so that resources on the target system get overloaded, resulting in denial of service for legitimate requests.
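Several of the checklist items above can be evaluated against a single HTTP response: cookie protection and readability (7), enabled HTTP methods (13), login error messages that name the wrong credential (17) and disclosure of internal details (20, 21). The Python checker below is an added example written for this article, not code from the article or from any named tool; the response text is constructed and the detection patterns are heuristics assumed for the illustration.

```python
import re

# Constructed HTTP response (not captured from any real site): a failed login
# that exhibits several of the weaknesses the checklist above asks testers to look for.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "Allow: GET, HEAD, POST, PUT, DELETE\r\n"
    "Set-Cookie: sessionid=9f86d081884c7d65; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: role=admin; Path=/\r\n"
    "\r\n"
    "<p>Invalid password for user bob.</p>\n"
    "<pre>Fatal error: Uncaught PDOException in /var/www/app/db.php:42</pre>\n"
)

VERSION_RE = re.compile(r"/\d+(\.\d+)+")          # Apache/2.4.29, PHP/7.2 ...
READABLE_RE = re.compile(r"^[A-Za-z]+$")          # plain word, not an opaque token
INTERNALS_RE = re.compile(r"Fatal error|Exception|Traceback|/var/www|\.php:\d+")
SPECIFIC_ERR_RE = re.compile(r"invalid (user ?name|password)", re.IGNORECASE)


def check_response(raw: str) -> list[str]:
    """Evaluate one raw HTTP/1.1 response against checklist items 7, 13, 17
    and 20/21; returns one string per finding (empty list = nothing flagged)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = [ln.split(":", 1) for ln in head.split("\r\n")[1:] if ":" in ln]
    findings = []
    for name, value in headers:
        lname, value = name.strip().lower(), value.strip()
        if lname in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(f"case 20: {name} header discloses software version: {value}")
        elif lname == "allow":
            risky = [m for m in ("PUT", "DELETE") if m in re.split(r",\s*", value.upper())]
            if risky:
                findings.append(f"case 13: dangerous HTTP methods enabled: {', '.join(risky)}")
        elif lname == "set-cookie":
            pair, *attrs = [p.strip() for p in value.split(";")]
            cname, _, cval = pair.partition("=")
            flags = {a.split("=")[0].lower() for a in attrs}
            missing = [f for f in ("secure", "httponly") if f not in flags]
            if missing:
                findings.append(f"case 7: cookie {cname} lacks {', '.join(missing)}")
            if READABLE_RE.match(cval):  # heuristic: a dictionary word, e.g. role=admin
                findings.append(f"case 7: cookie {cname} stores readable value {cval!r}")
    if SPECIFIC_ERR_RE.search(body):
        findings.append("case 17: error message reveals which credential was wrong")
    if INTERNALS_RE.search(body):
        findings.append("case 21: body leaks internal paths or stack trace details")
    return findings
```

On the sample response the function returns six findings; the opaque, Secure, HttpOnly session cookie is correctly left alone while the cleartext role cookie is reported twice, once for missing flags and once for its readable value.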

These are just the basic test scenarios to get started with pentesting. There are hundreds of advanced penetration methods which can be carried out either manually or with the help of automation tools.

Further reading:
Pen Testing Standards: PCI DSS (Payment Card Industry Data Security Standard), OWASP (Open Web Application Security Project), ISO/IEC 27002, OSSTMM (The Open Source Security Testing Methodology Manual).
Certifications: GPEN, Associate Security Tester (AST), Senior Security Tester (SST), Certified Penetration Tester (CPT).

Finally, as a penetration tester you should collect and log all vulnerabilities in the system. Don’t ignore any scenario on the assumption that it won’t be executed by end users.

If you are a penetration tester, please help our readers with your experience, tips and sample test cases on how to perform penetration testing effectively.





29 comments

#1 Mukund on 06.27.12 at 7:36 pm

There are hundreds of commercial as well as free tools available. This has made pen testing much easier.

#2 Kanif on 06.27.12 at 7:52 pm

Thanks Vijay, nice post, it helps to understand penetration testing.

#3 Gunasekaran Veerapillai on 06.28.12 at 3:56 am

There are industry standard scanning tools available which scan through the code and give the types of vulnerabilities – authorization & authentication validation issues, SQL injection, cross-site scripting, broken access controls, configuration issues etc. EC-Council conducts a certification on CEH (Certified Ethical Hacking) and there are other related certifications like CISA etc.

#4 jayashri on 06.28.12 at 5:50 am

Nice post!!! Many test cases are covered in the pen testing. Is there any learning course available for this? If anybody has any idea, please suggest.

#5 Deepak on 06.28.12 at 5:53 am

Informative.

#6 Deepak on 06.28.12 at 5:57 am

Hi Vijay,
The time stamp of our comments is -5:30 of IST.
Is it an error or, to my ignorance, is this blog’s time set as per the time zone from where you are blogging?

#7 kiran on 06.28.12 at 3:56 pm

Sir,
Can you tell me how to hack a flex+java web application.
I am testing a flex+java application.
Give me resources.

Thanks
Kiran

#8 Vijay on 06.28.12 at 6:50 pm

Thanks Gunasekaran for listing the CEH (Certified Ethical Hacking) certification. It’s also one of the best ethical hacking certifications.

#9 RAja on 06.29.12 at 10:48 am

Fortify is a tool to perform security tests at developer level.

#10 sandeep on 06.30.12 at 8:18 am

Nice post …

#11 Romil on 07.02.12 at 10:14 am

nice post for security testing…..

#12 Sukumar on 07.17.12 at 7:05 am

Hi ..

Really, it’s nice, informative information and your blog is so nice. Good work.

Keep It up.

Thanks
Sukumar Jena

#13 Monti Sharma on 07.22.12 at 5:18 pm

Nice. Thanks for the info.

#14 Kannan Manoharan on 07.31.12 at 6:43 am

Thank you for posting this article. I learned something new about penetration testing.

#15 kalpana on 08.08.12 at 1:07 am

Can I get information about how to test a web-based application on mobile? I need step-by-step details on how to test.

#16 Jayaprakash on 08.30.12 at 12:09 pm

Nice Article. Gave a thorough insight on Penetration Testing.

#17 vijayaraja on 09.06.12 at 12:02 pm

good knowledge to you and very nice

#18 parimala on 09.13.12 at 7:45 am

Can anyone say how to test a web application in the initial stage (manually & automation)? Which automation tool is recently used & how to work with automation? Can anyone show a sample web application test?

#19 Ram on 09.29.12 at 2:21 am

This website is extremely informative and helps all varieties of software testers around the globe. This site is not just for beginners who are enthusiastic but also for experts as a reference. I wish all the best for the site conductors and admins and hopefully they continue to contribute their valuable services to spread knowledge in manual and automated testing.

#20 Aamir on 10.09.12 at 12:06 pm

Can anyone help me in understanding what is the difference between Pen & Security testing?

#21 deeparani on 10.10.12 at 8:51 am

good KT..Thank You…

#22 Ganesh on 12.24.12 at 9:41 am

It’s very good info for me.
Can you please suggest an open source tool for pentesting, with examples and how to use it?

Can you suggest any websites for practicing pentesting?

#23 Srini Elluri on 03.29.13 at 5:02 pm

Nice post Vijay. If you can provide more test cases based on the OWASP Top 10, users will benefit.

Regards
Srini Elluri

#24 Kish on 07.29.13 at 10:31 am

Absolutely top class site and information! I agree with other comments that the help on this site serves testing professionals at all levels of experience. Kudos, and carry on the great work please.

#25 Srinivasan on 09.17.13 at 5:26 am

Dear Sir,

#26 Srinivasan on 09.17.13 at 5:28 am

Dear Sir,
I am a fresher in penetration testing. I need to know how to do network penetration easily, which tool is easy for network penetration testing, and PLEASE SEND ME THE STEP BY STEP GUIDE FOR NETWORK PENETRATION TESTING.

#27 Ranjan Kumar on 01.10.14 at 9:05 am

I would like to learn about software application security. So, which site is best for detailed knowledge about it?

#28 Prajakta on 01.13.14 at 10:01 am

Hi, I am a beginner in the pen testing field and want to know the ins & outs of Vulnerability Assessment & Penetration Testing (VAPT), i.e. I want knowledge of the OWASP-listed vulnerabilities and how to find them (step by step detail) in thin and thick clients using automated & manual processes. Please email me regarding the same.

#29 PRAJAKTA on 01.13.14 at 10:32 am

Hi, I am a beginner in the pen testing field and want to know the ins & outs of Vulnerability Assessment & Penetration Testing (VAPT), i.e. I want knowledge of the OWASP-listed vulnerabilities and how to find them (step by step detail) in thin and thick clients using automated & manual processes. Please email me regarding the same.
my Email ID: prajakata.patil189@gmail.com