This likely isn’t the first blog post you’ve read explaining penetration testing. It’s not even the first blog post I’ve written on it. But it’s in the CompTIA Security+ study guide, so gosh darnit, we’re going to talk about it again.
Vulnerability scanning and penetration testing are ways of determining the effectiveness of security controls. They’re similar activities, but have some differences, which–you guessed it–we’ll cover here.
This is a continuation of my blog post series on the CompTIA Security+ exam, where I share my studying and connect it to real-world events.
Penetration Testing Concepts
Penetration testing (“pen testing” from here on out) simulates an attack on a system from a malicious outsider. This is typically done by a security testing firm for a customer. The firm and the customer agree on what is in or out of scope. For example, social engineering attacks might be considered out of scope.
The goal is “to determine if an attacker can bypass your security and access your system.” Pen tests also show which items are seemingly innocuous but can lead to serious risks. Additionally, they demonstrate how well-trained your employees are with regards to security.
Pen tests aren’t about zero days or anything too esoteric. They’re meant to mimic a real-world attack, so common/known methods are top of mind.
In a pen test (or “real” attack), you need to gather information on the target. This allows you to understand the system, and where vulnerabilities might exist. Active reconnaissance means that your information gathering directly interacts with the target network. This means that you might tip off the target. More info in this blog post.
Passive reconnaissance is also about information gathering. However, passive means that it’s done without sending traffic to the target. Because you aren’t directly interacting with them, it’s much less likely that you’ll be noticed. Google and other search engines can be very useful in gathering information.
Passive vs. Active Tools
Likewise, the tools that you use for reconnaissance can be either active or passive. The difference is whether they directly interact with the target system or not. Nmap is an example of an active tool, and can be detected by the defender. Examples of passive tools include Tripwire and Wireshark. Active tools modify or send traffic to the target; passive tools only receive traffic.
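Because active tools send traffic to the target, the defender can see them in firewall or flow logs. The script below is an added example (not from the original post) of the simplest detection for that: one source touching many distinct ports on one host inside a short window. The log format, the IP addresses, the port threshold and the window size are all constructed for this example, not taken from any real product.

```python
# Added example: flag port-scan-like active reconnaissance in firewall logs.
# Log format (constructed for this example):
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 walks twelve ports on 192.0.2.10 in
# twelve seconds; 198.51.100.7 is an ordinary client talking to 443 and 80.
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 -> 192.0.2.10:21 DROP
2024-01-01T10:00:01 203.0.113.5 -> 192.0.2.10:22 ACCEPT
2024-01-01T10:00:02 203.0.113.5 -> 192.0.2.10:23 DROP
2024-01-01T10:00:03 203.0.113.5 -> 192.0.2.10:25 DROP
2024-01-01T10:00:04 203.0.113.5 -> 192.0.2.10:53 DROP
2024-01-01T10:00:05 203.0.113.5 -> 192.0.2.10:80 ACCEPT
2024-01-01T10:00:06 203.0.113.5 -> 192.0.2.10:110 DROP
2024-01-01T10:00:07 203.0.113.5 -> 192.0.2.10:143 DROP
2024-01-01T10:00:08 203.0.113.5 -> 192.0.2.10:443 ACCEPT
2024-01-01T10:00:09 203.0.113.5 -> 192.0.2.10:445 DROP
2024-01-01T10:00:10 203.0.113.5 -> 192.0.2.10:3389 DROP
2024-01-01T10:00:11 203.0.113.5 -> 192.0.2.10:8080 DROP
2024-01-01T10:00:03 198.51.100.7 -> 192.0.2.10:443 ACCEPT
2024-01-01T10:00:09 198.51.100.7 -> 192.0.2.10:443 ACCEPT
2024-01-01T10:00:15 198.51.100.7 -> 192.0.2.10:80 ACCEPT
2024-01-01T10:00:21 198.51.100.7 -> 192.0.2.10:443 ACCEPT
"""


def parse_line(line):
    """Split one constructed-format log line into its fields."""
    ts, src, _arrow, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_scanners(log_text, port_threshold=10, window_seconds=60):
    """Return {(src, dst): sorted_ports} for every source/destination pair
    that touched at least port_threshold distinct ports within any
    window_seconds-long sliding window. Dropped and accepted packets both
    count: a scan is visible whether or not the port was open."""
    by_pair = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port, _action = parse_line(line)
        by_pair[(src, dst)].append((ts, port))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()  # sliding window needs time order
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            # Keep the widest set of ports seen for this pair.
            if len(ports) >= port_threshold and len(ports) > len(alerts.get(pair, ())):
                alerts[pair] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The threshold and window are the knobs a defender tunes against their own baseline; a monitoring host or a load balancer can legitimately touch many ports, so an allow-list of known scanners (including your own authorized pen testers) normally sits in front of a rule like this.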
Pivot is a phrase that gets my hackles up because it reminds me of some venture capital buzzword salad. Here, it means an attacker gaining access to one system, and then using that system to scan or attack other systems within that network.
Once you’ve done your reconnaissance, it’s time to exploit things. The point of a pen test isn’t to actually destroy things. You do want to demonstrate the viability of an attack, however. Initial exploitation means demonstrating that a vulnerability is in fact present, and exploitable. But, you stop short of actual damage to the system. One example might be exploiting a SQL injection vulnerability to bypass the login page.
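To make the login-bypass example concrete, here is an added example (not code from the original post) showing the defect a pen tester would be demonstrating and the fix the customer should apply. The table, the user record and the query shapes are constructed for this example; the in-memory SQLite database stands in for whatever the real application uses.

```python
# Added example: a login check that builds SQL by string formatting, beside
# the parameterized version that closes the hole. Everything here is
# constructed for illustration; the password is stored in plaintext only to
# keep the example short (a real system stores a password hash).
import sqlite3


def make_db():
    """Create an in-memory database with one constructed user record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """User input is spliced straight into the SQL text, so the input can
    rewrite the WHERE clause instead of being compared as a value."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver sends the values
    separately from the query text, so quotes in the input stay data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demonstrate():
    """Run both versions against real credentials, a wrong password, and the
    classic quote-and-OR input; returns the outcomes for inspection."""
    conn = make_db()
    bypass = "' OR '1'='1"
    return {
        "vulnerable_real_creds": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_wrong_password": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_bypass": login_vulnerable(conn, "alice", bypass),
        "safe_real_creds": login_safe(conn, "alice", "correct-horse"),
        "safe_wrong_password": login_safe(conn, "alice", "wrong"),
        "safe_bypass": login_safe(conn, "alice", bypass),
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

In the vulnerable version the resulting SQL reads `... AND password = '' OR '1'='1'`, and because `AND` binds tighter than `OR` the trailing `OR '1'='1'` makes the whole condition true for every row. The parameterized query treats the same string as a password value that simply does not match, which is exactly the difference a pen test report would call out.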
“Try harder.” Persistence is both some type of virtue, and a CompTIA pen testing attribute. In mimicking real attacks, pen tests might also establish a foothold within the system. Similar to APTs (discussed in the threat actors section), pen testers might create ways to get back into a system after being detected.
Escalation of Privilege
Escalation of privilege means moving from a normal user account (and privileges) to higher levels of privileges. The ultimate goal is to get root privileges. As discussed in previous posts, this can be done by stealing credentials or exploiting other vulnerabilities.
If an outsider were attacking your system, they probably wouldn’t know much about the inner workings. The idea of “black box” testing is to simulate this and test the software with no knowledge of the inner workings. You’re just throwing malformed or invalid inputs at it and seeing what happens. While this makes the attacker’s job more difficult, it’s more realistic. It also might allow them to think “outside the box” and think of scenarios that the developers did not.
You can probably guess that “white box” testing is the opposite. The attacker is given documentation and other info about the software. This lets them rule out huge classes of inputs as unnecessary. It might also let attackers come up with more sophisticated or specific attacks.
Gray box is some hybrid between black box and white box. So the tester has some information about the system, but that knowledge is incomplete.
Pen Testing vs Vulnerability Scanning
What’s the difference between pen testing and vulnerability scanning? Pen testing is testing a system for vulnerabilities that can be exploited. Vulnerability scanning identifies vulnerabilities in the system without attempting to exploit them.
Vulnerability Scanning Concepts
We just covered this, but I guess we’ll go over it again. Vulnerability scanning is the process of “examining your systems and devices for holes, weaknesses, and issues.” The idea is to find your weaknesses before attackers do, Sun Tzu style. Once you know your weaknesses, you can address them by severity.
Passively Test Security Controls
While not the main point of vulnerability scanning, you (a tester) might accidentally trigger security controls during your search. This lets the customer know how well their controls are working in certain situations.
The main point, of course, is to find vulnerabilities. As with pen testing, zero days aren’t the point here. We’re looking for vulnerabilities that we can find. This means the vulnerabilities have to be known already. Testers will put all the vulnerabilities they find in a log or report.
Identify Lack of Security Controls
If you’ve found a vulnerability, then the vulnerability needs to be fixed/patched, some kind of security control needs to be put in place so that the vulnerability can’t be exploited, or both. In finding vulnerabilities, you are also finding what security controls are missing or need improvement.
Identify Common Misconfigurations
A subclass of security control issues includes common misconfigurations. This might include default credentials. This gets covered more in the next section.
Intrusive vs Non-Intrusive
The scope of a scan will be determined at the beginning and signed off on by the customer. If a test is intrusive, that means that system data can be changed. Non-intrusive means that it can’t be changed. This is a trade-off between “real world” accuracy and practicality for the customer (server reboots, sensitive data, etc.).
Credentialed vs. Non-credentialed
Credentialed scans mean that the attacker gets credentials to the system. This is less accurate to how a real attack would occur, but you get “more for your money” since more vulnerabilities will be found. Non-credentialed means the attacker is not given credentials (but may find them, or get in some other way).
False Positives and False Negatives
False positives and negatives aren’t a new concept. If your scan returned a vulnerability that doesn’t actually exist, that’s a false positive. If it fails to report a vulnerability that _does_ exist, that’s a false negative.
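The practical version of this is reconciling a scanner’s report against what was actually confirmed (by a pen tester, or by checking the installed version by hand). The script below is an added example, not from the original post: it reads two constructed CSV extracts, classifies each (host, finding) pair as true positive, false positive or false negative, and computes the scanner’s precision and recall. The host names and the `VULN-*` finding identifiers are placeholders, not real vulnerability IDs.

```python
# Added example: reconcile scanner findings with confirmed vulnerabilities.
# Both CSV blocks are constructed; VULN-A..VULN-D are placeholder IDs.
import csv
import io

# What the scanner reported (constructed).
SCANNER_REPORT_CSV = """\
host,finding_id,detail
web-01,VULN-A,outdated web server version
web-01,VULN-B,version string suggests vulnerable library
db-01,VULN-C,default administrative account enabled
"""

# What was confirmed to really exist (constructed). VULN-B was a false alarm
# (patch was backported, version string unchanged); VULN-D was missed.
CONFIRMED_CSV = """\
host,finding_id
web-01,VULN-A
db-01,VULN-C
db-01,VULN-D
"""


def load_pairs(csv_text):
    """Return the set of (host, finding_id) pairs in a CSV extract."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["host"], row["finding_id"]) for row in reader}


def reconcile(findings, confirmed):
    """Classify every pair seen on either side.
    true_positive:  reported and real
    false_positive: reported but not real (wasted remediation effort)
    false_negative: real but not reported (the dangerous case)"""
    return {
        "true_positive": sorted(findings & confirmed),
        "false_positive": sorted(findings - confirmed),
        "false_negative": sorted(confirmed - findings),
    }


def precision_recall(findings, confirmed):
    """Precision: share of reported findings that were real.
    Recall: share of real vulnerabilities the scanner caught.
    Returns (0.0, 0.0) when a denominator is empty rather than dividing by 0."""
    tp = len(findings & confirmed)
    precision = tp / len(findings) if findings else 0.0
    recall = tp / len(confirmed) if confirmed else 0.0
    return precision, recall


if __name__ == "__main__":
    found = load_pairs(SCANNER_REPORT_CSV)
    real = load_pairs(CONFIRMED_CSV)
    for label, pairs in reconcile(found, real).items():
        print(f"{label}: {pairs}")
    p, r = precision_recall(found, real)
    print(f"precision={p:.2f} recall={r:.2f}")
```

Low recall is the number to worry about: a false negative is a hole nobody is tracking, whereas a false positive mostly costs analyst time. A version-string check that ignores backported patches is the textbook source of the former kind of noise.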