A penetration test is a simulation of an attack by external hackers or malicious users.
These tests can be conducted in several ways, such as automated scans, targeted attacks and source code analysis, and are divided into two main categories: black box and white box.
The methodology of a penetration test can be divided into steps:
- Information gathering and analysis
- Vulnerability detection
- Penetration attempt
- Analysis and reporting
Black Box testing is performed from outside the company and assumes no prior knowledge of the target system. The first step is information gathering. Information can be collected by searching publicly available data or by exploiting the system's vulnerabilities and weaknesses. Once all available information is acquired This test simulates a real attack from external hackers.
White Box testing assumes that the attacker has complete knowledge of the system; this information is provided by the tested party.
This approach is the most reliable method of analysis, as all information is available to the tester.
The first step of a penetration test involves the use of readily available tools like network scanners, vulnerability scanners and source code analyzers. These tools can easily reveal infrastructure weaknesses and known (unpatched) vulnerabilities, but cannot be a replacement for the attacker's know-how.
A targeted attack involves the analysis of all available information to find unknown vulnerabilities and weaknesses in the company infrastructure.
When a vulnerability is found, a simulated attack is conducted to exploit it and gain unauthorized access to the system.