[Study Notes] Penetration Testing Basics

1. Overview

        Penetration testing is a technique and methodology that simulates a malicious attacker in order to defeat the security controls of a target system, gain access to it, and discover security flaws that affect the business; it is a form of security testing and assessment.
        Put simply, it means carrying out a penetration (an attack) by various means, and using that penetration to test the target's security protection capabilities and its security awareness.
        The most fundamental basis of the penetration process is the existence of security vulnerabilities in the target system (defects or inappropriate configurations in an information system that can allow an attacker to access or damage the system without authorization, exposing the system to security risk). A program that exploits a security vulnerability to carry out an intrusion or cause damage is called penetration code, or exploit code (an Exploit).

2. Classification

Black-box testing / external testing: the tester does not know the internal structure and focuses on observable output; this resembles a real hacker attack, and the cycle for discovering vulnerabilities is longer.
White-box testing / internal testing: the tester knows the internal structure and which functions exist; the test cycle is short, and this is suited to testing a specific function.
Gray-box testing / combined testing: a combination of the two.

3. Target classification

Host operating system penetration: penetration testing of the operating systems themselves, such as Windows, Solaris, AIX, Linux, SCO and SGI.
Database system penetration: penetration testing of database systems such as MS-SQL, Oracle, MySQL, Informix, Sybase, DB2 and Access.
Application system penetration: penetration testing of the applications offered by the target, such as WWW applications built with ASP, CGI, JSP, PHP and so on.
Network equipment penetration: penetration testing of firewalls, intrusion detection systems and other network equipment.

4. Security vulnerability life cycle (A Bug's Life)

0day: known only to you or to a small number of people; the potential harm is greatest.
1day: the vulnerability has spread, but the vendor has not yet responded or released a patch; the vulnerability is still exploitable.

5. How to disclose security vulnerabilities

① Full public disclosure: the problem is published directly once found, which may cause the vendor huge losses.
② Responsible disclosure: the vendor is informed so that it can quickly prepare a patch.
③ Entering the underground economy: the vulnerability is sold or used directly in the underground economy for profit (illegal!!).
④ Small-scale exploitation, or even passive disclosure: the finder does not disclose the vulnerability but exploits it on a small scale; as more and more people notice that it is being exploited, it eventually becomes disclosed.

6. Penetration testing process links

(1) Pre-Engagement Interaction Phase (Pre-Engagement Interaction)

        In this stage the testing team holds interactive discussions with the customer organization; the most important outcomes are the scope, goals, constraints and contractual terms of the penetration test. It typically involves collecting customer requirements, preparing the test plan, defining the test scope and boundaries, defining business goals, and project management and planning.

(2) Intelligence Gathering Phase (Information Gathering)

        Once the target scope is fixed, the penetration testing team enters the intelligence gathering (Information Gathering) stage. The team uses a variety of information sources and collection techniques to learn as much as possible about the target organization's network topology, system configuration and security defenses.
The intelligence collection methods available to penetration testers include open-source information queries, Google Hacking, social engineering, network reconnaissance, scanning and probing, passive monitoring, service enumeration, and so on. The ability to gather intelligence on the target system is a very important skill for a penetration tester. The thoroughness of intelligence collection largely determines the success or failure of the penetration test: if key intelligence is missed in this stage, later stages may achieve nothing.

(3) Threat Modeling Phase (Threat Modeling)

        The threat modeling phase analyzes the information collected in the previous two phases, performs threat modeling and attack planning, builds a model of the target system, and then determines the optimal attack route, which is where the subsequent penetration attacks begin.

(4) Vulnerability Analysis Phase (Vulnerability Analysis)

        Having determined the most feasible attack channel, the tester must consider how to gain access to the target system; this is the vulnerability analysis (Vulnerability Analysis) stage.
        In this stage the penetration tester comprehensively analyzes the intelligence gathered and summarized in the earlier stages, especially the vulnerability scan results and service enumeration data, together with the exploit code that can be found by searching exploit resources, in order to identify attack points where exploits can be launched and to verify them in a lab environment. In this stage a high-level penetration testing team will also perform vulnerability detection and discovery on key systems and services along the attack channel, hoping to find exploitable unknown vulnerabilities, and will develop exploit code to open up the attack channel on the critical path.

(5) Penetration Attack Phase (Exploitation)

        Penetration attack (Exploitation) is the most appealing part of the penetration testing process. In this stage the penetration testing team uses the security vulnerabilities it has identified in the target system to actually break into the system and gain access.
        Penetration attacks may use exploit code obtained through public channels, but in real engagements penetration testers generally also have to take the characteristics of the target system fully into account and customize their attacks, and they must defeat the security defenses deployed in the target network and systems before the penetration can succeed. In black-box testing, penetration testers also need to consider evading the target system's detection mechanisms so as not to alert the target organization's security response team.

(6)Post Exploitation (clear traces)

        Post-exploitation is the stage of the penetration testing process that best reflects the creativity and technical capability of the penetration testing team. The previous steps follow a fairly fixed routine toward common goals, but in this step the team must independently design its attack targets based on the target organization's business model, the way its assets are protected and its security defense plans, identify critical infrastructure, and find the information and assets that the customer organization values most and tries hardest to protect, ultimately arriving at attack vectors that can have the most significant business impact on the customer organization.
In different penetration testing scenarios these attack targets and methods vary endlessly, and whether they are set accurately and feasibly depends on the team's own sense of innovation, breadth of knowledge, practical experience and technical ability.

(7) Reporting stage

        What the penetration testing process ultimately delivers to the customer organization, and what must be accepted before the contract payment is received, is the penetration testing report (Reporting). The report condenses the key intelligence obtained by the penetration testing team in all previous stages, the system security vulnerabilities detected and discovered, the process of the successful penetration attacks, and the attack paths that cause business impact. At the same time, from the defender's perspective, it helps the customer analyze the weak links and existing problems in its security defense system and proposes technical solutions for remediation and upgrade.

7. The significance of penetration testing

        Penetration testing examines the security of enterprise systems from the perspective of a third party. Through penetration testing, potential security issues in the enterprise that have not yet been discovered can be brought to light. The enterprise can then harden and improve the weaknesses and security vulnerabilities in its internal systems based on the test results, making its systems more secure and reducing enterprise risk.

Origin blog.csdn.net/m0_49476792/article/details/134113469