Network penetration testing is an attempt by an ethical hacker to breach an organization’s network without doing harm. The objective is to identify security weaknesses in the network and its security controls, report on them, and allow the organization to remediate them.
Modern networks are extremely complex, with a combination of WAN, LAN, and wireless networks, a large number of endpoints including servers, workstations, mobile devices and internet of things (IoT) devices, and security technologies like firewalls and intrusion prevention systems (IPS). Any of these could be a weak link that allows attackers to penetrate the network.
A network penetration test takes the perspective of an outside attacker, scanning the network to identify vulnerabilities, and actually exploiting them to prove their possible impact on the business.
In this article:
- Network Security Threats and Attacks
- External vs. Internal Network Penetration Testing
- Network Penetration Testing Process
- Complementing Penetration Testing with Dynamic Application Security Testing (DAST)
Network Security Threats and Attacks
Here are some of the common threats that can be tested with network penetration testing.
Malware
Malware is malicious software used to attack computer systems; trojans, ransomware, and spyware are common examples. Attackers use malware to steal or copy sensitive data, block access to files, and compromise or damage operational systems and datasets.
Phishing
Phishing is a tactic in which attackers impersonate a reputable entity or individual through email or other forms of communication. Attackers often use phishing emails to distribute malicious links and attachments that can further their goals. These links or attachments typically send the user to a malicious website or directly deploy malware. The end goal of phishing is to extract login credentials, account information, or other sensitive information from victims.
Traditionally most phishing attacks were conducted by email, but attackers are increasingly performing attacks via other forms of communication, including social networks, SMS messages, and even voice calls.
Distributed Denial of Service (DDoS)
In a distributed denial of service (DDoS) attack, many compromised systems (a botnet) attack a target at once, denying service to its legitimate users. DDoS can target servers, websites, or other network resources. It works by generating a large volume of fake connection requests, malformed packets, or other illegitimate traffic that floods the target and causes it to slow down, crash, or shut down. Because the traffic arrives from many sources, often with spoofed addresses, blocking individual senders rarely helps; defenses also have to watch the aggregate rate hitting each target.
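The flood pattern described above is what a SYN-flood detector looks for in connection logs. The following is an added example, not code from the original article: it assumes a constructed log format of "epoch src dst:port flags" and illustrative thresholds, and it shows the difference between judging each source on its own and judging the destination's aggregate, which is what catches a distributed or spoofed flood.

```python
"""Rate-based SYN-flood detector over constructed connection-log lines.

Added example, not code from the original article. Log format is assumed:
"<epoch_seconds> <src_ip> <dst_ip>:<dst_port> <tcp_flags>", one event per line,
where flags "S" is a bare SYN and any flags containing "A" mean the handshake
progressed. Thresholds are illustrative, not tuned values.
"""
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 10   # bucket size for counting
SYN_THRESHOLD = 100   # bare SYNs per bucket before a key is suspicious
MAX_ACK_RATIO = 0.1   # floods rarely complete handshakes; legitimate bursts do


def parse_line(line):
    """Parse one log line into (epoch, src, dst, flags); raises on garbage."""
    ts, src, dst, flags = line.split()
    ipaddress.ip_address(src)  # validate the source field early
    return int(ts), src, dst, flags


def detect_syn_flood(lines, per_source=True, window=WINDOW_SECONDS,
                     threshold=SYN_THRESHOLD, max_ack_ratio=MAX_ACK_RATIO):
    """Return {(src, dst): (syns, acks)} for keys that look like a SYN flood.

    per_source=True flags individual noisy sources. Real DDoS traffic is
    distributed and often spoofed, so per_source=False collapses every
    source into "*" and judges the destination's total instead.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, flags = parse_line(line)
        key = (src if per_source else "*", dst, ts // window)
        if flags == "S":
            syns[key] += 1
        elif "A" in flags:
            acks[key] += 1

    flagged = {}
    for key, n in syns.items():
        src, dst, _bucket = key
        a = acks.get(key, 0)
        if n >= threshold and a / n <= max_ack_ratio:
            prev = flagged.get((src, dst), (0, 0))
            if n > prev[0]:                 # keep the worst bucket per pair
                flagged[(src, dst)] = (n, a)
    return flagged


def constructed_sample():
    """Constructed log: one legitimate client completing five handshakes,
    plus one source sending 300 bare SYNs in six seconds with no ACKs."""
    base = 1_700_000_000
    lines = []
    for i in range(5):
        lines.append(f"{base + i} 198.51.100.7 203.0.113.10:443 S")
        lines.append(f"{base + i} 198.51.100.7 203.0.113.10:443 A")
    for i in range(300):
        lines.append(f"{base + i // 50} 192.0.2.99 203.0.113.10:443 S")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    print("per-source:     ", detect_syn_flood(sample))
    print("per-destination:", detect_syn_flood(sample, per_source=False))
```

The per-source view names 192.0.2.99 as the flooder; the per-destination view reports 203.0.113.10:443 as under attack with 305 SYNs and only 5 completed handshakes in the window. In production the windows should slide rather than bucket, and the thresholds should be derived from the target's normal baseline.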
Advanced Persistent Threats (APTs)
An APT is a long-term targeted cyberattack that allows an intruder to gain access to a network and remain undetected for a long period of time. APT attacks are typically aimed at stealing data rather than disrupting the target organization’s network.
The goal of most APT attacks is not to get in and out as quickly as possible, but rather to achieve and maintain continuous access to the target network. Because executing APT attacks can be very labor-intensive and resource-intensive, hackers often choose high-value targets such as countries and large corporations, from which they can steal information over an extended period of time. APT attacks are commonly conducted by large, organized cybercrime groups or state-sponsored hackers.
Drive-by Downloads
In a drive-by download attack, malware is downloaded to a user’s computer or mobile device without their knowledge, typically when they simply visit a compromised or malicious web page. This attack is especially severe because the user does not need to click anything or open a malicious email attachment to get infected, so it can affect even security conscious individuals.
Drive-by downloads exploit vulnerabilities in applications, operating systems, or web browsers. These may be zero-day vulnerabilities not yet addressed by the vendor, or known vulnerabilities where the user or the organization failed to apply a security update.
DNS Attacks
A DNS attack is any attack that exploits weaknesses in the Domain Name System (DNS) protocol or in how an organization’s DNS is deployed and managed.
Although DNS is very powerful, it was designed for ease of use, not security: by default, queries and responses are unauthenticated UDP messages. There are many types of DNS attacks in use today. Some manipulate the communication between a DNS client and server, for example by spoofing responses so that a resolver caches a false record (cache poisoning). Others use stolen credentials to log into your registrar or DNS provider and redirect DNS records to attacker-controlled hosts.
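To make the spoofed-response case concrete, here is an added example that is not part of the original article: a minimal DNS wire-format builder and parser, plus the acceptance checks a resolver applies before trusting a reply (matching transaction ID, QR bit set, question section echoed, answers only for the name asked). All names, IDs and addresses are constructed for the demo; real resolvers additionally randomize the UDP source port, which is what makes blind spoofing impractical.

```python
"""Minimal DNS message builder/parser with the checks a resolver applies
before trusting a reply. Added example, not code from the original article;
the names, IDs and addresses below are constructed for the demo.
"""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    # 'example.com' -> 07 'example' 03 'com' 00 (DNS label wire format)
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, next_offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, txid):
    """Standard recursive query for an A record with the given transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_message(msg):
    """Parse header, question and answer sections (authority/additional ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def build_response(query, txid, ip, ttl=300, answer_name=None):
    """Constructed reply echoing the query's question plus one A record.
    answer_name lets the demo forge a record for a name that was not asked for."""
    qname = parse_message(query)["questions"][0][0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    owner = b"\xc0\x0c" if answer_name is None else encode_name(answer_name)
    rr = (owner + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + bytes(int(o) for o in ip.split(".")))
    return header + question + rr


def accept_response(query, response):
    """Return (ok, reason). A reply must carry the query's ID, be flagged as a
    response, echo the question exactly and only answer for the name asked."""
    q, r = parse_message(query), parse_message(response)
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if not r["flags"] & 0x8000:
        return False, "QR bit not set"
    if r["questions"] != q["questions"]:
        return False, "question section does not match query"
    for name, *_ in r["answers"]:
        if name != q["questions"][0][0]:
            return False, f"out-of-question answer for {name}"
    return True, "ok"


if __name__ == "__main__":
    q = build_query("example.com", 0x1234)
    print(accept_response(q, build_response(q, 0x1234, "203.0.113.5")))
    print(accept_response(q, build_response(q, 0x1235, "198.51.100.66")))
```

The forged reply with the wrong transaction ID is rejected, but note how thin that protection is: a 16-bit ID alone gives an off-path attacker a 1-in-65536 chance per spoofed packet, which is why source-port randomization and DNSSEC validation matter in practice.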
External vs. Internal Network Penetration Testing
External Penetration Testing
Traditionally, external threats were often considered more important than internal threats. Most organizations agree that anything exposed to the Internet needs some form of security testing, and possibly the most rigorous type of testing is penetration testing.
A compromised external host gives an attacker a foothold from which to dig deeper into the internal environment. External devices can also be targets in their own right, for example a public-facing SFTP/FTP server that stores client data, so they must be protected regardless of what sits behind them.
External network penetration testing focuses on the perimeter of your network and identifies any deficiencies that exist in public-facing security controls. When performing external penetration testing, the testers mimic real scenarios as best as possible to identify as many potential vulnerabilities as possible.
External network penetration testing techniques include the following:
- Host and service discovery, port scanning and querying
- Attempting to gain access to public-facing systems using default passwords, brute force, password cracking, or other techniques
- Network sniffing and traffic monitoring
- Spoofing or deceiving servers and network equipment
- Using buffer overflow or similar attacks for remote code execution
- Running exploits for discovered vulnerabilities
- Changing configuration of running systems
- Denial of Service (DoS) testing, only where explicitly authorized in the rules of engagement, since it can disrupt production services
- Privilege escalation and lateral movement when gaining access to any internal systems
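The first item in the list above, host and service discovery with banner grabbing, as an added example that is not part of the original article. It runs a TCP connect scan against constructed localhost listeners (one that greets on connect like SSH, one that waits for the client like HTTP, and one closed port), so it works offline; the banners and the crude fingerprint rules are assumptions for the demo. Point it only at hosts you are authorized to test.

```python
"""TCP connect scan with passive/active banner grabbing against constructed
localhost listeners. Added example, not code from the original article; the
fake services, their banners and the service-guess rules are assumptions for
the demo. Scan only hosts you are authorised to test.
"""
import socket
import threading


def start_fake_service(banner=None, reply_to_probe=None):
    """Start a constructed listener on 127.0.0.1 and return its port.
    banner: bytes sent immediately on connect (SSH/FTP/SMTP style).
    reply_to_probe: bytes sent only after the client speaks first (HTTP style)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                    elif reply_to_probe:
                        conn.settimeout(2)
                        conn.recv(1024)           # wait for the client's request
                        conn.sendall(reply_to_probe)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Reserve and release an ephemeral port so the demo has a closed one."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe_port(host, port, timeout=0.5):
    """Connect to one port; grab a banner passively, then with an HTTP probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = b""
            try:
                banner = s.recv(256)               # services that greet first
            except socket.timeout:
                pass
            if not banner:
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")   # services that wait
                    banner = s.recv(256)
                except OSError:
                    pass
            return {"port": port, "state": "open",
                    "banner": banner.decode("latin-1").strip()}
    except ConnectionRefusedError:
        return {"port": port, "state": "closed", "banner": ""}
    except OSError:                                 # timeout / unreachable
        return {"port": port, "state": "filtered", "banner": ""}


def guess_service(banner):
    """Crude fingerprint from the first bytes of the banner."""
    b = banner.upper()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("HTTP/"):
        return "http"
    if b.startswith("220 "):
        return "ftp-or-smtp"                        # both greet with code 220
    return "unknown"


def scan(host, ports):
    """Scan each port and annotate open ones with a guessed service."""
    results = []
    for port in ports:
        r = probe_port(host, port)
        r["service"] = guess_service(r["banner"]) if r["state"] == "open" else ""
        results.append(r)
    return results


if __name__ == "__main__":
    targets = [start_fake_service(banner=b"SSH-2.0-OpenSSH_9.6\r\n"),
               start_fake_service(reply_to_probe=b"HTTP/1.0 200 OK\r\nServer: demo\r\n\r\n"),
               closed_port()]
    for r in scan("127.0.0.1", targets):
        print(r)
```

The passive-then-active order matters: protocols where the server speaks first (SSH, FTP, SMTP) reveal themselves on connect, while HTTP-style services stay silent until probed. A full connect scan like this is noisy and easily logged, which is fine for an authorized test but is exactly the kind of activity the defenders' detection should be catching.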
Internal Penetration Testing
Insider threats are a growing concern at most organizations. An insider threat could be a disgruntled worker, a former employee whose access was never revoked, or someone trying to steal trade secrets. An insider threat could also be someone without malicious intent: negligent or careless employees, human error, and misconfigurations can all result in a network compromise.
Internal network penetration testing targets the networked environment that lies behind public-facing devices. This type of penetration test is designed to identify and exploit issues that can be discovered by an attacker who has gained access to your internal network.
Internal penetration testing techniques include:
- Scanning for internal subnets, domain servers, file servers, printers, switches
- Privilege escalation and lateral movement
- Identifying vulnerable devices, services, or operating systems on the local network
- Establishing persistent access the way an attacker would with trojans or rootkits, using benign, removable implants agreed in the rules of engagement
Related content: Read our guide to penetration testing services
Network Penetration Testing Process
Network penetration testing typically follows four stages: reconnaissance, discovery, exploitation, and analysis. The following discussion mainly refers to external penetration testing, but the process for internal testing is similar.
Reconnaissance
The reconnaissance stage involves gathering information about the target and scanning its systems to uncover potential weaknesses and vulnerabilities, as an external attacker would. This has two aspects:
- Technology vulnerabilities—the penetration tester looks for weaknesses in network ports, peripherals, software, or network services hackers can use to get into your systems. This process is very useful for vulnerability assessment and provides an external perspective on security weaknesses in the environment.
- Human vulnerabilities—social engineering vulnerabilities include common phishing scams and theft of login credentials. Penetration testers can try these tactics and see if the company’s employees are vulnerable to social engineering. This can help identify problems and raise awareness of security policies among employees.
Discovery
During the discovery phase, penetration testers use information from the reconnaissance phase to perform real-time testing using pre-coded or customized scripts to identify possible security issues and see if they are easily exploitable. The objective is to identify the possible attack vectors and decide which one the tester will use during exploitation.
Exploitation
In the exploitation phase, penetration testers use the information obtained in the discovery phase, such as vulnerabilities and entry points, to run exploits against the weaknesses they discovered in network devices or IT systems. The goal of this phase is to break into the network environment, evade detection, and demonstrate the impact an attacker could have (for example, by gaining access to sensitive data) without actually causing harm.
Analysis and Reporting
At the end of the test, the penetration tester documents their process and findings, and prepares a penetration test report. In most cases, reports include vulnerabilities identified and exploited, sensitive data accessed, and how long ethical hackers managed to avoid detection.
The report must provide actionable information that can allow the organization to patch vulnerabilities and protect against future attacks.
Related content: Read our guide to penetration testing report
Complementing Penetration Testing with Dynamic Application Security Testing (DAST)
Bright Security enables organizations to automate black box testing for a long list of vulnerabilities across both applications and APIs. These tests include both technical vulnerabilities and business logic vulnerabilities. This combination goes a long way towards providing unparalleled coverage that previously could only be achieved by conducting manual penetration testing.
Moreover, the automated solution enables organizations to run targeted scans early in the SDLC and remediate issues before they make it to production. This is far superior to having to detect vulnerabilities in a production environment with manual tests.