Sample Essay on Penetration Testing Procedures and Methodologies

Executive Summary

Threats against computer systems, and against the data held within them, are becoming more frequent and more sophisticated. So-called "zero-day" exploits can be bought on underground markets, and Advanced Persistent Threats can lead to the exfiltration of data over extended periods. Organizations wishing to assure the security of their systems may look to adopting appropriate measures to protect themselves against potential security breaches. One such measure is to contract the services of penetration testers to discover and then report the vulnerabilities present in the organization's network, and to make recommendations on how best to mitigate those risks.

This paper discusses the definition and the role of the present-day pen-tester. It also summarizes current standards and professional qualifications in the UK. It further identifies the challenges facing penetration testing, highlighting the differences between what industry largely expects of the role and what the professional qualifications require.

Literature Review

Considerable effort has been devoted to the technical side of penetration testing. Reeve & Pritchard (2006) examine the subject from the software pen-tester's viewpoint, focusing on where the tester's role lies when assessing flaws during software development. Within the software development life cycle, Reeve and Pritchard propose that without proper and timely assessment, organizations "...often find that their product suffers from systemic flaws both at the design level and in the implementation" (Reeve & Pritchard, 2006). The same is true of an organization's network security: without proper and thorough assessment, the network design will leave unknown flaws in the implementation.

By contrast, there has been limited work on the skills and capabilities required of the pen-tester, and less still on the legal, social, ethical and professional issues arising from such sensitive work. A notable exception to this assertion is the work by Pierce, Jones, and Warren (Liu & Hryciw, 2003). In their paper they give a conceptual model and taxonomy for penetration testing and professional ethics. They describe how the integrity of the professional pen-tester may be achieved by "...avoiding conflicts of interest, the provision of false positives and false negatives, and finally legally binding testers to their ethical obligations in their contract" (Liu & Hryciw, 2003). This is certainly important and ought to be the case in most circumstances where an individual works with potentially sensitive data; however, it reads more as an individual "moral code of conduct" than as something which can be enforced and assessed.

Chen et al. (2006) also discuss the then-current move by universities "...toward offering security testing courses." Furthermore, in 2006, Chen et al. remarked on the "...first U.K. university to offer a dedicated degree course in hacking". This has certainly demonstrated a rising trend in the education sector towards penetration testing courses; however, these tend to be degree programmes, and not so much an industry-recognized certification standard.

The diagram below shows the steps that are followed when testing a system for errors and vulnerabilities that attackers could use to compromise it. The first stage is planning how the whole engagement will take place. Next, all the necessary information about the target is gathered. The actual process of discovering vulnerabilities then starts, and finally the report is submitted to the responsible parties.

Figure 1: security testing methods (c) internet source


Below is a diagram showing all the protections that a penetration tester needs to test in order to fully report the vulnerabilities that are present. Some of these critical areas include network access, patch management, and malicious software protection, as shown below.

Figure 2: areas that need to be tested in a system. (c) Internet source.




Challenges Facing Penetration Testing

Setting the scope of the test

The challenge here is deciding which systems are to be tested. When a penetration test is carried out for the first time, a full test is appropriate, to ensure that no security loopholes are overlooked in systems that have never been tested.

The time needed for a penetration test is ordinarily directly related to the number of systems to be examined. Identical and near-identical systems can frequently be covered in a single test, but when there are different configurations, every system will need to be handled separately:

  • If only a particular sub-system, system or service is to be tested, for the purposes of this study the penetration test is termed "focused". It is focused on one system. Such a test can, obviously, only give information about the system that was tested; it cannot give general information about the overall IT security.
  • In a limited penetration test, a set number of systems or services are examined. For instance, all systems in the DMZ, or the systems belonging to one business unit, can be tested.
  • A full test covers all accessible systems. It should be noted that even in a full test certain systems, e.g. outsourced and remotely hosted systems, may not be permitted to be tested.
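Whatever the shape of the test (focused, limited or full), the practical control is the same: every address a tool is pointed at must fall inside the written authorization, and hosts the client has carved out (outsourced or third-party hosted systems inside an otherwise authorized range) must be refused. The following Python is an added example, not part of the original essay: it reads a small scope file (the ranges, the "!" exclusion syntax and the target list are all constructed for this illustration) and splits discovered hosts into those that may be scanned and those that must not.

```python
import ipaddress

# Constructed scope file for the example: authorised ranges, with "!" marking systems
# that are inside an authorised range but must not be tested (outsourced/hosted).
SCOPE_FILE = """
203.0.113.0/28       # DMZ (full-test target set)
10.20.0.0/16         # finance business unit (limited test)
!10.20.5.0/24        # payroll system hosted by a third party: not ours to test
!203.0.113.9         # vendor-managed mail appliance in the DMZ
"""

# Constructed candidate targets, e.g. the output of host discovery.
TARGETS = ["203.0.113.4", "203.0.113.9", "10.20.5.17", "10.20.7.1", "198.51.100.3"]


class Scope:
    def __init__(self):
        self.allowed = []
        self.excluded = []

    @classmethod
    def from_lines(cls, lines):
        scope = cls()
        for raw in lines:
            line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
            if not line:
                continue
            if line.startswith("!"):
                scope.excluded.append(ipaddress.ip_network(line[1:].strip(), strict=False))
            else:
                scope.allowed.append(ipaddress.ip_network(line, strict=False))
        return scope

    def is_in_scope(self, target):
        addr = ipaddress.ip_address(target)
        # An exclusion always wins, even when the address sits inside an allowed range.
        if any(addr in net for net in self.excluded):
            return False
        return any(addr in net for net in self.allowed)


def partition_targets(scope, targets):
    """Split candidates into (authorised, out_of_scope), preserving order."""
    authorised, out_of_scope = [], []
    for t in targets:
        (authorised if scope.is_in_scope(t) else out_of_scope).append(t)
    return authorised, out_of_scope


def check_constructed_targets():
    return partition_targets(Scope.from_lines(SCOPE_FILE.splitlines()), TARGETS)


if __name__ == "__main__":
    ok, rejected = check_constructed_targets()
    print("authorised:", ok)
    print("refusing to scan:", rejected)
```

Running the check before handing a target list to a scanner turns the scoping decision into something the tooling enforces rather than something the tester has to remember mid-engagement; the exclusion-wins rule is what protects the hosted systems the third bullet warns about.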

Internal and External Tests

External pen testing can be termed the conventional, more common approach to pen testing. This test addresses the ability of a remote attacker to get into the internal network. The objectives of the pen-test include reaching particular servers and "crown jewels" inside the internal network by exploiting externally exposed servers, clients, and people. Whether it is an exploit against a vulnerable web application or tricking a user into giving up his password over the telephone, thereby granting access to the corporate VPN, the end game is getting access from the outside to the inside.


Figure 3: Example of how a security breach can be found in a system. Probst, 2012.

Internal pen testing takes an alternative approach, one that reproduces what an insider attack could achieve. The target is commonly the same as in external pen testing, but the real differentiator is that the "attacker" either has authorized access or starts from a point inside the internal network (Probst, 2012). Insider attacks have the potential to be far more damaging than an external attack because insiders already know what is valuable inside a network and where it is located, something that external attackers do not generally know from the start.

Testing is a challenge here in that it is very difficult to test for threats from internal employees who have legitimate access to the system. An employee already holds the rights and passwords to the system and can therefore carry out an attack with malicious intent, unmonitored and without anyone ever knowing, unless privileged activity is independently logged and reviewed.


Technical issues

Security solution providers, including the top penetration testing companies, encounter various technical issues when performing pen tests. One of the most important is system or application unavailability. This may be caused by overwhelming network traffic from scanning tools like Nmap and Nessus, or by application-specific testing tools like HP WebInspect or IBM AppScan. Unavailability may also stem from a particular application defect, where application forms or other input channels are repeatedly fed malicious data. Another kind of availability issue that can occur during pen testing concerns user account lockout. This is frequently brought about by solution providers attempting to log into authentication interfaces rapidly with "brute force" logins.
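The account-lockout problem is avoidable once the client's lockout policy is known: attempts have to be spread so that no single account ever reaches the failure threshold inside one observation window. The following Python is an added example, not part of the original essay. It plans a password spray (one candidate password across every account per round, which keeps per-account failures low) against a hypothetical "5 failures in 30 minutes" policy, and includes a checker that reports the worst case any account would see, so the plan can be verified before it is run. The account names, candidate passwords and policy values are constructed; the safety margin is an assumption, kept so that a user's own typos cannot tip an account over the threshold.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # failed attempts that lock the account
    window_minutes: int     # observation window after which the failure counter resets
    safety_margin: int = 1  # attempts left unused for the user's own typos (assumption)


# Constructed inputs for the example (hypothetical account names and candidate passwords).
ACCOUNTS = ["alice", "bob", "carol"]
PASSWORDS = ["Password1", "Welcome1", "Summer2013", "Autumn2013",
             "Winter2013", "Company123", "Changeme1"]
POLICY = LockoutPolicy(threshold=5, window_minutes=30)


def plan_spray(accounts, passwords, policy):
    """Return (minute_offset, account, password) attempts.

    Passwords are tried in rounds (one password across every account). After
    threshold - 1 - safety_margin rounds the plan waits out a full observation
    window plus one minute, so no account ever reaches the lockout threshold.
    """
    per_window = policy.threshold - 1 - policy.safety_margin
    if per_window < 1:
        raise ValueError("policy leaves no safe attempts per window")
    schedule, minute = [], 0
    for round_no, pw in enumerate(passwords):
        if round_no and round_no % per_window == 0:
            minute += policy.window_minutes + 1   # failure counters have reset by now
        for account in accounts:
            schedule.append((minute, account, pw))
    return schedule


def max_attempts_in_window(schedule, window_minutes):
    """Worst case attempts any single account receives inside one observation
    window; run it over a plan before executing the plan."""
    by_account = {}
    for minute, account, _ in schedule:
        by_account.setdefault(account, []).append(minute)
    worst = 0
    for minutes in by_account.values():
        minutes.sort()
        for i, start in enumerate(minutes):
            in_window = sum(1 for m in minutes[i:] if m - start <= window_minutes)
            worst = max(worst, in_window)
    return worst


if __name__ == "__main__":
    plan = plan_spray(ACCOUNTS, PASSWORDS, POLICY)
    print(f"{len(plan)} attempts; worst case {max_attempts_in_window(plan, POLICY.window_minutes)}"
          f" per account per {POLICY.window_minutes}-minute window (lockout at {POLICY.threshold})")
```

The plan is only as good as the policy it was given: if the client's directory counts failures differently (for example, never resetting the counter until an administrator unlocks the account), the checker will still report a safe number while the real system locks users out, so the threshold and window should be confirmed with the client, not guessed.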

Other technical issues may arise from the use of particular exploit code that renders services unresponsive or systems unstable. When this happens in a production environment, the answer is to avoid the use of those particular exploit types for the duration of the test, although the vulnerability should still be recorded in the final report.

Organization Policy

Many issues that arise during pen tests are managerial or political in nature. A great challenge arises when there is a lack of communication between the security group requesting the test and the business or application owners in other parts of the organization. Often, the business unit finds out about the test after it has begun, or worse, when technical problems occur. This can result in considerable political turmoil, and will typically delay the project. Another common experience for solution providers relates to the delivery of findings. After flaws in systems and applications have been found and the final report delivered, the body receiving the report may rate the findings as less critical than the solution provider does. Ultimately, this is a risk decision that must be made internally by the client, and the solution provider is not responsible for it, as long as the findings are technically valid (and the provider has verified them properly to remove false positives). Disputes of this kind can also lead to the unnecessary cost of re-testing. More troubling is pressure for testing results to be changed or reduced in severity simply to "save face" or to smooth political or compliance concerns inside the organization. This is a typical ethical dilemma faced by pen testers, and it is critical to maintain the highest standards of integrity at all times.

Report writing

Writing the Testing Guide has proven to be a difficult task. It was a challenge to obtain consensus and develop content that allowed people to apply the concepts described in the guide, while also enabling them to work in their own environment and culture. It was also a challenge to shift the focus of web application testing from penetration testing to testing integrated into the software development life cycle.

Other Challenges

  1. How Much Should a Test Cost?

It might be hard to accept, but selecting a third party to test your systems is not a simple undertaking. If you do find someone, and they are good, they will probably be very busy. The better someone's reputation, the more you can expect to pay for his or her services. When dealing with consultants, ask for four things. One, ask for references. Two, ask to talk directly with the person(s) doing the testing. Three, ask the testers what methods they use to limit unintended damage to your network and what they do with the data when they have finished testing. And four, make sure to get a signed NDA between you and the testing organization. After you have received a quote for the security testing, get a second or third quote from different kinds of specialists. You may want to obtain quotes from larger security firms and also from smaller firms that may even be located in your area. The bottom line with any penetration test is deciding what finding a set of vulnerabilities is worth to you.

  2. Doing it yourself

Authorizing an internal penetration test presents many different issues. First of all, the individuals chosen for the testing must be trustworthy and not easily swayed by emotion. There have been too many horror stories of penetration testers heading straight for the CEO's email account. Most CEOs do not take kindly to the intrusion, regardless of any vulnerability found. Any penetration team must be mature enough to weigh the effect of internal politics when conducting the test. During the test, sensitive information about individuals, projects and many other aspects of an organization may be uncovered. This information must be handled discreetly and maturely, so that vulnerabilities are found without invading the privacy of individuals. It is also recommended that the senior manager of any network operations or MIS group be informed of the testing. This can avoid resource-wasting investigations into hardware failures and other network interruptions that may have been caused by the penetration testing. It can also limit overreaction by staff who may find evidence of the penetration attempt.

  3. Us vs. Them

If system administrators have any knowledge of the penetration test before it happens, there is a risk that they will take additional steps to secure the network. This may present a higher state of security than is normally in place. There have been several cases of system administrators attempting to secure the network even as the testing was progressing. The human element may also come into play in penetration testing. It is quite possible for an administrator to make assurances about the network's security at staff meetings and to their management. When a penetration test then shows vulnerabilities, emotions may become involved. These emotions may over-emphasize the seriousness of a vulnerability, or the exact opposite. It is just as likely for a penetration test team member to hunt down any vulnerability, no matter how small, as it is for an administrator to downplay test results.

  4. The Slippery Slope

Experienced security testers are extremely skilled individuals, but when they do not find easy ways to compromise a network, one of two courses of action follows. First, the testers claim that with more time they might have been able to break in. In this situation, the tester ought to be able to present data to support those claims. If the data is convincing, you may wish to authorize a second test.

Second, if a compromise has not been achieved, the tester will point out possible denial of service attacks, sensitive information that ought not to be on public sites, and many other things that do not directly affect the security of the network. The seriousness of these findings should be considered, but they are typically signs that the testers were not able to break into the test network.

Penetration Tools Recently Used

Acunetix, as it is called, has both a free and a paid version. This tool has many uses, but principally it tests for SQL injection and cross-site scripting. The application has state-of-the-art crawler technology, which includes a client-script analyzer engine. It produces detailed reports that identify the security issues present, together with the vulnerabilities. The most recent version, Acunetix WVS version 8, includes several new security features, for example a module that tests for slow HTTP denial of service. Acunetix's latest version also ships with a compliance report template for ISO 27001. This is helpful for penetration testers and developers since it allows organizations to report their web application findings against ISO 27001.
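The SQL injection class that a scanner like Acunetix hunts for comes down to one defect: user input spliced into the text of a query. The following Python is an added example, not part of the original essay or of Acunetix. It puts the vulnerable lookup beside its parameterized form against a constructed in-memory SQLite table, and shows the boolean-based probe a scanner sends (a tautology and a contradiction appended to a non-existent username) so that the two lookups can be told apart by their behaviour alone, without reading the source.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input is concatenated into the statement, so a quote in
    the input changes the structure of the query rather than its data."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """Hardened: the statement is fixed and the value travels separately as a
    bound parameter; the same input is only ever compared as data."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE username = ?", (username,))]


def looks_injectable(lookup, conn):
    """Boolean-based probe of the kind a web scanner sends. Both payloads name a
    user who does not exist; if the 'true' payload returns rows and the 'false'
    one does not, the input reached the SQL statement unescaped."""
    true_case = lookup(conn, "nobody' OR '1'='1")
    false_case = lookup(conn, "nobody' OR '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", looks_injectable(lookup_vulnerable, db))
    print("hardened lookup injectable:  ", looks_injectable(lookup_hardened, db))
```

The probe is deliberately structured as a pair: a single tautology that returns extra rows could be a coincidence of the application's logic, but a tautology and a contradiction that behave differently is strong evidence that the quote character broke out of the string literal.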

Second, Aircrack-ng is an extensive suite of network security tools that includes aircrack-ng (which cracks WEP keys and runs WPA dictionary attacks), airdecap-ng (which decrypts WEP- or WPA-encrypted capture files), airmon-ng (which places wireless cards into monitor mode, for instance when using an Alfa wireless adapter), the commonly used aireplay-ng (a packet injector), and airodump-ng (a packet sniffer), to mention a few. Other tools include airdriver-ng (to manage wireless drivers), airolib-ng (to store and manage ESSID and password lists and to compute Pairwise Master Keys), airserv-ng (which allows the penetration tester to access the wireless card from other machines), easside-ng (which allows communication with an access point without knowing the WEP key), tkiptun-ng (for WPA/TKIP attacks) and wesside-ng (an automated tool for recovering WEP keys).
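What airolib-ng precomputes and what aircrack-ng checks is worth seeing end to end, because the WPA-Personal dictionary attack never recovers the key directly: each candidate passphrase is stretched into a Pairwise Master Key, the PMK and the two nonces from the captured four-way handshake are expanded into the Key Confirmation Key, and the candidate is accepted only if the MIC it produces over the captured EAPOL frame matches. The following Python is an added example, not part of the original essay or of the Aircrack-ng project. The PMK derivation is checked against the public IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE"); the handshake itself (SSID, MAC addresses, nonces, EAPOL frame and the passphrase "Summer2013" that produced its MIC) is constructed for the illustration, not captured from any network.

```python
import hashlib
import hmac

# Public test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
REFERENCE_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is the per-ESSID value airolib-ng precomputes and stores."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa2_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """KCK = first 16 bytes of PTK = PRF-512(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck, frame_with_zeroed_mic):
    """WPA2/CCMP EAPOL-Key MIC: HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]


def eapol_m2_frame(snonce, key_data=b""):
    """Constructed EAPOL-Key message 2 (RSN descriptor; key info 0x010a = pairwise,
    MIC bit set, AES key descriptor version) with the MIC field zeroed, which is
    how the frame must look when its MIC is computed or verified."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10"          # descriptor, key info, key length
            + (1).to_bytes(8, "big")                      # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, key ID
            + b"\x00" * 16                                # MIC field, zeroed
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, frame, mic, wordlist):
    """Dictionary attack as aircrack-ng runs it: PMK -> KCK -> MIC per candidate,
    accepting the candidate whose MIC equals the one captured in message 2."""
    for candidate in wordlist:
        kck = wpa2_kck(wpa_pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return candidate
    return None


# Constructed handshake (not a real capture): deterministic nonces and MACs, with
# the "captured" MIC produced from the hypothetical passphrase "Summer2013".
SSID = "CorpGuest"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
M2_FRAME = eapol_m2_frame(SNONCE)
CAPTURED_MIC = eapol_mic(
    wpa2_kck(wpa_pmk("Summer2013", SSID), AP_MAC, STA_MAC, ANONCE, SNONCE), M2_FRAME)
WORDLIST = ["password", "letmein", "CorpGuest1", "Summer2013", "Winter2013"]


def demo_crack(wordlist=WORDLIST):
    return crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, M2_FRAME,
                           CAPTURED_MIC, wordlist)


if __name__ == "__main__":
    assert wpa_pmk("password", "IEEE") == REFERENCE_PMK
    print("recovered passphrase:", demo_crack())
```

The cost structure explains the tooling: the 4096-iteration PBKDF2 step dominates, and it depends only on the passphrase and the SSID, which is why airolib-ng precomputes PMKs per ESSID and why a network with a unique SSID and a long random passphrase is out of reach of this attack in practice.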

Like most of the security tools in our list, Aircrack also has a GUI front-end, known as Gerix Wifi Cracker. This is a freely licensed security tool under the GNU License and comes bundled in penetration testing Linux distributions such as BackTrack and BackBox. The Gerix GUI exposes several penetration testing functions that allow for network analysis, wireless packet capture, and packet injection.

Third, Cain & Abel has a reputation as a script-kiddie tool, but it is still impressive. Cain & Abel is described as a password recovery tool. It allows a penetration tester to recover various kinds of passwords by sniffing the network and cracking encrypted passwords using either dictionary or brute-force attacks. The tool can also record VoIP conversations, decode scrambled passwords, recover wireless network keys and reveal cached passwords. With the right usage and expertise, a penetration tester can also analyze routing protocols. The tool does not inherently exploit any software vulnerabilities or holes; rather it takes advantage of security weaknesses in the protocol standards themselves.

Students undertaking IT security certifications will use the tool to investigate APR (ARP Poison Routing), which enables sniffing on switched LANs and man-in-the-middle attacks (commonly abbreviated to MITM). The sniffer in the latest version of Cain allows analysis of encrypted protocols such as HTTPS. The new version also contains routing protocol authentication monitors, dictionary and brute-force crackers for all popular hashing algorithms, password calculators, cryptanalysis attacks and password decoders.

Fourth, Ettercap often accompanies Cain (third in our list). Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used to analyze network protocols in a security auditing context. Ettercap has four modes of operation:

  • IP-based: packets are filtered based on IP address.
  • MAC-based: packets are filtered based on MAC address (useful for sniffing connections through a gateway).
  • ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts. This is known as full duplex.
  • PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts. This is known as half duplex.
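Both Cain's APR and Ettercap's ARP-based modes leave the same footprint on the wire: a host's IP suddenly resolves to a new MAC, one MAC claims more than one IP (both ends of the full-duplex case), and the poisoner keeps re-sending replies so the victims' caches stay stale. The following Python is an added example, not part of the original essay or of either tool: a small detector run over a constructed stream of ARP replies that reports each of those three indicators once. The addresses, timestamps and thresholds are constructed for the illustration.

```python
from collections import defaultdict

# Constructed ARP reply stream (seconds, sender IP, sender MAC); not a real capture.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),   # gateway
    (0.5, "192.168.1.10", "00:11:22:33:44:10"),   # workstation
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),
    (3.0, "192.168.1.1",  "00:11:22:33:44:01"),
    (3.2, "192.168.1.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway's IP ...
    (3.3, "192.168.1.10", "de:ad:be:ef:00:99"),   # ... and the workstation's (full-duplex MITM)
    (4.0, "192.168.1.1",  "de:ad:be:ef:00:99"),   # gratuitous re-poisoning keeps caches stale
    (4.1, "192.168.1.1",  "de:ad:be:ef:00:99"),
]


def detect_arp_spoofing(replies, burst_threshold=3, burst_window=2.0):
    """Three indicators over an ARP reply stream, each reported once:
    mac-change   an IP's sender MAC differs from the one first learned (cache poisoning)
    multi-ip     one MAC claims several IPs, as when a MITM impersonates both ends
    reply-burst  burst_threshold or more replies for one IP inside burst_window seconds,
                 the re-poisoning cadence tools use to keep victims' caches stale
    """
    learned = {}                 # ip -> MAC first seen for it
    ips_by_mac = defaultdict(set)
    recent = defaultdict(list)   # ip -> timestamps of replies inside the burst window
    alerts, emitted = [], set()

    def emit(*alert):
        if alert not in emitted:
            emitted.add(alert)
            alerts.append(alert)

    for ts, ip, mac in replies:
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            emit("mac-change", ip, learned[ip], mac)
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            emit("multi-ip", mac, tuple(sorted(ips_by_mac[mac])))
        recent[ip] = [t for t in recent[ip] if ts - t <= burst_window] + [ts]
        if len(recent[ip]) >= burst_threshold:
            emit("reply-burst", ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES):
        print(alert)
```

The mac-change rule fires on benign events too (DHCP handing an address to a new device, a replaced NIC, a router failover), so in practice the first-seen table should be seeded from the DHCP server's leases or a static inventory, and a mac-change alert carries most weight when it coincides with the multi-ip or reply-burst indicators.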

Another tool is John the Ripper, which has the most striking name on the security pen-testing tools list. This extremely popular security tool, often shortened simply to "John", is a free password cracking tool. Originally created for the UNIX operating system, it currently runs on every major operating system. By far, this tool is one of the most popular password testing and cracking programs used by information security professionals. It combines various password crackers into one compact package, and is able to detect password hash types automatically through its own customizable cracker (Kpodar & Andrianaivo, 2011).
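The hash-type detection the paragraph mentions is mostly format recognition: modular crypt(3) hashes announce their algorithm in a "$id$" prefix, unsalted digests are recognizable by their hex length, and the 13-character alphabet of traditional DES crypt is distinctive. The following Python is an added example, not part of the original essay or of John the Ripper: it parses /etc/shadow-style lines, classifies each hash, and runs a wordlist against the unsalted digests it can attack with the standard library. The shadow lines and wordlist are constructed; the two raw digests are the well-known MD5 and SHA-1 of the string "password". NTLM shares its 32-hex-character shape with MD5 and is identified but not attempted here.

```python
import hashlib
import re

# Modular crypt(3) prefixes John recognises; longer prefixes are listed first.
MODULAR_PREFIXES = [
    ("$argon2id$", "argon2id"), ("$argon2i$", "argon2i"), ("$pbkdf2-sha256$", "pbkdf2-sha256"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$1$", "md5crypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt"), ("$y$", "yescrypt"),
]
# Unsalted hex digests by length -> (label, hashlib name); 32 hex chars is ambiguous.
RAW_HEX = {32: ("raw-md5 or NTLM", "md5"), 40: ("raw-sha1", "sha1"),
           64: ("raw-sha256", "sha256"), 128: ("raw-sha512", "sha512")}


def identify_hash(h):
    h = h.strip()
    if h in ("*", "!", "!!", ""):
        return "locked"                      # account has no usable password
    for prefix, name in MODULAR_PREFIXES:
        if h.startswith(prefix):
            return name
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in RAW_HEX:
        return RAW_HEX[len(h)][0]
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "descrypt"                    # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def parse_shadow_line(line):
    """/etc/shadow entry user:hash:lastchg:min:max:warn:inactive:expire: -> (user, hash, type)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry")
    user, h = fields[0], fields[1]
    return user, h, identify_hash(h)


def crack_unsalted_hex(h, wordlist):
    """Dictionary attack on an unsalted hex digest; returns (algorithm, word) or None."""
    h = h.strip().lower()
    if len(h) not in RAW_HEX:
        return None
    algo = RAW_HEX[len(h)][1]
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == h:
            return algo, word
    return None


# Constructed sample inputs (not from any real system).
SHADOW_LINES = [
    "root:$6$rounds=5000$Q1r7x9Lk$" + "A" * 86 + ":19000:0:99999:7:::",
    "svc:$1$saltsalt$" + "B" * 22 + ":19000:0:99999:7:::",
    "legacy:Ab/cdefghijkl:19000:0:99999:7:::",
    "nologin:*:19000:0:99999:7:::",
]
RAW_HASHES = ["5f4dcc3b5aa765d61d8327deb882cf99",            # md5("password")
              "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"]    # sha1("password")
WORDLIST = ["123456", "qwerty", "password", "letmein"]


def triage():
    """Classify each shadow hash and try the unsalted digests against the wordlist."""
    shadow = [parse_shadow_line(line) for line in SHADOW_LINES]
    cracked = [crack_unsalted_hex(h, WORDLIST) for h in RAW_HASHES]
    return shadow, cracked


if __name__ == "__main__":
    shadow, cracked = triage()
    for user, _, kind in shadow:
        print(f"{user}: {kind}")
    print("cracked:", cracked)
```

Classification is what decides the cost of the attack that follows: an unsalted MD5 falls to a wordlist in microseconds, while sha512crypt with its iteration count, or bcrypt, makes every candidate expensive, which is exactly the property a defender wants from a password store.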

Metasploit is another tremendous tool, developed by Rapid7 and used by pen testers and ethical hackers all over the world. The Metasploit Project is a security project which provides information about security vulnerabilities and aids penetration testing and intrusion detection. The open source framework is used by security professionals to execute exploit code during penetration tests. Another useful project is Metasploitable, a deliberately vulnerable build of Ubuntu Linux, created intentionally for testing security tools like the ones listed here and for demonstrating common vulnerabilities.

Nessus is another giant: a security tool that concentrates on vulnerability scanning. There is a free as well as a paid version, the free one being for personal use. It began in 1998 and has grown into one of the world's most popular security tools, especially as a vulnerability scanner. The company behind Nessus, Tenable Network Security, estimates that it is used by more than 75,000 organizations worldwide.

Nessus scans for various kinds of vulnerabilities, including those that would allow an attacker to gain control of, or access to, a machine or network. In addition, Nessus checks for possible misconfigurations (such as open mail relays, missing security patches, and so on). The tool also checks for default and common passwords, for which it can call on Hydra (an external tool) to launch a dictionary attack.


Conclusion

In today's world, the security of an organization's systems has become critically important. This is due to the ever-growing threat from attackers who aim to exploit those systems for their own malicious purposes. Before the actual exploitation takes place, an organization has to discover its vulnerabilities so as to close the loopholes that could be used against it. This paper has discussed the methodologies used in pen-testing, the procedure, and the challenges encountered in the process. It has also explored the penetration testing tools available to an organization to find and seal its vulnerabilities before attackers reach its systems.



References

Chen, X., Huang, B., & Xu, Z. (2006). Handbook of electronic security and digital forensics. New Jersey: World Scientific, pp. 116-125.

Kpodar, K., & Andrianaivo, M. (2011). ICT, financial inclusion, and growth: Evidence from African countries. Washington: International Monetary Fund.

Liu, S., & Hryciw, R. D. (2003). The local digital divide in Spain: A territorial analysis of the Internet penetration in the Spanish households.

Probst, C. W. (2012). Privacy penetration testing: How to establish trust in your cloud provider. In European Data Protection: In Good Health?, pp. 251-265.

Reeve, C. S., & Pritchard, F. P. (2006). A new penetration needle for use in testing bituminous materials. Journal of Agricultural Research, 24, 1121-1126.