What is Network Penetration Testing? It is a simulation of a cyberattack. Security professionals will try to bypass security protocols that are in place to gain access to the network using varied means. PenTesting is done to find out vulnerabilities in the network before an actual malicious actor can exploit them.
Well-known Penetration Testing (PT) Methodologies
There are many PenTest methodologies, but the most well-known are:
- OWASP Testing Guide (OTG), providing a framework for testing web application security
- Penetration Testing Execution Standard (PTES), covers the various sections related to penetration testing, e.g. pre-engagement, intelligence gathering, threat modeling, exploitation, post-exploitation, and reporting
- NIST SP 800-115, provides guidelines for security assessment and testing
- Open Source Security Testing (OSST), involves identifying vulnerabilities in open-source software and systems
- Information System Security Assessment Framework (SSAF), provides guidance in conducting a PenTest

Following standard PenTesting methodologies has some disadvantages, namely:
- Probability of overlooking unconventional attack vectors and zero-day threats
- Frameworks do not guarantee iron-clad security, especially if critical flaws are missed
- Testing is slowed down due to extensive documentation and compliance checks
- Malicious actors do not follow structured steps
- Tendency of organizations to prioritize compliance over true risk mitigation
A better way of doing Penetration Testing is to adopt the mindset of a hacker and think like a criminal. Testing done in a hacker's style is always better.
- Black Box Testing – simulates a real hacking attack where the attacker has no prior knowledge of the system’s internal infrastructure
- Guerilla PenTesting – creative style of hacking, leveraging zero-days, misconfigurations, and chaining exploits
- Bug Bounty style – automated and intuition-based hacking attack with no predefined scope
- Real world Black Hat techniques – includes social engineering, physical intrusion and exploit development
A part of Penetration Testing involves gathering information about the target and scanning for vulnerabilities.
Information Gathering
Passive reconnaissance
- Using stealth to gather data, no direct interaction with target
- Analyze available public information, e.g. WHOIS, DNS, social media
- Profile target by mapping network infrastructure, employee details, and exposed assets
Assess key areas in network
- Identify VLAN structure, ACL gaps, and firewall misconfigurations
- Scan for open ports, exposed management interfaces, and misconfigured services
- Check for flaws in routing protocols and misconfigurations
- Check security of the wireless system, e.g. encryption, MAC spoofing risks
- Check for unused ports that are not disabled
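The checks above (VLAN structure, misconfigured services, unused ports left enabled) can be scripted against a switch's running configuration. The following is an added example, not code from the original page: it parses a constructed Cisco IOS-style config (no real device, all interface names and VLANs are made up) and flags ports that are not shut down yet carry no description, VLAN or mode, plus ports that still negotiate trunking, which is the precondition for VLAN hopping.

```python
"""Added example: audit a switch running-config for Layer 2 hardening gaps.
The config below is constructed in Cisco IOS style and is not from any
real device."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description Uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet1/0/2
 description Finance workstation
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/4
 shutdown
!
interface GigabitEthernet1/0/5
!
"""


def parse_interfaces(config: str) -> dict:
    """Split the config into {interface name: [stripped config lines]}."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!"):
            current = None          # '!' terminates an interface block
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit_interfaces(config: str) -> dict:
    """Return {interface: [finding codes]} for interfaces with at least one finding."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        is_shutdown = "shutdown" in lines
        has_description = any(l.startswith("description ") for l in lines)
        mode = next((l for l in lines if l.startswith("switchport mode ")), "")
        has_access_vlan = any(l.startswith("switchport access vlan ") for l in lines)

        # A port with no description, no VLAN assignment and no mode is almost
        # certainly unused; left enabled it is an unmonitored entry point.
        if not is_shutdown and not has_description and not mode and not has_access_vlan:
            issues.append("unused-port-not-disabled")

        # Dynamic (DTP) mode lets whatever is plugged in negotiate a trunk and
        # reach every VLAN carried on it: the classic VLAN hopping precondition.
        if not is_shutdown and "dynamic" in mode:
            issues.append("trunk-negotiation-enabled")

        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for iface, issues in audit_interfaces(SAMPLE_CONFIG).items():
        print(f"{iface}: {', '.join(issues)}")
```

On the sample config this reports GigabitEthernet1/0/5 as an unused port that was never disabled and GigabitEthernet1/0/3 as still negotiating trunks; a trunk uplink with a description and an access port with an assigned VLAN pass. The heuristic for "unused" is deliberately conservative; cross-check it against the switch's MAC address table or interface counters before shutting anything down.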
Vulnerability Scanning
Vulnerability scanning identifies security weaknesses by scanning for open ports and misconfigurations. The depth of scanning varies depending on whether it is done for an audit, for pentesting, or for an assessment.
- Network discovery and mapping – identifies live hosts, open ports, and running services
- Service and Protocol assessment – scans for misconfigured services, e.g. SSH, RDP, SNMP, DNS, HTTP, HTTPS
- Layer 2 & Routing weaknesses – checks for BGP hijacking, OSPF/EIGRP manipulation, STP attacks
- Discover wireless network vulnerabilities – detects weak encryption, rogue APs
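The discovery and service-assessment steps above produce a list of live hosts, open ports and running services; the useful next step is to turn that into an inventory and flag the management interfaces (SSH, RDP, SNMP and similar) that are reachable. The following is an added example, not code from the page: it parses a constructed document in the shape of an nmap XML report (the addresses and services are made up) and lists exposed management services. The management-port table is an assumption for the example, not a standard list.

```python
"""Added example: build a host/port/service inventory from a scan report and
flag exposed management interfaces. The XML below is constructed to mirror
the shape of an nmap XML report; it is not real scan output."""
import xml.etree.ElementTree as ET

SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Services that hand over administrative control of a device when reachable
# from an untrusted segment. Keyed by (protocol, port); assumed for the example.
MANAGEMENT_PORTS = {
    ("tcp", 22): "ssh",
    ("tcp", 23): "telnet",
    ("tcp", 3389): "rdp",
    ("udp", 161): "snmp",
    ("tcp", 5900): "vnc",
}


def parse_scan(xml_text: str) -> list:
    """Return [{'addr': ip, 'ports': [(proto, port, service), ...]}] for hosts
    reported up, keeping only ports reported open."""
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # host never answered: not live
        addr = host.find("address").get("addr")
        open_ports = []
        for port in host.findall("./ports/port"):
            if port.find("state").get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        hosts.append({"addr": addr, "ports": open_ports})
    return hosts


def exposed_management(hosts: list) -> list:
    """List (addr, proto, port, label) for every open management service."""
    findings = []
    for host in hosts:
        for proto, port, _name in host["ports"]:
            label = MANAGEMENT_PORTS.get((proto, port))
            if label:
                findings.append((host["addr"], proto, port, label))
    return findings


if __name__ == "__main__":
    inventory = parse_scan(SAMPLE_SCAN_XML)
    for host in inventory:
        print(host["addr"], host["ports"])
    for addr, proto, port, label in exposed_management(inventory):
        print(f"EXPOSED {label} on {addr} {proto}/{port}")
```

Matching on port number rather than the reported service name keeps the check stable when banner detection misnames a service (RDP shows up as ms-wbt-server in the sample); a finding here means "confirm this interface is meant to be reachable from where the scan ran", which is the question an audit, a pentest and an assessment all ask at different depths.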
Malicious actors can attack the network either at Layer 2, Layer 3, or via wireless. Some of the common attacks are:
Layer 2
- CAM flooding – the attacker overloads the switch’s CAM table with a large number of MAC addresses, causing the switch to act as a hub
- DHCP starvation – the attacker sends a large number of DHCP request packets to the server, never sending any acknowledgement to the server, exhausting the available IP addresses
- DHCP spoofing – the attacker installs a rogue DHCP server in the network
- Spanning Tree Protocol (STP) manipulation – the attacker introduces a rogue switch into the network with the best bridge ID, causing the rogue switch to be elected as the root bridge
- VLAN hopping – allows attackers to access restricted network segments
Layer 3
- BGP Route Injection – a subnet gets advertised to a BGP peer erroneously, either intentionally or through misconfiguration, causing routes to become unreachable
- BGP Route hijacking – a BGP router advertises a subnet that does not belong to its assigned group of subnets
- IP Spoofing – the source IP address in the packet is manipulated by the attacker to make the packet appear to come from a trusted source
- Routing table manipulation – the attacker manipulates the metrics of some subnets, causing traffic to take another route, most probably via an attacker’s router, to reach the destination subnet
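Two of the Layer 3 attacks above have well-understood checks on the receiving side: a BGP announcement can be compared against a table of which AS is authorized to originate which prefix (the check RPKI route origin validation performs), which catches both a hijack from the wrong origin AS and the injection of a more-specific prefix than the owner allows; and IP spoofing is blocked at the edge by ingress filtering, which rejects packets whose source address is impossible for the interface they arrived on. The following is an added example, not code from the page; all ASNs, prefixes and interface names in it are constructed.

```python
"""Added example: origin-validate BGP announcements against an authorized
prefix/origin table and apply an ingress anti-spoofing filter. Every ASN,
prefix and interface name here is constructed for the example."""
import ipaddress

# Authorized origins as (prefix, max prefix length, origin AS). Constructed.
ROUTE_ORIGIN_AUTHS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 26, 64501),
]


def validate_origin(prefix: str, origin_as: int, roas=ROUTE_ORIGIN_AUTHS) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found'.

    'invalid' covers both hijacking (a covered prefix announced by the wrong
    AS) and injection of a more-specific prefix than the owner permits."""
    announced = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if announced.version != roa_net.version or not announced.subnet_of(roa_net):
            continue
        covered = True
        if roa_as == origin_as and announced.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"


def classify_announcements(announcements) -> list:
    """Return [(prefix, origin_as, verdict)] for a list of (prefix, origin_as)."""
    return [(p, a, validate_origin(p, a)) for p, a in announcements]


# Ingress filtering: which sources may legitimately arrive on each interface.
# Constructed topology: lan0 serves 10.10.0.0/16, wan0 faces the Internet, and
# no internal range should ever arrive from the outside.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERFACE_SOURCES = {"lan0": [ipaddress.ip_network("10.10.0.0/16")]}


def is_spoofed(interface: str, src_ip: str) -> bool:
    """True when the source address is not plausible for the ingress interface."""
    src = ipaddress.ip_address(src_ip)
    if interface in INTERFACE_SOURCES:
        # Inside interface: only its own assigned networks may source traffic.
        return not any(src in net for net in INTERFACE_SOURCES[interface])
    # Outside interface: internal ranges and loopback must never appear here.
    return any(src in net for net in INTERNAL_NETS) or src.is_loopback


if __name__ == "__main__":
    sample = [
        ("192.0.2.0/24", 64500),       # owner announces its own block
        ("192.0.2.0/24", 64666),       # hijack: wrong origin AS
        ("192.0.2.128/25", 64500),     # injection: more specific than allowed
        ("198.51.100.64/26", 64501),   # within the allowed maximum length
        ("203.0.113.0/24", 64500),     # no authorization on file
    ]
    for prefix, asn, verdict in classify_announcements(sample):
        print(f"{prefix:<20} AS{asn}  {verdict}")
    print("wan0 from 10.10.5.5 spoofed:", is_spoofed("wan0", "10.10.5.5"))
    print("lan0 from 10.10.5.5 spoofed:", is_spoofed("lan0", "10.10.5.5"))
```

A "not-found" verdict is not a green light; it means the prefix has no authorization on file, which is exactly where a misconfigured peer can leak routes unnoticed. Routing table manipulation through metric changes is not caught by origin validation at all and is better addressed by authenticating routing protocol neighbours and passive interfaces toward untrusted segments.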
If you’re a network engineer aiming to expand your skills into penetration testing or ethical hacking, this video is a must-watch. It’s especially helpful for wireless network engineers looking to understand and work with various hacking tools.