Network Penetration Testing 101, It’s Black and White


There has been a lot of press covering recent high profile security breaches.  The criminals behind these attacks may think of themselves as “hackers”, but the professionals who protect and secure these systems also call themselves hackers; “ethical hackers.”  Ethical (or white hat– like the cowboy hero) hackers leverage many of the same tools and techniques as the criminals, for the purpose of protecting and defending systems.  The ultimate expression of these tools and techniques is the penetration test.  Penetration testing is a “friendly fire” attack on the systems (or comparable test systems) with the goal of identifying weaknesses that can be corrected or mitigated.

The Penetration Test Process

A penetration test tries to evaluate the state of a network in a pragmatic, real-world fashion.  Potential vulnerabilities are tested and exploited, taking a theoretical risk and making it real, and in the process quantifying its potential impact in the process.  Appropriate precautions are taken, but the most effective technique is often to use the same tools to assault the network as are used by attackers to compromise and exploit systems.  Without such real-world tests against real systems, any results are questionable and may misrepresent the true risk to production systems, exposed data within the corporate network, and more broadly on the internet.  The empirical understanding provided by penetration testing provides more value than a vulnerability scan or software and system audits because the methods used can be re-applied in a regression test after the problems have been addressed to confirm that the vulnerability has been reduced or eliminated.

There are many methodologies for penetration testing, both from government and private sources but the testing process has several common forms.  A “white box” (or crystal box) test is performed with a complete understanding of the target networks and systems.  This test models the risk that may exist from internal threats and is a very effective method of testing since resources can focus on the areas of greatest risk and concern.  A “black box” test starts with little or no knowledge of the targets, much like an external attacker would.  These tests may take longer but may help discover vulnerabilities that those familiar with the infrastructure might overlook.  Finally, a “hybrid test” combines a bit of the white and black methods, giving enough information at the start to prime the testing process without leading the conclusions based on familiarity.

The tools used in penetration testing are perhaps the most interesting and terrifying parts of the process.  To effectively evaluate systems, these tools have to leverage the same means to exploit systems as used by the criminals.  For instance, the Metasploit Framework provides an automated approach to leveraging most known exploits against most common operating system and application software.  Other tools provide additional assistance cracking passwords, attacking web applications, or compromising wireless networks.

Penetration testing is done.  Now what?

Findings from penetration testing must be communicated to the corporate community quickly and concisely or the testing provides no value.  The final executive summary is very important.  An executive summary typically provides senior management with an appreciation of the risks and any required high priority responses to weaknesses found.  A detailed account of findings gives results which can then be used by IT staff to resolve specific issues on specific systems.  And finally, a methods and tools description describes how the tests were performed and what tools were used.

In the end, it is essential to know the system vulnerabilities in order to secure them and the data they house.  Securing those systems and protecting them from being compromised requires white hat ethical hackers to have the skills, tools, and a mindset similar to the attackers without the malicious intent that drives criminals.


Joe Skora, Technical Consultant