What is Pentest (Penetration Testing)?
Pentest, also known as penetration testing, is a security service provided by specialized professionals to any organization that values its data. The testers approach the systems that are to be hardened from an attacker's perspective and thoroughly examine every in-scope network and system. During a penetration test, the testers apply a range of attack vectors against the target organization's systems, within the agreed scope, to find out which of them actually succeed.
Penetration testing can be automated with software applications or conducted manually. In either case, the process involves gathering information about the target before the test, identifying possible entry points, attempting to find vulnerabilities, and reporting the findings back to the organization.
The main purpose of pentesting is to identify security vulnerabilities. Additionally, penetration testing can be used to test an organization's security policies, compliance requirements, employee security awareness, and ability to detect and respond to security incidents. Typically, the information about the vulnerabilities identified through penetration testing is grouped and presented to the organization's IT and network system managers to help them make strategic decisions and prioritize improvement efforts.
What are the Types of Pentest? - Pentest Methodologies
Pentest types are divided into branches depending on the scope of the target to be tested. For example, if the test covers a web application, the service provided is called a web application penetration test.
Web Application Penetration Testing
Local Network Penetration Testing
External Network Penetration Testing
Mobile Application Penetration Testing
Frequently Asked Questions About Penetration Testing
Let's start with the most frequently asked question: why should we have a penetration test? Having a cybersecurity company probe your systems for vulnerabilities and report both their strengths and weaknesses back to you is an essential input to your security program. However much attention and effort you put into security, there is no limit to the methods and tools attackers can use against your systems, and the likelihood and impact of an attack vary with the attacker's knowledge and experience. Testing your systems with "White Hat" teams who think like attackers, know the current attack methods and can recommend measures against them is therefore a more realistic and efficient way to assess and improve security than reviewing your own configuration. In addition, regulatory and industry standards such as PCI DSS, HIPAA and KVKK require, or are commonly satisfied by, regular penetration testing.
During pentest activities, various risks arise because the target organization's systems are analyzed from a real attacker's perspective. Just as a real attacker can affect the entire system, an improperly conducted pentest can also cause service interruptions, for example by crashing a fragile service with an aggressive scan or by exhausting resources with a brute-force attempt. To avoid such disruptions, the pentesting team and the system administrators of the serviced organization should work in coordination: agree on the scope, testing windows, excluded systems and an emergency contact before testing starts, and keep a communication channel open throughout the test so that any problem can be stopped and resolved immediately.
The steps of penetration testing begin with signing the contract and making the plan. At this stage a confidentiality agreement is made between the consulting firm providing the service and the firm receiving it, and the service is carried out only within the scope specified in this agreement. After the contract stage, which can be considered the preparation stage, the technical penetration testing phases are applied in sequence:
Discovery Phase: The penetration tester researches the target organization and tries to expand the attack surface by collecting any information that can be collected (domains, IP ranges, employee names, exposed services, leaked credentials). Information gathering is one of the most important steps of pentesting; the more data collected here, the more successful the rest of the test will be.
Scanning Phase: While the discovery phase mostly uses passive information-gathering techniques, the scanning phase collects more concrete and actionable data by interacting directly with the target. Tools such as Nmap, Nessus and Burp Suite are used to scan the target organization's systems. The result of scanning is an inventory of open ports, the services listening on them and, where it can be determined, the product and version of each service.
Vulnerability Analysis Phase: The services identified in the scanning phase are examined for vulnerabilities. For example, if an outdated version of a service is found, known vulnerabilities affecting that version are researched and the ones that apply to the target's configuration are shortlisted for exploitation. Services whose product or version could not be identified are followed up manually rather than assumed to be safe.
Initial Access Phase: Once vulnerabilities are identified, the tester exploits them to gain the first foothold on the target system.
Ensuring Persistence and Lateral Movement: In the persistence phase the tester works to keep access to the compromised system. If necessary, the tester moves laterally within the network, from one system to another, to demonstrate how far the initial compromise could spread.
Cleaning Phase: Like a real attacker, after completing the relevant work the tester removes the tools, accounts and test data placed on the systems so that nothing from the test is left behind. Unlike a real attacker, the tester records every change that was made and coordinates the removal with the system administrators; the client's own logs and alerts are never deleted, because how well the organization detected the test is itself one of the results.
Reporting Phase: The most important stage of pentesting is the reporting phase. The report prepared to eliminate the detected security vulnerabilities must be extremely clear, detailed and understandable. The tests performed by the penetration testing team are meticulously recorded in the report, with the evidence, impact and recommended fix for each finding, and presented to the relevant system administrators.
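The hand-off between the scanning phase and the vulnerability analysis phase described above, as an added example that is not code from the original article: it reads the XML that Nmap writes with -oX, keeps only open ports, and compares each identified product version against a baseline of minimum acceptable versions. The sample XML is constructed by hand in Nmap's element layout (nmaprun/host/ports/port with state and service children), and the MIN_SAFE_VERSION table is a hypothetical baseline for illustration, not real advisory data; in a real engagement it would come from vendor advisories or a vulnerability feed.

```python
"""Turn Nmap's XML output (scanning phase) into the port/service/version
inventory that the vulnerability-analysis phase starts from.

Added example; not code from the original article. The sample XML and the
baseline table below are constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 10.0.0.5` might emit,
# trimmed to the elements this script reads. Host, ports and versions are
# made up for the example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.6"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline: the oldest version of each product the engagement
# treats as acceptable. Illustrative values only, not real advisory data.
MIN_SAFE_VERSION = {
    "OpenSSH": "8.0",
    "Apache httpd": "2.4.50",
}


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version.
    Closed and filtered ports are dropped; missing product/version come back as ''.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return findings


def version_key(version):
    """Numeric tuple for comparison: '2.4.6' -> (2, 4, 6), '7.4p1' -> (7, 4, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def flag_outdated(findings, baseline=MIN_SAFE_VERSION):
    """Split findings into (outdated, unknown).

    outdated: product is in the baseline and the reported version is older
              than the minimum acceptable one (candidates for CVE research).
    unknown:  product or version was not identified; these go to manual
              follow-up instead of being silently treated as safe.
    """
    outdated, unknown = [], []
    for f in findings:
        if not f["product"] or not f["version"]:
            unknown.append(f)
            continue
        minimum = baseline.get(f["product"])
        if minimum and version_key(f["version"]) < version_key(minimum):
            outdated.append(f)
    return outdated, unknown


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    old, unk = flag_outdated(inventory)
    for f in inventory:
        tag = "OUTDATED" if f in old else ("UNKNOWN" if f in unk else "ok")
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']:<6} "
              f"{f['product']} {f['version']} [{tag}]")
```

Running the script prints the three open ports from the sample and tags OpenSSH 7.4 and Apache httpd 2.4.6 as outdated against the hypothetical baseline, while the MySQL service with no version banner is marked unknown; the closed port 443 never reaches the report. The unknown bucket is the important design choice: an unidentified service is a gap in the scan, not a clean result.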
Penetration tests are primarily categorized into 3 different methodologies based on the attacker's perspective and the information made available to the tester:
Black Box Pentest Methodology: The tester approaches the system like a real external threat actor, with no prior knowledge of the target beyond what is publicly discoverable, and conducts the entire penetration process from scratch. Because nothing is given in advance, black box testing most closely reproduces what an outside attacker would actually find and how far they could get; it also spends a large part of the time budget on discovery, so it may miss weaknesses that sit behind what the tester could not reach.
Gray Box Pentest Methodology: The tester has limited information about the target, typically a low-privileged user account, documentation of the application or the network ranges in scope, and tests with the permissions that information grants. This simulates an insider or an attacker who has already obtained a foothold.
White Box Pentest Methodology: The system administrators provide the tester with full information about the organization's systems, such as architecture diagrams, configurations, credentials and, for applications, the source code. White box testing is preferred when coverage matters most, because the tester does not have to rediscover what the organization already knows and can reach the deepest parts of the system within the same time.
As mentioned above, penetration test methodologies are divided into these 3 categories, and the choice depends on the objective of the test. To accurately determine the potential impact of a cyber incident as it would occur in a real-life scenario, the black box methodology should be preferred; to find as many weaknesses as possible before an attacker does, the white box methodology gives better coverage for the same effort.