Importance of Network Penetration Testing

What is Network Penetration Testing? It is an authorized simulation of a cyberattack. Security professionals try to bypass the security controls that are in place and gain access to the network by the same varied means a real attacker would use. PenTesting is done to find vulnerabilities in the network, and to show how far they can be exploited, before an actual malicious actor does so.  
Well-known Penetration Testing (PT) Methodologies 
There are a lot of PenTest methodologies, but the most well-known are  
  • OWASP Testing Guide (OTG, now published as the Web Security Testing Guide, WSTG), providing a framework for testing web application security 
  • Penetration Testing Execution Standard (PTES), covering the phases of a penetration test: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting
  • NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment), providing guidelines for planning and conducting security assessments and tests
  • Open Source Security Testing Methodology Manual (OSSTMM), ISECOM's openly published methodology for testing and measuring operational security; "open source" refers to the methodology itself, not to testing open-source software 
  • Information Systems Security Assessment Framework (ISSAF), from the OISSG, providing step-by-step guidance for conducting a PenTest 
Following standard PenTesting methodologies has some disadvantages, namely:  
  • A checklist-driven test can overlook unconventional attack vectors and zero-day threats
  • Passing a framework's checks does not guarantee iron-clad security; critical flaws outside the checklist are still missed
  • Testing is slowed down by extensive documentation and compliance checks
  • Malicious actors do not follow structured steps
  • Organizations tend to prioritize compliance over true risk mitigation 
A better way of doing Penetration Testing is to take on the mindset of a hacker, thinking like a criminal. Testing done in this style finds the weaknesses that a checklist-driven test never asks about. 
  • Black Box Testing – simulates a real attack in which the tester has no prior knowledge of the system's internal infrastructure 
  • Guerilla PenTesting – a creative style of hacking that leverages zero-days, misconfigurations, and chained exploits
  • Bug Bounty style – many independent researchers probe the target, guided by automation and intuition rather than a predefined test plan (a bounty program still defines which assets are in scope)
  • Real-world Black Hat techniques – include social engineering, physical intrusion, and exploit development 
A part of Penetration Testing involves gathering information about the target and scanning for vulnerabilities. 
 
Information Gathering 
Passive reconnaissance
    • Use stealth to gather data, with no direct interaction with the target
    • Analyze publicly available information, e.g. WHOIS records, DNS records, certificate transparency logs, social media
    • Profile the target by mapping its network infrastructure, employee details, and exposed assets
Assess key areas in the network
    • Identify the VLAN structure, ACL gaps, and firewall misconfigurations
    • Scan for open ports, exposed management interfaces (SSH, Telnet, SNMP, web UIs), and misconfigured services
    • Check for flaws in routing protocols, e.g. unauthenticated OSPF/EIGRP/BGP neighbor relationships
    • Check the security of the wireless system, e.g. the encryption in use and MAC spoofing risks
    • Check for unused switch ports that have not been shut down 
 
Vulnerability Scanning 
Vulnerability scanning identifies security weaknesses by scanning for open ports, outdated software versions, and misconfigurations. The depth of scanning varies depending on whether it is done for an audit, a penetration test, or a risk assessment.  
  • Network discovery and mapping – identifies live hosts, open ports, and running services and their versions
  • Service and protocol assessment – scans for misconfigured or weakly authenticated services, e.g. SSH, RDP, SNMP, DNS, HTTP, HTTPS
  • Layer 2 and routing weaknesses – checks exposure to BGP hijacking, OSPF/EIGRP manipulation, and STP attacks
  • Wireless network vulnerabilities – detects weak encryption and rogue APs 
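To make the "network discovery and mapping" step concrete, here is an added example (not part of the original article) of a TCP connect scan with banner grabbing in Python. It stands up its own throwaway listener on 127.0.0.1 so it runs offline; the target address, the port list and the SSH-style banner string are assumptions for the demonstration. Use it only against hosts you are authorised to test.

```python
"""Minimal TCP connect scan with banner grabbing.

A throwaway listener is started on 127.0.0.1 so the scan has a known open
port to find without touching any real host (constructed target). For a
real engagement, point TARGET and the port list at systems you are
authorised to test.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Optional

TARGET = "127.0.0.1"      # assumption: scan the local host only
CONNECT_TIMEOUT = 0.5     # seconds to wait for the TCP handshake
READ_TIMEOUT = 0.5        # seconds to wait for a service banner


def start_fake_service(banner: bytes) -> int:
    """Start a TCP listener on an ephemeral port that greets every client
    with `banner`, mimicking a service that speaks first (SSH, FTP, SMTP).
    Returns the port it is bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((TARGET, 0))          # port 0 = let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe_port(host: str, port: int) -> Optional[Dict]:
    """TCP connect probe of a single port. Returns {'port', 'banner'} when
    the port accepts the connection, None when it refuses or times out."""
    try:
        with socket.create_connection((host, port), timeout=CONNECT_TIMEOUT) as s:
            s.settimeout(READ_TIMEOUT)
            try:
                banner = s.recv(256)
            except OSError:        # service waits for the client to speak first
                banner = b""
            return {"port": port, "banner": banner.decode("ascii", "replace").strip()}
    except OSError:                # ECONNREFUSED, timeout, host unreachable
        return None


def scan(host: str, ports: Iterable[int]) -> List[Dict]:
    """Probe ports concurrently and return the open ones, lowest first."""
    with ThreadPoolExecutor(max_workers=64) as pool:
        results = pool.map(lambda p: probe_port(host, p), ports)
    return sorted((r for r in results if r), key=lambda r: r["port"])


def demo() -> Dict:
    """Stand up the constructed service, scan a window around it plus a few
    well-known ports, and return both so the result can be checked."""
    listener = start_fake_service(b"SSH-2.0-OpenSSH_8.9 constructed-banner\r\n")
    ports = set(range(listener - 5, listener + 6)) | {22, 80, 443, 3389}
    return {"listener_port": listener, "open": scan(TARGET, sorted(ports))}


if __name__ == "__main__":
    result = demo()
    for entry in result["open"]:
        print(f"{TARGET}:{entry['port']} open  {entry['banner'] or '(no banner)'}")
```

A connect scan completes the three-way handshake, so it appears in the target's connection logs; Nmap defaults to a half-open SYN scan when it has raw-socket privileges, which is quieter. Banners are the first input to version-based vulnerability matching, but they can be changed by the administrator, so treat them as hints to be confirmed, not facts.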
Malicious actors can attack the network either at Layer 2, Layer 3, or via wireless. Some of the common attacks are: 
 
Layer 2 
  • CAM flooding – the attacker floods the switch with frames from thousands of forged source MAC addresses until the CAM (MAC address) table is full; the switch then floods unknown-unicast traffic out every port, acting as a hub and letting the attacker sniff other hosts' traffic
  • DHCP starvation – the attacker sends a flood of DHCP DISCOVER/REQUEST messages with spoofed client MAC addresses, exhausting the server's pool of leasable IP addresses
  • DHCP spoofing – the attacker installs a rogue DHCP server in the network (often after starving the real one) and hands out leases that point the default gateway and DNS server at attacker-controlled hosts
  • Spanning Tree Protocol (STP) manipulation – the attacker introduces a rogue switch, or sends crafted BPDUs, with a lower (better) bridge ID than the current root, so the rogue device is elected root bridge and traffic is re-routed through it 
  • VLAN hopping – the attacker reaches restricted network segments either by negotiating a trunk with DTP (switch spoofing) or by sending double-tagged 802.1Q frames through the native VLAN 
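Each of the five attacks above corresponds to a condition a switch can be told to watch for. The following added example (mine, not the article's or any vendor's code) models those checks in Python over a constructed stream of frames: a MAC-per-port limit as port security does, server-side DHCP messages on untrusted ports as DHCP snooping does, superior BPDUs as root guard does, and tagged frames on access ports for double tagging. Port names, MAC addresses, thresholds and the legitimate root bridge ID are all assumed values.

```python
"""Layer 2 attack detection over a constructed stream of frames.

Plain-Python model of what port security (CAM flooding, DHCP starvation),
DHCP snooping (rogue DHCP), root guard (STP manipulation) and access-port
tag filtering (double-tag VLAN hopping) check. Frames and MACs are
constructed for the example, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import DefaultDict, List, Optional, Set, Tuple

BridgeId = Tuple[int, str]   # (priority, MAC); lower compares as better, as in STP


@dataclass
class SwitchPolicy:
    trusted_dhcp_ports: Set[str]        # uplinks toward the real DHCP server (snooping "trust")
    access_ports: Set[str]              # end-host ports: few MACs, never 802.1Q-tagged frames
    max_macs_per_port: int = 3          # port-security maximum for an access port
    max_dhcp_clients_per_port: int = 5  # distinct DHCP client MACs tolerated on one port
    root_bridge_id: BridgeId = (4096, "00:11:22:33:44:55")  # legitimate root (assumption)


@dataclass
class Frame:
    port: str
    src_mac: str
    vlan_tags: List[int] = field(default_factory=list)  # 802.1Q tags seen, outer first
    dhcp_msg: Optional[str] = None                       # DISCOVER / OFFER / REQUEST / ACK
    bpdu_root_id: Optional[BridgeId] = None              # root bridge ID claimed in a BPDU


class L2Monitor:
    def __init__(self, policy: SwitchPolicy) -> None:
        self.policy = policy
        self.macs_seen: DefaultDict[str, Set[str]] = defaultdict(set)
        self.dhcp_clients: DefaultDict[str, Set[str]] = defaultdict(set)
        self.alerts: List[Tuple[str, str, str]] = []   # (port, kind, detail)

    def _alert(self, port: str, kind: str, detail: str) -> None:
        self.alerts.append((port, kind, detail))

    def feed(self, f: Frame) -> None:
        p = self.policy
        is_access = f.port in p.access_ports

        # CAM flooding: an access port learning more MACs than a host group needs.
        # Port security would err-disable the port; we alert once at the threshold.
        self.macs_seen[f.port].add(f.src_mac)
        if is_access and len(self.macs_seen[f.port]) == p.max_macs_per_port + 1:
            self._alert(f.port, "CAM_FLOOD", f"{p.max_macs_per_port + 1}+ source MACs on access port")

        if f.dhcp_msg in ("DISCOVER", "REQUEST"):
            # DHCP starvation: many distinct "clients" requesting leases from one port
            self.dhcp_clients[f.port].add(f.src_mac)
            if len(self.dhcp_clients[f.port]) == p.max_dhcp_clients_per_port + 1:
                self._alert(f.port, "DHCP_STARVATION", f"{p.max_dhcp_clients_per_port + 1}+ DHCP clients on one port")
        elif f.dhcp_msg in ("OFFER", "ACK") and f.port not in p.trusted_dhcp_ports:
            # DHCP spoofing: server-side messages arriving on an untrusted port
            self._alert(f.port, "ROGUE_DHCP", f"DHCP {f.dhcp_msg} from {f.src_mac}")

        # STP manipulation: a BPDU claiming a root with a better (lower) bridge ID than ours
        if f.bpdu_root_id is not None and f.bpdu_root_id < p.root_bridge_id:
            self._alert(f.port, "STP_ROOT_CLAIM", f"superior BPDU claims root {f.bpdu_root_id}")

        # VLAN hopping: access ports must never carry tagged frames; two tags = double tagging
        if is_access and f.vlan_tags:
            self._alert(f.port, "VLAN_HOP", f"802.1Q tags {f.vlan_tags} on access port")


def demo() -> List[Tuple[str, str, str]]:
    """Run the monitor over a constructed mix of benign and malicious frames."""
    policy = SwitchPolicy(trusted_dhcp_ports={"Gi0/24"}, access_ports={"Gi0/1", "Gi0/2", "Gi0/3"})
    mon = L2Monitor(policy)
    frames = [
        Frame("Gi0/24", "aa:aa:aa:00:00:01", dhcp_msg="OFFER"),    # real server on the trusted uplink
        Frame("Gi0/3", "aa:aa:aa:00:00:03", dhcp_msg="DISCOVER"),  # ordinary client
        Frame("Gi0/2", "de:ad:be:ef:00:02", dhcp_msg="OFFER"),     # rogue DHCP server on an access port
        Frame("Gi0/3", "de:ad:be:ef:00:03", bpdu_root_id=(0, "00:00:00:00:00:01")),  # rogue switch
        Frame("Gi0/1", "de:ad:be:ef:00:01", vlan_tags=[1, 20]),    # double-tagged: native VLAN 1, target 20
    ]
    # burst of spoofed clients from one port: triggers both CAM flooding and DHCP starvation
    frames += [Frame("Gi0/1", f"02:00:00:00:00:{i:02x}", dhcp_msg="DISCOVER") for i in range(8)]
    for f in frames:
        mon.feed(f)
    return mon.alerts


if __name__ == "__main__":
    for port, kind, detail in demo():
        print(f"{port:7} {kind:16} {detail}")
```

On real switches the equivalent controls are port security, DHCP snooping, BPDU guard and root guard, and disabling DTP (static access mode) on every end-host port; the Python only makes the decision rules visible so a tester knows which of them a target switch lacks.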
Layer 3 
  • BGP route injection – a prefix is advertised to a BGP peer that should never have received it, either intentionally or through misconfiguration (a route leak), drawing traffic toward the wrong network or black-holing it
  • BGP route hijacking – an autonomous system originates a prefix it is not authorized to announce, or a more-specific of someone else's prefix, so that other networks prefer the hijacker's path
  • IP spoofing – the attacker forges the source IP address in packets so they appear to come from a trusted host, defeating address-based trust and enabling reflection attacks
  • Routing table manipulation – the attacker injects routes or alters the metrics of some subnets, causing traffic to take another path, most probably via the attacker's router, to reach the destination subnet 
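BGP hijacks and too-specific injections are exactly what route origin validation catches. The added example below (not from the article) implements the RFC 6811 decision procedure in Python against a constructed set of ROAs; the prefixes and AS numbers come from the documentation ranges and are assumptions for the demonstration, not real routing data.

```python
"""BGP route-origin validation against ROA-style authorizations.

Classifies each announcement the way RFC 6811 prefix origin validation does:
VALID if some ROA covers the prefix with the announced origin AS and the
prefix is no longer than that ROA's maxLength; INVALID if ROAs cover the
prefix but none match; NOT_FOUND if no ROA covers it. ROAs and announcements
use documentation prefixes and ASNs and are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str         # e.g. "192.0.2.0/24"
    origin_as: int      # AS authorized to originate it
    max_length: int     # longest prefix length that AS may announce under this ROA


@dataclass(frozen=True)
class Announcement:
    prefix: str
    origin_as: int      # rightmost AS in the AS_PATH
    received_from: str  # peer it was learned from (reporting only)


# Constructed authorizations: AS64496 holds 192.0.2.0/24 and 2001:db8::/32,
# AS64497 holds 198.51.100.0/24 and may split it no further than /25.
ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 64496, 24),
    ROA("198.51.100.0/24", 64497, 25),
    ROA("2001:db8::/32", 64496, 48),
]


def _covers(roa: ROA, net) -> bool:
    """True if the ROA's prefix contains `net` (same address family only)."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(ann: Announcement, roas: Sequence[ROA]) -> Tuple[str, str]:
    """Return (state, reason) for one announcement."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "NOT_FOUND", "no ROA covers this prefix; origin validation cannot judge it"
    reasons = []
    for r in covering:
        if r.origin_as != ann.origin_as:
            reasons.append(f"origin AS{ann.origin_as} not authorized (ROA {r.prefix} -> AS{r.origin_as})")
        elif net.prefixlen > r.max_length:
            reasons.append(f"/{net.prefixlen} exceeds maxLength /{r.max_length} of ROA {r.prefix}")
        else:
            return "VALID", f"matches ROA {r.prefix} AS{r.origin_as} maxLength {r.max_length}"
    return "INVALID", "; ".join(reasons)


def demo() -> List[Dict]:
    """Classify a constructed batch of announcements against ROAS."""
    anns = [
        Announcement("192.0.2.0/24", 64496, "peer-a"),       # legitimate origin
        Announcement("192.0.2.0/24", 64511, "peer-b"),       # hijack: wrong origin AS
        Announcement("198.51.100.128/25", 64497, "peer-a"),  # split allowed by maxLength
        Announcement("198.51.100.0/26", 64497, "peer-c"),    # too-specific injection by the right AS
        Announcement("203.0.113.0/24", 64499, "peer-c"),     # no ROA at all
        Announcement("2001:db8::/32", 64511, "peer-b"),      # IPv6 hijack
    ]
    out = []
    for a in anns:
        state, reason = validate(a, ROAS)
        out.append({"prefix": a.prefix, "origin_as": a.origin_as, "peer": a.received_from,
                    "state": state, "reason": reason})
    return out


if __name__ == "__main__":
    for r in demo():
        print(f"{r['state']:9} {r['prefix']:20} AS{r['origin_as']} via {r['peer']}: {r['reason']}")
```

Routers obtain the validated ROA set from an RPKI validator over the RTR protocol and typically drop INVALID routes while still accepting NOT_FOUND ones, which is why a prefix without a ROA is a softer target for hijacking than one with it; checking whether the organization's own prefixes are covered is therefore part of assessing its exposure.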
Wireless 
Common attack vectors include 
  • Frequency jamming – emits radio energy on the same channel as the legitimate signal to disrupt or degrade wireless communication, a denial of service
  • De-authentication attacks – the attacker sends spoofed 802.11 deauthentication frames to knock clients off their access point; clients that reconnect can be lured onto an attacker-controlled "evil twin" network, and the WPA handshake on reconnection can be captured for offline cracking. Protected Management Frames (802.11w) mitigate this
  • Rogue access points – unauthorized wireless access points connected to the network without the knowledge or permission of the network's administrator
  • Man-in-the-Middle – the attacker installs a rogue access point and uses it to intercept and relay communications between two parties without either party knowing 
Network Penetration Testing Lab 
Having your own network PenTesting lab brings several advantages 
  • Safe Testing – trainees can practice and experiment without any risk to the production network
  • Hands-on Learning – trainees get hands-on practice with advanced attacks like BGP hijacking and Wi-Fi attacks
  • Repeatable Scenarios – real-world attack scenarios can be simulated consistently and replayed after a fix to confirm it works 
How often should penetration testing be done? 
Apart from continuously assessing the network for vulnerabilities, a full network penetration test should be done at least once a year, and again after any significant change to the network, such as a new Internet-facing service, a firewall replacement, or a redesign of the routing or VLAN structure. A scheduled test means you know when the attack is happening and who is carrying it out, and you can fix what it finds before a real attacker arrives at an unknown time, from an unknown source. 
Summary 
Network Penetration Testing, or PenTesting, is an integral part of securing the network. It is always better to discover holes or weaknesses in the network's security posture early, through a controlled attack conducted by professional penetration testers. Compliance with network audits helps secure the network, but it is not a one-size-fits-all solution. With a scheduled test you know who the attacker is, when the attack takes place, and how it is carried out, so you can fix the weaknesses found and properly protect your network. 
