02 Oct, 2023

Penetration Test (Pentest) Types and Stages

Penetration testing is a controlled attack aimed at identifying security vulnerabilities in an organization's systems and examining how well those systems withstand attacks that may come from various roles (outsiders, insiders, or users with limited access). The purpose of a penetration test performed by a penetration testing expert is to detect critical security vulnerabilities in systems. Penetration testing improves the security profile of an institution, prepares it against attacks that may come from outside, and prevents the data loss and loss of value that can result from security vulnerabilities. Considering the critical role penetration tests play in security, it is recommended to perform them at least once a year.

Some specific penetration testing approaches are used when performing penetration tests:

White Box Penetration Test:

In this type of approach, comprehensive testing is performed with extensive knowledge about the system to be penetrated. Penetration testers have complete knowledge of the target system, network architecture, source code, and login credentials. White box penetration testing, also known as transparent box testing, carries fewer risks than the other approaches.

Black Box Penetration Test:

Black box penetration testing is an approach performed externally without prior knowledge of the target system. Testers have no information such as the system's network layout, source code, or credentials. While this approach is riskier than the other types, it can verify which vulnerabilities an external attacker can actually reach and show how they would be exploited.

Gray Box Penetration Test:

Gray box penetration testing is an approach between black box and white box penetration tests: the experts performing the test have access to some limited information. Typically the tester is given an ordinary user account on the system, which allows security to be tested from inside the hardened environment with an internal user profile.


The penetration testing stages are as follows:

Scope Determination:

Penetration testing is a discipline that requires focus. Organizations want to avoid lengthy processes and unnecessary costs, so institutions that request penetration testing services define a specific scope, because a holistic test of everything is expensive. Maximum efficiency is achieved with a test whose scope has been determined in detail, which makes scope determination an important step for the institution.

Information Gathering - Discovery:

This is the process of collecting passive (no direct interaction with the target) and active (direct interaction with the target) intelligence about the target in order to perform comprehensive security testing. In this process, various data such as IP addresses, domain details, network topology, and mail servers can be obtained. Effective, well-equipped data collection during this stage makes planning the optimal attack strategy for the later stages of the test more efficient. This is one of the most important stages of the test.

Scanning - Vulnerability Detection:

This is the stage where the target system is scanned with technical tools, in line with the information collected, and the results are analysed for security vulnerabilities. This stage can also simply be called security scanning. Scanning ensures that potential weaknesses in the target system that could be exploited by attackers are identified. Potential exploitation points are identified by determining the risk levels of the vulnerabilities detected by scanning with a combination of automated tools and manual methodologies. Penetration testers use many databases, such as Common Vulnerabilities and Exposures (CVE), to determine the risk of the vulnerabilities they detect.

Exploitation Phase:

This is the stage where the security vulnerabilities identified during discovery and scanning are exploited. After detecting vulnerabilities, the penetration testing specialist exploits them when deemed necessary and tests how far into the target system they can get. In most cases, approval is obtained from the institution before a vulnerability is exploited. Since there is a possibility of damage to live target systems during testing, the exploitation phase is one of the most sensitive and demanding stages.

Reporting:

After the tests are completed, a comprehensive report explaining the findings of the penetration test is prepared from the collected data by the experts who performed the test. This report documents the results of the attack scenarios run against the vulnerabilities in the target systems, a risk assessment, and improvement suggestions. The report prepared at this final stage is of great importance in correcting the security weaknesses of the organization and improving its overall security posture.

In general, the following headings are expected to be included in the penetration test report:

- Introduction and Executive Summary

- Penetration Testing Methodology

- Findings and Weaknesses

- Recommended Solutions and Improvements (Remediation)

- Results and General Evaluation

Penetration Test Types:

Network Pentest:

Network penetration testing is one of the most commonly performed penetration tests. Network penetration testing experts aim to detect security vulnerabilities from the perspective of an attacker who can reach the institution's network and the systems connected to it. In this type of penetration test, the security of the services and protocols running on the corporate network is checked and vulnerabilities are detected. Network penetration testing can be done in two different ways: internally (from inside the network) and externally.

Web Application Pentest:

Web application penetration testing detects security vulnerabilities in the organization's web applications and determines the threats posed by the vulnerabilities found. Penetration testing experts identify vulnerabilities through automated and manual tests built around scenarios written from an attacker's perspective, and offer solutions to the institution based on the findings. People or institutions that develop web applications should be aware of all the security threats they may face before marketing their product; otherwise they risk major reputational damage. For this reason, web application penetration tests should be prioritized.

Load Test (DDOS and Load Pentest):

A DDOS penetration test is a controlled attack used to determine the maximum number of requests or traffic level that an institution's externally facing applications can handle, and to check whether the institution's defenses against DDOS attacks are working effectively. The attack is usually carried out by sending packets crafted for specific attack types, in a controlled manner, from several servers belonging to the institution performing the penetration test. Some test attack types are listed below:

- Volumetric attacks expose the network layer to large amounts of spoofed traffic.

- Protocol attacks exploit weaknesses in the protocols at layers 3 and 4 of the network. An example is the SYN Flood attack.

- Application layer attacks target the protocols at layer 7 of the network. An example is the Slowloris attack.
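From the defender's side, a load test is only useful if the monitoring in place can tell the three attack classes above apart. The following is an added example (not from the original article) that classifies a one-second window of constructed connection records into the article's three categories; the record fields and all thresholds are assumptions chosen for illustration.

```python
"""Classify a window of connection records into the DDoS categories from the
article: volumetric (network layer), protocol (layers 3/4, e.g. SYN flood) and
application (layer 7, e.g. Slowloris). Thresholds and record layout are assumed."""

# Assumed per-window thresholds (tune to the monitored environment).
SYN_HALF_OPEN_LIMIT = 100          # half-open TCP connections in the window
SLOW_CONN_LIMIT = 50               # idle HTTP connections with incomplete headers
SLOW_CONN_MIN_AGE_S = 30           # how long a header-incomplete connection must idle
VOLUME_LIMIT_BYTES = 500_000_000   # bytes seen in the window


def classify_window(records):
    """Return the set of categories whose indicator the window exceeds.

    Each record is a dict with keys: src (str), bytes (int), flags (str, TCP
    flags, 'S' = SYN only), age_s (int) and optionally http_state (str)."""
    half_open = sum(1 for r in records if r["flags"] == "S")
    slow_http = sum(
        1 for r in records
        if r.get("http_state") == "headers_incomplete"
        and r["age_s"] >= SLOW_CONN_MIN_AGE_S
    )
    total_bytes = sum(r["bytes"] for r in records)

    hits = set()
    if half_open >= SYN_HALF_OPEN_LIMIT:
        hits.add("protocol")        # many SYNs never completed: SYN flood pattern
    if slow_http >= SLOW_CONN_LIMIT:
        hits.add("application")     # many long-idle partial requests: Slowloris pattern
    if total_bytes >= VOLUME_LIMIT_BYTES:
        hits.add("volumetric")      # raw traffic volume saturating the network layer
    return hits


# Constructed samples, one per category plus a benign window.
def syn_flood_sample(n=150):
    return [{"src": f"10.0.{i // 256}.{i % 256}", "bytes": 60, "flags": "S", "age_s": 0}
            for i in range(n)]

def slowloris_sample(n=60):
    return [{"src": "198.51.100.7", "bytes": 200, "flags": "A", "age_s": 45,
             "http_state": "headers_incomplete"} for _ in range(n)]

def volumetric_sample(n=20):
    return [{"src": f"203.0.113.{i}", "bytes": 30_000_000, "flags": "A", "age_s": 1}
            for i in range(n)]

def benign_sample():
    return [{"src": "192.0.2.5", "bytes": 1500, "flags": "A", "age_s": 2,
             "http_state": "complete"} for _ in range(10)]
```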

Social Engineering Pentest:

Social engineering penetration testing deals with people and the vulnerabilities they introduce. Social engineering is one of the biggest threats faced by corporate employees. Using the social engineering attack scenarios they prepare within the agreed scope, penetration testing experts try to obtain from employees information that is critical to the institution or that would make it easier to infiltrate the institution's network. Social engineering tests raise awareness of how susceptible the organization and its employees are to such attacks. Following the tests, it is very important to train employees about social engineering attacks and to take appropriate security measures.

Mobile Application Pentest:

Mobile application penetration testing involves discovering the security vulnerabilities of mobile applications and identifying the critical attack scenarios and vulnerabilities that matter to the organization and that directly affect its customers. With its client-server architecture, mobile application penetration testing is the process most similar to web application penetration testing. While the usability and convenience of mobile applications make them popular, they also bring risks of security vulnerabilities. Penetration testers evaluate these risks and test the in-scope applications from an attacker's perspective.

Wireless Network Pentest:

Wireless penetration testing is usually performed on Wi-Fi networks, which are widely used in all organizations and are among the first targets of most attackers. Wireless network penetration testing aims to detect security vulnerabilities in the wireless access points or in the encryption and user authentication mechanisms they use.
