• Fabian Sinner
  • November 7, 2023

Table of content


    Pentest: How does it work?

    In the field of IT security, a penetration test, or pentest for short, is a desired, commissioned test for vulnerabilities in IT infrastructure. As such, it is the legal counterpart to a criminal hack.

    Why do you need a pentest?

    Every unauthorized intrusion is referred to in technical jargon as a penetration. A pentest is designed to examine a client’s system (network, server, computer) for possible vulnerabilities by simulating unauthorized access.

    Access to sensitive data is a particular consideration here. The aim of the test is to minimize the risk of cyberattacks through new knowledge because the results provide information about deficiencies in IT security. However, the elimination of these deficiencies is not part of the penetration testing, but is usually the responsibility of the commissioning company.

    The scope and depth of a professional IT expert’s penetration test can vary greatly depending on the company. Typical test areas are security barriers such as a web application firewall, web-based applications, containers, their interfaces (API) and servers. Configuration errors and vulnerabilities are made visible through intensive attack attempts.

    Similar terms for penetration testing

    Penetration tests should be distinguished from similar terms in the field of IT security:

    • Vulnerability scans: automatic tests without individual customization
    • Security scans: automatic tests where the results are verified manually, but there is no standardized scheme

    What is checked in a pentest?

    Pentests can be carried out for many IT applications:

    • Database servers, web servers, mail servers, file servers, other storage systems
    • Packet filters, virus scanners, firewalls
    • Web applications, containers
    • Network interfaces such as routers, gateways, switches
    • Telephone systems, wireless networks (WLAN, Bluetooth)
    • Clients
    • Building security systems, building control systems

    The non-profit OWASP Foundation offers guidelines in the field of web applications.

    What types of pentests are there?

    Internal pentest

    This type of penetration test analyzes what happens if employee data is stolen or a so-called inside job is carried out. The test therefore assumes an attack using data that is available to employees.

    External pentest

    This is the classic test model. It simulates an attack by hackers who only have access to the company’s external website and the systems used via the internet. This also includes targeted overloading of the external connection through DDoS attacks.

    Blind tests

    This method does not require any precise agreements. The service provider receives the name and consent of the company, but no further input. This allows the IT security experts to react to access attempts in real time without knowing the penetration tester’s exact approach beforehand. This model is suitable, for example, for obtaining an objective assessment of your own IT security from a third party with expertise.

    Another variant is the double-blind test. The difference to the blind test is that the responsible IT specialists in the company are also not informed. This allows the team’s ability to react to an incident, for example, or test the execution of a response plan under real conditions.

    How does a penetration test work?

    Every service provider probably has its own procedure, but there are typical phases and frameworks that are used in the industry. Here you can find a detailed guide from the Federal Office for Information Security (in German).

    1. Methodology and design of a pentest

    In the first phase, the pentest is designed – specifically for the individual customer.

    • Introduction: Service providers get an initial overview
    • Scope: Which systems are to be tested?
    • Methodology: Which techniques and tools should be used for the penetration test?
    • Objectives: What results should the pentest deliver?

    The design of the test is developed using this information. The BSI offers a scheme to classify six important test criteria more precisely. These are aggressiveness, scope, information base, approach, technique and starting point.

    1. Scans

    This phase starts the search for one or more vulnerabilities that allow access. Precise documentation of the procedure is particularly important here. The code is observed at the level of the individual applications.

    1. Access

    In the third phase of a pentest, the systems are bombarded with everything that was defined in the test design. The goal is now to gain access via the vulnerabilities found in step 2. Possible attacks are:

    • XSS (cross-site scripting)
    • Injection
    • Backdoors and rootkits
    • DDoS attacks

    If access is successful, the test has the task of exploring all penetration possibilities because this is exactly how cyber criminals would proceed.

    • Which areas have become vulnerable as a result of the access?
    • What data can be extracted or manipulated?
    • How long does such an attack go unnoticed?
    • To which other network systems can access be extended?
    1. Persistence test

    At this stage, the aim is to check whether access can be maintained permanently (persistent). The aim of most cyberattacks is to gain access that remains undetected for as long as possible (advanced persistent threat).

    During this time, the appropriate malware can be loaded at leisure. Resourceful hackers work their way from unit to unit until they have reached the level where the most sensitive data is stored or from where they have as much control as possible over the company’s IT systems.

    It often takes time to reach this depth. A penetration test is therefore used to check how quickly the spread can take place and when relevant security systems sound the alarm.

    1. Pentest evaluation

    The results are based on detailed documentation of all actions during the check. Once test phases 2-4 have been completed, the observations and conclusions are usually compiled in the form of a report. The following information is presented in this report:

    • Attacks and methods used
    • Vulnerabilities/security gaps that were successfully exploited
    • Data that could be extracted or viewed
    • Duration of undetected access

    Some pentesters also prepare recommendations for action for their customers.

    How do I find a trustworthy pentester?

    Companies and organizations should proceed with the utmost caution when making their selection. Similar to providers for physical security in the company, experience and trust are important factors in this line of work.

    Pay particular attention to qualification and certification when making your selection. A contract with clear service level agreements is also important. A contract should definitely include the following points:

    • Inspection period
    • Test object and depth
    • Obligations to cooperate
    • Liability
    • Confidentiality (non-disclosure agreement)
    • Warranty
    • Storage time of the data
    • Data protection

    The German Federal Office for Information Security (BSI) provides a list of certified providers for penetration tests. The test must not be started until the client has given its approval.

    What happens after a penetration test?

    The right approach is important for deriving tasks: Every penetration test is only a snapshot of the state of IT security. A few days or weeks later, a similar test could be completely different.

    The reason is because new updates and patches are constantly being released by providers that secure existing vulnerabilities. At the same time, new vulnerabilities emerge.

    Which tasks follow from a completed pentest depends entirely on the results:

    1. Access failed: all-clear for IT security
    2. Access successful, which depends on the details:
    • Which method led to success?
    • How long did the access go unnoticed?
    • How deep was the tester able to penetrate the system?
    • What data was affected?

    A list of priorities should be derived from the report in order to eliminate vulnerabilities as efficiently as possible.

    What are the risks of a pentest?

    Fraudsters during penetration testing

    The worst-case scenario is that companies end up with dubious providers who use the knowledge gained for criminal activities. This could include, for example, selling information on vulnerabilities in hacker forums or the unauthorized extraction and storage of data. This makes it all the more important to check the references of the chosen service provider.

    Pentest mishaps

    A pentest should not actually paralyze the business, but human error can occur during the test. Incorrect agreements, vague wording in the order or misunderstandings are all possible scenarios that could cause a system failure.

    Another classic problem is if system maintenance is being carried out at the same time as the test, as this can have a significant impact on the result. Coordination between all departments involved and external service providers (remote maintenance) is therefore essential. The exception, of course, is double-blind tests, where an unforeseen attack is desired.

    Legal aspects

    Both sides should ensure that the scope of the test objectives is precisely defined. Furthermore, the client must ensure that these agreed objectives are the property of their own company without exception and are legally separable. Anyone who inadvertently attacks and/or paralyzes the cloud service or a web application of a third-party provider could get into serious legal trouble.

    A penetration test carried out in good faith without the consent of the service provider could be considered a real cyberattack under criminal law. Before starting the test design, the rights to all components must be checked. This includes hardware (servers), software (applications) and other networks (cloud services and interfaces).

    Penetration testing or IP stresser?

    Anyone searching the Internet for a stress test for their own IT will quickly come across so-called IP stressers. These services offer to simulate DDoS attacks for a small fee.

    However, extreme caution is required here. Many of these companies operate in a legal gray area. If it is not checked exactly which domain is being targeted, then service providers are not only acting highly unprofessionally, but are also committing criminal offenses. Whether IP stressers are working legally or are actually disguising criminal booter services (DDoS for hire) is often not so easy for buyers to see through.

    Websites are deliberately professionally designed and search engine optimized so that they appear to be a respectable business model from the outside. Unfortunately, this is often just the polished entrance to a dark cellar.

    A penetration test is also based on a completely different idea compared to legal IP stressers: instead of simulating a blunt DDoS attack, an individual pentest is designed specifically with the customer to cover several levels and IT risk factors.

    In the case of DDoS attacks, for example, this can mean using several different attack techniques across all layers, whereas IP stressers usually only offer pure volume attacks (layers 3, 4). The fact that pentests are priced differently should therefore not unsettle you.

    What is a Network Layer? (OSI Model Explained)
    Link11 warns: DDoS Extorters Stealth Ravens mean serious Business with Mirai Botnet