Penetration testing, at its core, is a standard set of procedures a tester follows, combined with common sense and attention to detail. In this article we aim to cover how a penetration test is conducted.
The aim of this article is to give readers a better insight into how a penetration test is usually carried out. The challenges faced and the limitations agreed between tester and client will affect how any particular test is carried out, but this guide should bring clarity on the basics.
Phase 1: Planning and preparation
This is one of the most important steps, not because of the level of skill required to complete it, but because it is imperative that a penetration tester works out the exact plan of attack before testing actually begins.
The chances of things changing and evolving throughout the process are rather high; however, it is still important that both tester and client are on the same page about what needs to be done, and that the tester already has a plan in place for how to do it.
This part of the phase also requires decisions about which tools will be selected and which scripts may come in handy. The decision about what type of testing will be used is made at this point as well.
Beyond these technical details, it is also very important to define the scope of the engagement and ensure there is a clear definition of what can be attacked and what cannot.
It would be detrimental to your career and even your reputation if you did something outside the agreed scope that was then deemed malicious, for whatever reason. There are numerous real-world examples of this happening, too.
Ensure a written contract between the client and the tester is in place at all times, to nullify the chances of any legal ramifications should anything go wrong.
Once all of this is done and out of the way, the real fun can begin.
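One way to turn the agreed scope into a check that runs before any tool is pointed at a host, as an added example that is not from the original article; the network ranges, hostnames and the SCOPE structure are constructed assumptions standing in for the signed scope document:

```python
"""Scope check helper (added example, not from the original article).

Given the in-scope targets agreed with the client and any explicit
exclusions, confirm every host a tester intends to touch is inside scope
before any recon or scanning tool is launched against it.
"""
import ipaddress

# Constructed sample scope; in practice this comes from the signed agreement.
SCOPE = {
    "in_scope_networks": ["192.0.2.0/24", "198.51.100.0/25"],
    "in_scope_hosts": ["app.example.test"],
    "excluded_hosts": ["192.0.2.10"],   # e.g. a production system the client carved out
}


def _parse_networks(entries):
    """Turn CIDR strings into network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_in_scope(target, scope=SCOPE):
    """Return True only if target is inside an agreed range and not excluded."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: hostnames must be listed explicitly in the scope.
        return target.lower() in {h.lower() for h in scope["in_scope_hosts"]}
    if any(addr in net for net in _parse_networks(scope["excluded_hosts"])):
        return False
    return any(addr in net for net in _parse_networks(scope["in_scope_networks"]))


def check_targets(targets, scope=SCOPE):
    """Partition a candidate target list into (allowed, rejected)."""
    allowed = [t for t in targets if is_in_scope(t, scope)]
    rejected = [t for t in targets if not is_in_scope(t, scope)]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed candidate list a tester might feed to a scanner.
    candidates = ["192.0.2.5", "192.0.2.10", "198.51.100.200",
                  "app.example.test", "203.0.113.7"]
    ok, bad = check_targets(candidates)
    print("allowed:", ok)
    print("rejected (do not touch):", bad)
```

Run the check on the full target list first, and only feed the allowed list to recon and scanning tools.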
Phase 2: Performing recon
In the reconnaissance phase, you will find yourself gathering information – a lot.
This is another key aspect of the whole process, because a lack of quality data can undermine the entire pen test: poor information leads to a lack of understanding and to time wasted going down rabbit holes.
This phase covers a vast number of areas and can vary in the level of both effort and activity. For example, running a WHOIS query or gathering DNS information is a passive task that requires minimal effort, especially as that information is readily available from public sources.
More demanding forms of recon involve scanning the network for open ports, enumerating networks and services, grabbing banners and even sniffing packets on the target network.
In this phase you may also be required to use some social engineering or even physical recon, such as phishing, bin diving or impersonation of a staff member.
Phase 3: Analysis of vulnerabilities
Once the recon phase has been completed (usually when enough information has been gathered), the tester is then required to determine what vulnerabilities are present within the system and work out the best path forward.
Testers can use either automated or manual testing; however, a combination of both is usually found to be the most effective option.
It is worth mentioning the difference between vulnerability analysis during an actual pen test and a vulnerability assessment. A vulnerability assessment is its own separate exercise in which an automated scan takes place and the results are fed back to the client with no attempt at exploitation.
Phase 4: Exploitation of discovered vulnerabilities
Exploitation is the process of taking the identified vulnerability and using it to gain access to the system with the intention of bypassing any security measures in place.
Exploitation makes up the majority of the penetration test and is usually the most time-consuming aspect of the whole process, so expect to spend quite a bit of time working on it.
There is a plethora of available tools and frameworks designed to aid a pentester in the exploitation phase; some of these include Kali Linux, Metasploit, SQLmap and Canvas. These tools can be useful and save testers a lot of time, but in many cases manual testing and intuition are the primary requirements.
Phase 5: After successful exploitation
This phase is about keeping control of the exploited system and attempting to compromise the rest of the network and attached systems. Compromised systems are then valued according to the sensitivity of the data they hold or how useful they are in building a stronger foothold in the network.
It is extremely important to gather as much information as possible during this part of the phase, both to use against the client's servers and for possible future exploitation. Any credentials, personal information, financial data or anything else deemed sensitive should be obtained by the tester.
The last part of this phase is the cleanup process, in which any scripts, files or even backdoors the tester has used are removed, any settings that were changed are reverted, and any new user accounts that were created are deleted.
Final phase: The report
The final step you will find in all penetration tests is reporting. I know, I know, a lot of people find reporting to not be fun, but it is arguably the most critical part of the entire process you have gone through.
Results need to be detailed for your client, and they need to be clear and concise about the problems discovered. The report should also clearly define all the information, from scope and objectives to methodology and a summary of the test.
The technical segment is usually for the client's security team and will include proof-of-concept code, screenshots and details about what was discovered.
Penetration testing can be important for both beginners and pros. We hope that this article has given future pen testers of our world a better understanding of the process that we go through to conduct a thorough, legal and effective penetration test.