How to do Penetration Testing | Step-By-Steop Process & Methods

How to do Penetration Testing | Step-By-Step Process & Methods

Penetration Testing starts with the Pre-engagement step, which means talking to the client about their intentions for the pentest, mapping out the scope (the extent and parameters of the test), and so on. 

When the Penetration Testers and the client accept the scope, reporting format, and other topics, the actual Pentesting starts.

In the Information-Gathering step, the pentester explores for publicly available information about the client and identifies possible ways to connect to its systems. 

In the threat-modeling step, the Penetration Testers uses this information to determine the value of each finding and the impact on the client if the finding permitted an attacker to break into a system. 

This evaluation allows for Penetration Testers to develop an action strategy and methods of attack.

Before the Penetration Testers can start attacking systems, he or she performs a vulnerability analysis. In this Step, the Penetration Testers attempts to discover vulnerabilities in the systems that can be taken advantage of in the exploitation Step. 

A successful exploit might lead to a post-exploitation Step, where the issue of the exploitation is leveraged to find additional information, sensitive data, access to other systems, and so on...

Finally, in the reporting Step, the Penetration Testers summarizes the findings for both executives and technical practitioners.

Step 1. Pre-engagement

Before the Penetration Testing begins, Pentesters perform pre-engagement interactions with the client to make sure everyone is on the same page about penetration testing. 

Miscommunication between a Penetration Testers and a client who expects a simple vulnerability scan could point to a sticky situation because penetration tests are much more interfering.

The pre-engagement step is when you should take the time to understand your client’s company/business purposes for the pentest. If this is their first Penetration Testing,

What inspired them to find a pentester? 

What expressions are they most worried about? 

Do they have any breakable devices you need to be careful with when Penetration Testing? (I’ve encountered everything from windmills to medical devices caught up to patients on networks.)

Ask questions about your client’s business. What matters most to them?

For example, to a top online vendor, hours of downtime could mean thousands of dollars of missed revenue. 

To a local bank, having online banking sites go hair for a few hours may annoy a few clients, but that downtime wouldn’t be nearly as destructive as the compromise of a credit card database. 

To an information security vendor, having their homepage covered with rude messages from attackers could lead to a damaged reputation that snowballs into a major revenue loss.

Other important things to discuss and agree upon during the pre-engagement Step of the pentest include the following:

Scope

What IP addresses or Hosts are in scope, and what is not in scope?  What kinds of actions will the client allow you to perform?  Are you allowed to use exploits and potentially bring down service, or should you limit the assessment to only detecting possible vulnerabilities? 

Does the client know that even a simple port scan could bring down a server or router? Are you authorized to perform a social-engineering attack?

The client may want you to perform Penetration Tests only as specific hours or on certain days.

Contact Information

What should you contact if you find something serious? Does the client expect you to contact someone 24 hours a day? Do they prefer that you use encryption for email?

A “get out of jail free” card Make sure you have the permission to perform a penetration tests on the target System. If the target is not owned by the company (for example, because it’s hosted by a third party), make sure to verify that the client has confirmed approval from the third party to perform the penetration testing.

Although, make sure your contract involves a statement that limits your liability in case something unexpected happens, and get written permission to perform the Penetration testing.

Payment Terms

How and when will you be paid, and how much paid?

Finally, include a nondisclosure agreement requirement in your contract. Clients will appreciate your written commitment to keep the penetration test and any findings confidential.

Step 2. Information Gathering

Next is the information-gathering Step. During this Step, you examine freely available sources of information, a process known as gathering open source intelligence (OSINT). You also begin to use tools such as port scanners to get an idea of what systems are out there on the Internet or internal network as well as what software is operating. 

Step 3. Threat Modeling

Based on the information gained in the information-gathering Step, we move on to threat modeling. Here we think like attackers and develop plans of attack based on the information we’ve gathered. 

For example, if the client develops exclusive software, an attacker could defeat the organization by gaining access to their internal development systems, where the source
code is developed and tested, and selling the company’s sales secrets to a competitor. Based on the data we found during information gathering, we develop strategies to penetrate a client’s systems.

Step4. Vulnerability Analysis

Next, Penetration Testers begin to actively discover vulnerabilities to determine how successful their exploit strategies might be. Failed exploits can impact services, set off intrusion-detection warnings, and otherwise break your chances of successful exploitation. 

Often during this Step, Penetration Testers run vulnerability scanners, which use vulnerability databases and a series of active checks to make the best guess about which vulnerabilities are being on a client’s system. 

Although vulnerability scanners are powerful tools, they can’t fully replace critical thinking, so we also perform manual analysis and verify results on our own in this Step.

Step 5. Exploitation

Now for the fun exploitation. Here we run exploits against the vulnerabilities we’ve discovered (sometimes using a tool like Metasploit, Burp Suite) in an try to access a client’s systems. As you’ll see, some vulnerabilities will be remarkably easy to exploit, such as logging in with default passwords. 

Step 6. Post Exploitation

Some say Pentesters truly begin only after exploitation, in the post-exploitation Step. You got it, but what does that interference really mean to the client? 

If you broke into an unpatched legacy system that isn’t part of a domain or unless networked to high-value targets and that system includes no information of benefit to an attacker, that vulnerability’s risk is significantly weaker than if you were able to exploit a domain controller or a client’s development system.

During post exploitation, we collect information about the attacked system, look for interesting files, attempt to promote our privileges where necessary, and so on. For example, we might dump password hashes to see if we can change them or use them to access additional systems. 

We might also try to use the exploited machine to attack systems not before available to us by pivoting into them. 

Step 7 Reporting

The final Step of penetration testing is reporting. This is where we send our findings to the customer in a meaningful way. We tell them what they’re doing correctly, where they need to improve their security posture, how you got in, what you found, how to fix problems, and so on.

Writing a good pentest report is an art that takes practice to master. You’ll need to convey your findings clearly to everyone from the IT staff charged with fixing vulnerabilities to higher management who signs off on the changes to external audiences. 

For instance, if a nontechnical type reads, “And then I used MS08-067 to get a shell,” he or she might think, “You mean, like a seashell?” A better way to communicate this idea would be to mention the private data you were able to access or change. A statement like “I was able to read your email,” will resonate with almost anyone.

Summary

This tutorial has got a brief look at the Step of Penetration Testing, including pre-engagement, information gathering, threat modeling, vulnerability analysis, exploitation, post exploitation, and reporting.

Familiarity with these Steps will be important as you begin your Penetration Testing Career. 

Related:

• Web Application Penetration Testing Tutorials - Information Gathering
• OWASP Tutorials - What is an owasp testing project?
• Burp Suite Tutorials - Getting Started with Burp Suite
• Hacking with Android - Become a True Android Hacker