If you’re considering having penetration testing done for your organization, you may be unsure of what you’re getting into. Often the mystery behind what happens during a penetration test can be worrying and daunting, especially if it’s your organization’s first time being tested. The good news is that almost all (if not all) penetration testers follow the same set process and methodology. Templates and proven methodologies allow penetration testers to be thorough and consistent while finding as many vulnerabilities as possible in the allotted time frame.
What are the steps of penetration testing?
Penetration testing generally follows these steps as part of the process:
Here’s a free template that you can download as an example of what actually happens during a penetration test:
Step 1: Intelligence Gathering
During this phase of a penetration test, penetration testers will use a wide variety of penetration testing tools and resources to gather information on your organization. This can include passive, hands-off resources, like finding open-source information about a company, as well as direct interaction with your organization in the form of network scans and enumeration. Some of the most popular tools and techniques pentesters may use to learn about your organization include:
Search engine queries
Domain name searches/WHOIS lookups
Internet footprints—email addresses, usernames, social networks
Internal footprints—ping sweeps, port scanning, reverse DNS, packet sniffing
The goal for this step of penetration testing is to be very comprehensive, so there’s often a lot of traffic during this phase, which can cause some network congestion for your organization. Other than this, only your SOC is likely to notice any difference in network traffic.
Step 2: Threat Modeling
This step in the pentesting process is what tailors the test to a specific organization. Here penetration testers take all the information they have gathered about the company and determine the kinds of attacks to attempt. Instead of the flashiness usually associated with hacking, like using a fancy tool to “pwn” a network or application, this step is more of a mental check meant to answer three questions about the target company:
Where am I most vulnerable to attack?
What are the most relevant threats?
What do I need to do to safeguard against these threats?
Penetration testers can identify threats as internal or external, and can use employee, customer, or technical data.
An example of this may be identifying an Active Directory device or seeing services like SSH or RDP exposed to the open internet. While these might not be immediate issues, they are enticing targets for attackers and good indicators of where an organization is likely to be attacked.
This is primarily done by analyzing findings from the information gathering stage, and involves little direct interaction with the target organization.
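As an added illustration of this step (example code, not from the original article): a small triage script that ranks constructed recon findings by how likely they are to draw attacker attention, using the exposed SSH/RDP and Active Directory indicators mentioned above. The service list, scoring weights and sample findings are assumptions made for the example.

```python
# Added example, not part of the original article. Findings, service list
# and weights are constructed for illustration; the scoring is a heuristic.
from dataclasses import dataclass

# Management and directory services a defender would not expect to see
# reachable from the internet (assumed list for this example).
SENSITIVE_SERVICES = {22: "ssh", 3389: "rdp", 445: "smb",
                      389: "ldap", 636: "ldaps", 88: "kerberos"}
AD_PORTS = (88, 389, 636)  # Kerberos/LDAP hint at an Active Directory role


@dataclass
class Finding:
    host: str
    port: int
    service: str
    exposure: str  # "external" (internet-reachable) or "internal"
    source: str    # which recon activity produced it


def score(f: Finding) -> int:
    """Constructed heuristic: exposed management/AD services rank highest."""
    s = 0
    if f.port in SENSITIVE_SERVICES:
        s += 2
    if f.exposure == "external":
        s += 2
    if f.port in AD_PORTS:
        s += 1
    return s


def triage(findings):
    """Return (score, finding) pairs, most attacker-relevant first."""
    ranked = [(score(f), f) for f in findings]
    ranked.sort(key=lambda sf: (-sf[0], sf[1].host, sf[1].port))
    return ranked


def exposed_management(findings):
    """Answer 'where am I most vulnerable?': sensitive services on the internet."""
    return [f"{f.host}:{f.port}" for f in findings
            if f.exposure == "external" and f.port in SENSITIVE_SERVICES]


# Constructed sample findings (203.0.113.0/24 is a documentation range).
SAMPLE_FINDINGS = [
    Finding("203.0.113.10", 3389, "rdp", "external", "port scan"),
    Finding("203.0.113.10", 443, "https", "external", "port scan"),
    Finding("10.0.0.5", 88, "kerberos", "internal", "ping sweep/port scan"),
    Finding("10.0.0.5", 389, "ldap", "internal", "port scan"),
    Finding("10.0.0.9", 22, "ssh", "internal", "port scan"),
]

if __name__ == "__main__":
    for s, f in triage(SAMPLE_FINDINGS):
        print(s, f.exposure, f.host, f.port, f.service)
```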
Step 3: Vulnerability Analysis
The information gathering stage can provide all sorts of information about a target. With this information, vulnerability analysis uses both automated and manual efforts by testers to identify vulnerabilities. There are plenty of automated scanners for both networks and applications that point testers toward issues they will then confirm during the pentest. This can be one of the more delicate parts of a penetration test, where pentesters carefully configure these scanners and comb through scan output to identify issues within a target as comprehensively as possible.
Step 4: Exploitation
During exploitation, ethical hackers actually begin to see how far they can get into an organization’s systems through the vulnerabilities and mapping they outlined. Exploitation shows the potential damage that could be done to assets within an organization. The tester will attempt to compromise the assets they found to be vulnerable—this consists of both publicly available exploit methods and custom exploits that pentesters build to get better proof of vulnerabilities.
This step is where things can go wrong if a tester isn’t careful. The worst that can happen (and this is very rare) is that a machine may “go down” and have to be restarted. In most penetration tests, however, the testers will reach out and explain any critical exploits they plan to test to make sure sensitive or critical assets won’t suffer any adverse effects. Pentesters will also meet with an organization during scoping to agree on how far you are comfortable with them going.
Some of the most common penetration testing exploitation tactics include:
Web Application Attacks
Step 5: Post Exploitation
After exploitation, the penetration testers take things one step further. After getting a session running on a compromised machine, they will gauge the severity of the issues they identified by pivoting into other assets and other parts of the network. Additionally, they will try to get as much information as they can out of the compromised machine, including passwords. This is again to get proof of vulnerabilities and to communicate the severity of an issue.
The same small risks that apply to exploitation apply to post exploitation, but again, penetration testers should keep open communication channels to explain what information they’re gathering and how they’re pivoting while on a compromised machine.
Step 6: Reporting
This step is arguably the most important step of penetration testing. After all, there’s no point in a pentest if an organization doesn’t get to actually learn from it! A good report should include findings that cover all phases of penetration testing. It should cover strengths and weaknesses of the overall security posture (identified primarily through threat modeling) as well as vulnerabilities in detail, and of course, remediation recommendations detailing how to fix the issues in the client’s assets.
Why is penetration testing important?
Penetration tests are ultimately about helping organizations reach their goals and better understand their IT infrastructure. Penetration tests follow a set process to be as comprehensive and transparent as possible, which makes them an excellent way for any organization to better understand its IT security.