In a previous blog post, we explained penetration testing and the different types of testing available. In this article, we look at the various steps involved in a pen test. Different frameworks or methodologies may state fewer steps than those listed below, but each of the steps below is included in one form or another.
1. Target scoping
This is the initial stage, where the decision to carry out a penetration test is made. During this stage, an open discussion between the client and the pen test team should establish the requirements and set expectations. Important decisions include: what has to be tested, what is in scope and what is not, the duration of the test, identifying key stakeholders and defining roles and responsibilities, signing a non-disclosure agreement if required, and deciding the testing technique (black box, white box, etc.). An open conversation lets both parties understand the end goals and enables the testers to follow a suitable approach to achieve the best results. Legal aspects must also be considered in this step, so that everything agreed upon does not lead to complications later on.
2. Information gathering
In this step, the testers use the internet to find information about the target using both technical and non-technical methods. Information gathering provides the essential background needed to continue with the test. It is mostly carried out passively, i.e. from public sources without interacting directly with the target, and is commonly referred to as OSINT (Open Source Intelligence) gathering. It may include identifying DNS information, searching for the target on multiple search engines or job sites, or even carrying out some social engineering activities.
3. Target discovery
In this step, network-specific information is gathered to produce a probable network topology of the target. It includes identifying live hosts on the network, mapping perimeter network devices such as routers and firewalls, operating system fingerprinting, etc. This step requires technical tools to gather the required information about the target, and it can be considered an active phase, since interactions with the target systems occur. The more thorough the network discovery, the more thorough the assessment that can be performed.
4. Enumerating targets
This stage expands on the target discovery phase and identifies the services running on the target machines. It involves using a variety of tools to identify the open ports and running services on the targets, in order to narrow down and choose a starting point on which to focus the test. Sometimes this leads down a rabbit hole, in which case the testers will have to identify another asset and continue their test from there.
5. Vulnerability mapping
This is the process of identifying vulnerabilities or weaknesses within the asset(s) identified in the previous step and deciding how to test them. Vulnerability scans using manual or automated techniques are carried out, vulnerabilities are looked up from service banners, false positives and false negatives are identified, and attack paths for exploiting the confirmed vulnerabilities are mapped out.
6. Social engineering
Social engineering is the art of using a human attack vector to gain access. It may include tricking the target into granting access when no other route is available, or impersonating an administrator or a colleague in need. Some organisations limit how, or whether, social engineering is allowed, so this has to be agreed upon during the target scoping phase.
7. Target exploitation
This is the phase most pen testers are excited about. In this step, testers try to gain unauthorised access by circumventing the security measures in place: finding exploit code or tools, developing scripts to bypass the measures, and finally identifying as many entry points as possible to reach high-value target assets. Techniques may include fuzzing, source code analysis, zero-day exploits, or developing exploits for buffer overflows or other software errors.
8. Privilege escalation
Upon successful exploitation, the next potential goal is to obtain administrative privileges on the system, such as the root account on Linux or an administrator user on Windows. At this point, depending on the scope of the assessment, the testers may attempt to cause maximum damage, which may include obtaining encrypted passwords for offline cracking, obtaining clear-text passwords by sniffing, and capturing and analysing network traffic. In some cases, a compromised asset is then used as a starting point to pivot further into other assets or targets within the organisation.
9. Maintaining access
Depending on the scope of the assessment, there may be a requirement to maintain access to the target system for a specified time. This is useful in double-blind tests or red teaming exercises, where the capabilities of the defenders or security analysts are also evaluated. It may include setting up covert channels such as backdoors or installing rootkits.
10. Documentation and reporting
This is the final stage of the assessment, where a detailed report has to be prepared. It should contain the list of vulnerabilities found and verified, and the steps carried out to exploit them. Depending on the audience, the report may explain the findings from a non-technical perspective, highlighting the risks, if presented to management, or include technical details for system administrators or security analysts. The report should also include the remediation steps needed to secure the organisation against a real-world attacker. Another common practice is to list the vulnerabilities by severity, so it becomes easier for the organisation to prioritise what has to be fixed and how soon.
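One way to turn the verified findings into the severity-ordered report described in this step, as an added Python example (not Rootfloe's own tooling): unverified and false-positive findings from the vulnerability mapping step are dropped, the remaining ones are rated on the standard CVSS v3 qualitative scale, and the same data feeds a count-only management summary and a technical section with reproduction and remediation notes. The findings are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# CVSS v3.x qualitative severity scale: lower bound of each band, highest first.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"),
                  (0.1, "Low"), (0.0, "Informational")]
SEVERITY_ORDER = {name: i for i, (_, name) in enumerate(SEVERITY_BANDS)}

@dataclass
class Finding:
    title: str
    asset: str                # host, URL or component affected
    cvss: float               # CVSS v3 base score assigned by the tester
    verified: bool            # manually confirmed, not just a scanner hit
    false_positive: bool = False
    reproduction: List[str] = field(default_factory=list)  # steps carried out
    remediation: str = ""

def severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for lower, name in SEVERITY_BANDS:
        if score >= lower:
            return name
    return "Informational"

def reportable(findings: List[Finding]) -> List[Finding]:
    """Keep only verified findings that were not ruled false positives."""
    return [f for f in findings if f.verified and not f.false_positive]

def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order by severity band, then by raw score, most severe first."""
    return sorted(reportable(findings),
                  key=lambda f: (SEVERITY_ORDER[severity(f.cvss)], -f.cvss))

def management_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per severity band: the non-technical view for management."""
    counts = {name: 0 for _, name in SEVERITY_BANDS}
    for f in reportable(findings):
        counts[severity(f.cvss)] += 1
    return counts

def technical_report(findings: List[Finding]) -> str:
    """Per-finding detail for administrators: steps taken and remediation."""
    lines = []
    for f in prioritise(findings):
        lines.append(f"[{severity(f.cvss)} {f.cvss:.1f}] {f.title} on {f.asset}")
        lines.extend(f"  step {i}: {s}" for i, s in enumerate(f.reproduction, 1))
        lines.append(f"  remediation: {f.remediation}")
    return "\n".join(lines)

# Constructed sample findings (hostnames and scores are illustrative).
SAMPLE = [
    Finding("Outdated TLS configuration", "vpn.example.test", 5.3, True,
            remediation="Disable TLS 1.0 and 1.1"),
    Finding("SQL injection in login form", "app.example.test/login", 9.8, True,
            reproduction=["Login input reached the database query unescaped"],
            remediation="Use parameterised queries"),
    Finding("Scanner flagged default credentials", "printer.example.test", 7.5, False),
    Finding("Directory listing enabled", "static.example.test", 3.1, True,
            false_positive=True),
]
```

Running `management_summary(SAMPLE)` reports one Critical and one Medium finding; the unverified scanner hit and the false positive never reach either section of the report.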
Once the pen test is complete, it is the responsibility of the tester to ensure that they clean up, i.e., to remove any scripts or tools installed on the target systems and to restore the systems to the same state as before beginning the pen test.
At Rootfloe, we follow an iterative approach to a penetration test: after providing the initial report, we perform rounds of re-testing, re-assessing the application or network to verify that the recommended remediations have been implemented and that the issues have been resolved or mitigated. This ensures that the changes your developers make to your systems or network are free from vulnerabilities, and that no new vulnerabilities have been introduced through human error while implementing the recommended changes from the technical report. The process makes sure that the applications and network are not exposed to new cyber-attacks.
Get in touch with us today for a free consultation at info@rootfloe.com to learn more and schedule your next pen test.