Are you trying to refine your penetration testing phases or methodology to get better results and happier clients?
Or are you looking to get into penetration testing?
Then you’ll love this article.
Because today, I’m going to show you the 7 penetration testing phases that I use to get amazing results every time.
Plus: I’m going to give you bonus resources to help you master each phase.
So right away:
What are the phases of penetration testing?
The 7 phases of penetration testing are: Pre-engagement actions, reconnaissance, threat modeling and vulnerability identification, exploitation, post-exploitation, reporting, and resolution and re-testing.
You may have heard of different phases or use your own approach; I use these because I find them effective.
Now, let’s look at each of those phases in closer detail and see how to master each.
1. The pre-engagement actions phase
This is one of the phases of pen testing that a lot of novices tend to overlook.
However, it is probably the most important.
This pre-phase usually begins with defining the test’s scope.
The client outlines what they want tested and by what methods.
They may, for example, want a wired and wireless network test, or they may only want social engineering tests.
Once you understand that, get the list of in-scope targets from the client.
Make sure you know exactly which networks and addresses are in scope and which are not, and get those boundaries in writing.
You don't want to take down a critical system that's out of scope; that would be really bad.
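One way to make that boundary enforceable rather than something you remember under pressure is a small scope gate that every target list passes through before a scan starts. The example below is added here and is not from the original article; it uses only Python's standard `ipaddress` module, and the in-scope ranges, exclusions and targets are constructed for illustration (in a real engagement they come straight from the signed rules of engagement). Hostnames have to be resolved to addresses before they are checked.

```python
"""Scope gate: refuse to touch any target that is not explicitly in scope.

Added example, not from the original article. The CIDR ranges and target
addresses below are constructed; take the real ones from the signed scope.
"""
import ipaddress

# Constructed example scope as it might appear in a rules-of-engagement document.
IN_SCOPE = ["10.10.0.0/16", "192.168.50.0/24", "203.0.113.0/25"]
# Explicit exclusions win over in-scope ranges (e.g. a production database VIP).
EXCLUDED = ["10.10.5.0/24", "203.0.113.10/32"]


def _parse(ranges):
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def classify_target(target, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Return 'allowed', 'excluded' or 'out-of-scope' for a single IP or a CIDR.

    A CIDR is only 'allowed' if all of it sits inside one in-scope range and
    none of it touches an exclusion, so a lazy /16 cannot drag an excluded
    host into a scan.
    """
    net = ipaddress.ip_network(target, strict=False)
    for ex in _parse(excluded):
        if net.version == ex.version and net.overlaps(ex):
            return "excluded"
    for ok in _parse(in_scope):
        if net.version == ok.version and net.subnet_of(ok):
            return "allowed"
    return "out-of-scope"


def scannable_subnets(target, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Carve the exclusions out of a requested range and return what is left.

    Returns [] when the range is not fully inside an in-scope range. CIDR
    blocks are either nested or disjoint, so an overlapping exclusion that
    does not contain the piece is always a strict subnet of it.
    """
    net = ipaddress.ip_network(target, strict=False)
    if not any(net.version == ok.version and net.subnet_of(ok) for ok in _parse(in_scope)):
        return []
    pieces = [net]
    for ex in _parse(excluded):
        if ex.version != net.version:
            continue
        kept = []
        for p in pieces:
            if not p.overlaps(ex):
                kept.append(p)
            elif p.subnet_of(ex):
                continue  # this piece is wholly excluded
            else:
                kept.extend(p.address_exclude(ex))  # split around the exclusion
        pieces = kept
    return [str(p) for p in sorted(pieces)]


def filter_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Split a candidate target list into what may be scanned and what may not."""
    allowed, rejected = [], {}
    for t in targets:
        verdict = classify_target(t, in_scope, excluded)
        if verdict == "allowed":
            allowed.append(t)
        else:
            rejected[t] = verdict
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = filter_targets(["10.10.7.3", "10.10.5.77", "10.11.0.1", "203.0.113.10"])
    print("scan:", ok)
    print("refuse:", bad)
    print("10.10.0.0/21 minus exclusions:", scannable_subnets("10.10.0.0/21"))
```

Feed the scanner only what `filter_targets` or `scannable_subnets` returns, and keep the rejected list: a target the client handed you that falls outside the written scope is itself a scoping error worth raising before you go any further.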
Now both parties should outline the expectations, legal implications, objectives and goals, and the like.
As the pen tester, you want to be sure this contract includes explicit written authorization to test and protects you from liability for work performed within the agreed scope.
After you have worked out an acceptable scope and the engagement's objectives in the contract, make sure both parties' legal counsel review it.
It’s super important!
Make sure you are legally covered.
Once that’s complete, you are pretty much ready to head to phase 2.
2. The reconnaissance phase
After the scope is complete and the legal stuff is out of the way, it’s time to work on reconnaissance.
The idea of this phase is to gather as much info about the subject as you possibly can.
Tempted to skip this and get straight to the fun part?
Not if you want to succeed.
It's really important that you have a clear understanding of the client's systems and operations before you begin exploiting anything.
Some people call this phase "foot-printing".
Common reconnaissance methods include:
- Search engine queries to gather data about the client's personnel, systems and technologies.
- Domain name searches, WHOIS lookups, DNS enumeration and reverse DNS to get subdomains, hostnames, people's names and other data about the attack surface.
- Social engineering to find out positions, technologies and email addresses.
- Internet foot-printing for email addresses, social accounts, names and positions.
- Dumpster diving to find valuable data that may be used for attacks or social engineering.
- Tailgating to get physical access, or photographing the premises with hidden cameras.
And these are only a few of the many things you may want to try during this phase.
Once you are satisfied that you have a good understanding of the target, you’re ready to move on to the next phase.
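A concrete piece of foot-printing that pays off in later phases is working out the client's e-mail address convention: a handful of addresses scraped from press releases or PDFs is usually enough to infer the pattern, and the pattern turns every name you find on an org chart into a likely address for the social engineering part of the test. The example below is an added illustration, not code from the original article. The scraped text, staff names and `example.com` domain are all constructed; the set of candidate patterns is an assumption and would be extended for clients with unusual conventions.

```python
"""Infer a client's e-mail convention from harvested samples and apply it to
other names found during foot-printing.

Added example, not from the original article. Names, addresses and the
example.com domain are constructed.
"""
import re
from collections import Counter

# Candidate conventions (assumed list): label -> (first, last) -> local part.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "f.last": lambda f, l: f"{f[0]}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed scrape of a press page; the vendor address is noise to be filtered out.
SCRAPED = """
Media contact: Priya Natarajan <priya.natarajan@example.com>
For partnerships write to j.ortega@example.com or press@example.com.
Ben O'Brien (ben.obrien@example.com) will present at the conference.
Unrelated: support@other-vendor.example
"""

# Constructed (name, address) pairs confirmed during recon.
KNOWN_STAFF = [
    ("Priya Natarajan", "priya.natarajan@example.com"),
    ("Ben O'Brien", "ben.obrien@example.com"),
    ("Julia Ortega", "j.ortega@example.com"),
]


def _norm(s):
    """Lower-case and drop anything that is not a letter (O'Brien -> obrien)."""
    return re.sub(r"[^a-z]", "", s.lower())


def harvest_emails(text, domain):
    """Pull every address for `domain` out of scraped text, de-duplicated and sorted."""
    return sorted({m.lower() for m in EMAIL_RE.findall(text)
                   if m.lower().endswith("@" + domain)})


def infer_pattern(samples):
    """Vote each known (full name, address) pair against the candidate patterns.

    Returns (best label or None, Counter of votes). A sample can match more
    than one pattern (e.g. a one-letter first name), which is why we vote
    instead of stopping at the first hit.
    """
    votes = Counter()
    for name, email in samples:
        parts = name.split()
        if len(parts) < 2:
            continue
        first, last = _norm(parts[0]), _norm(parts[-1])
        local = email.split("@")[0].lower()
        for label, fn in PATTERNS.items():
            if fn(first, last) == local:
                votes[label] += 1
    if not votes:
        return None, votes
    return votes.most_common(1)[0][0], votes


def generate_candidates(names, domain, label):
    """Apply the inferred convention to names gathered from org charts or social media.

    Single-token names are skipped; hyphenated surnames are collapsed, which
    is one assumption among several a real convention might not share.
    """
    fn = PATTERNS[label]
    out = []
    for name in names:
        parts = name.split()
        if len(parts) < 2:
            continue
        out.append(f"{fn(_norm(parts[0]), _norm(parts[-1]))}@{domain}")
    return out


if __name__ == "__main__":
    print(harvest_emails(SCRAPED, "example.com"))
    label, votes = infer_pattern(KNOWN_STAFF)
    print(label, dict(votes))
    print(generate_candidates(["Dev Singh", "Marta Kowalski-Reyes"], "example.com", label))
```

The vote count matters as much as the winning label: if the votes are split, the client probably has more than one convention (acquisitions often cause this), and your candidate list should carry both.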
Bonus: Reconnaissance Resources
3. The threat modeling and vulnerability identification phase
Once you feel you have sufficient information about the client's systems, you can start modeling the threats the client would realistically face and identifying the vulnerabilities that would allow those attacks.
It’s kind of a pre-attack phase in which you get everything ready.
All that data you gathered during reconnaissance will pay off.
You might start using port scanners to find live hosts, open ports and the services behind them.
Or you may use a vulnerability scanner to find possible vulnerabilities on the network.
You’re looking to get as many details about the systems as you can.
Are the systems up?
What OS are they?
Is there a firewall? Antivirus installed? Intrusion detection? Can it be evaded?
Pro Tip: Get as thorough a network map as possible up front. It will be invaluable as you progress through the test.
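The scanner output is the raw material for that map, and it is worth turning it into a structured inventory early instead of re-reading scan logs later. The block below is an added example, not code from the original article: it parses the XML that Nmap writes with `-oX` into a host, port, service and OS inventory, counts filtered ports per host (a first hint that a firewall is in the way), and flags legacy or high-value remote-access services. The XML is a constructed sample in Nmap's format; the hosts, products and versions in it are made up.

```python
"""Build a network map from Nmap XML output and flag what to look at first.

Added example, not code from the original article. The XML is a constructed
sample in the shape Nmap writes with -oX; hosts, products and versions are
made up.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.10.7.0/28">
<host><status state="up" reason="echo-reply"/>
 <address addr="10.10.7.3" addrtype="ipv4"/>
 <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
   <service name="ssh" product="OpenSSH" version="8.2p1"/></port>
  <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
   <service name="http" product="nginx" version="1.18.0"/></port>
  <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
 </ports>
 <os><osmatch name="Linux 5.4 - 5.10" accuracy="94"/></os>
</host>
<host><status state="up" reason="arp-response"/>
 <address addr="10.10.7.9" addrtype="ipv4"/>
 <hostnames/>
 <ports>
  <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
   <service name="microsoft-ds" product="Windows Server 2008 R2 microsoft-ds"/></port>
  <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
   <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
 </ports>
 <os><osmatch name="Microsoft Windows Server 2008 R2" accuracy="100"/></os>
</host>
<host><status state="down" reason="no-response"/>
 <address addr="10.10.7.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# Services worth a second look whatever the version: legacy or high-value remote access.
NOTEWORTHY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 1433: "mssql", 3389: "rdp", 5900: "vnc"}


def parse_nmap_xml(xml_text):
    """Return {ip: {hostname, os, os_accuracy, filtered, ports}} for hosts that are up."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # only live hosts go on the map
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        hn, osm = host.find("hostnames/hostname"), host.find("os/osmatch")
        ports, filtered = [], 0
        for p in host.findall("ports/port"):
            state = p.find("state").get("state")
            if state == "filtered":
                filtered += 1  # no response at all: something in the path is dropping probes
            if state != "open":
                continue
            svc = p.find("service")
            ports.append({
                "port": int(p.get("portid")), "proto": p.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        inventory[addr.get("addr")] = {
            "hostname": hn.get("name") if hn is not None else None,
            "os": osm.get("name") if osm is not None else None,
            "os_accuracy": int(osm.get("accuracy")) if osm is not None else None,
            "filtered": filtered,
            "ports": sorted(ports, key=lambda x: x["port"]),
        }
    return inventory


def flag_noteworthy(inventory):
    """List (ip, port, label) for open services that usually deserve early attention."""
    return [(ip, p["port"], NOTEWORTHY_PORTS[p["port"]])
            for ip, h in inventory.items() for p in h["ports"] if p["port"] in NOTEWORTHY_PORTS]


def render_map(inventory):
    """One line per host for the working notes (IPv4 ordering assumed)."""
    lines = []
    for ip in sorted(inventory, key=lambda s: tuple(int(o) for o in s.split("."))):
        h = inventory[ip]
        svcs = ", ".join(f"{p['port']}/{p['proto']} {p['service'] or '?'}" for p in h["ports"])
        lines.append(f"{ip:<15} {h['hostname'] or '-':<20} {h['os'] or 'unknown OS':<32} "
                     f"filtered={h['filtered']}  {svcs}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    print(render_map(inv))
    print("look here first:", flag_noteworthy(inv))
```

Run it over a real `-oX` file and the map answers the questions above directly: which hosts are up, what OS Nmap believes they run and with what confidence, and where filtered ports suggest a firewall between you and the target.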
It’s time to start thinking like an attacker.
Think about the company’s assets and how they may be used.
Things like employee info:
Who works in what departments, what is their role, can the employee be exploited as a stepping stone in the attack?
Customer data (if it’s in scope) can also be a valuable target.
Who are their customers?
Do the customers of your client have any kind of access into their systems?
What kind of interactions does the customer have with them? (Think of the Target breach.)
By now you should have a pretty good understanding of the networks.
You’d be thinking about things like:
The domain structure if it exists
Servers that could possibly be exploited.
Which computers would likely hold the things you want: local admin credentials, domain admin credentials, etc.
Come up with a tentative plan of attack.
Pen tests evolve. You’ll likely end up re-thinking as you run into obstacles.
If you put time and effort into this penetration testing phase, you’ll reap the rewards later.
4. The exploitation phase
If you’ve completed all of the steps leading to this one, you are on the road to a successful penetration testing engagement.
Don't relax now.
There’s still a lot to do.
Pro Tip: With all of the possible vulnerabilities you have found by now, you should have plenty of possible entry points to pick from. That’s why those phases are so important.
The time has come:
You can begin exploiting those opportunities to gain access to systems.
Depending on the scope, you'll want to see just how far you can get.
Can you get a shell going on the computer?
Can you get credentials off of it?
Can you use it to pivot to another computer or server?
Or you may try creating an admin account.
That's the main goal of this phase: to gain the highest level of access possible.
Don't get me wrong:
There may be other goals and a ton of damage can still be done even without admin rights.
Once you've exploited everything you can or your engagement time has run out, it's time to move on to the next phase.
5. The post-exploitation phase
After you have completely exploited the systems or reached the end of the testing time, you’ll want to document the methods that you used.
I like to keep this documented as I go to make this phase easier.
I keep a list of devices that I access and the associated vulnerabilities, ports, personnel, etc.
As I work through exploitations, I keep notes and screenshots – especially of the attacks that worked.
My Tip: I like to keep a “chronology” as I go while performing pen tests. I document everything I do, the time I did it, and for how long it ran (if a scan or something similar). In the timeline, I also add the name of the corresponding screenshot. That way, when I’m ready to work on the report, everything is right there.
While you do this, you’ll want to be thinking about the value of the compromised assets.
Was it just an assistant's workstation with little access to the network, or was it a critical server?
What was the value of any data you were able to exfiltrate?
Did you get credit card numbers, or just a marketing email list (still potentially valuable and usable by an attacker)?
Think about the vulnerabilities you used and how they can be fixed.
Note these as you go too.
The other big thing that needs to be done in this phase is cleanup.
Remove any scripts and files that you may have planted and used.
If you changed settings on devices, revert them to what they were. (Again, this is why your notes and screenshots along the way are important.)
Remove any accounts that you may have created during your exploiting.
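The chronology and the cleanup list are really the same notebook, and keeping them in one structure lets you check, before you start writing, that nothing you planted is still on the client's systems. The example below is added here and is not the author's own tooling or code from the original article: a small journal that records each action with its start time, duration and screenshot name, keeps a ledger of every file, account and setting changed, and reports what has not yet been reverted. The hosts, times and artefacts in `demo_journal()` are constructed.

```python
"""Engagement journal: a timestamped chronology of each action (duration and
the screenshot that proves it) plus a ledger that makes sure every artefact
planted on a target is reverted before the report is written.

Added example, not from the original article. The entries in demo_journal()
are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Action:
    start: datetime
    host: str
    what: str
    end: Optional[datetime] = None
    screenshot: Optional[str] = None

    @property
    def duration(self):
        return (self.end - self.start) if self.end else None


@dataclass
class Artifact:
    """Something changed on a target that has to be put back: file, account, setting, service."""
    host: str
    kind: str
    name: str
    original: Optional[str] = None  # previous value, for settings
    reverted: bool = False


class EngagementJournal:
    def __init__(self):
        self.actions = []
        self.artifacts = []

    def log(self, host, what, start, end=None, screenshot=None):
        action = Action(start, host, what, end, screenshot)
        self.actions.append(action)
        return action

    def plant(self, host, kind, name, original=None):
        """Record an artefact the moment it is created, not when you remember it."""
        artifact = Artifact(host, kind, name, original)
        self.artifacts.append(artifact)
        return artifact

    def revert(self, host, kind, name):
        """Mark an artefact as cleaned up; False if nothing matching is outstanding."""
        for a in self.artifacts:
            if (a.host, a.kind, a.name) == (host, kind, name) and not a.reverted:
                a.reverted = True
                return True
        return False

    def outstanding_cleanup(self):
        """Everything still left on the client's systems. Must be empty before reporting."""
        return [a for a in self.artifacts if not a.reverted]

    def timeline(self):
        """Chronology lines in start order: time, host, duration, screenshot, action."""
        rows = []
        for a in sorted(self.actions, key=lambda x: x.start):
            dur = f"{int(a.duration.total_seconds() // 60)}m" if a.duration else "-"
            rows.append(f"{a.start:%Y-%m-%d %H:%M}  {a.host:<14} {dur:>5}  "
                        f"{a.screenshot or '-':<20} {a.what}")
        return rows


def demo_journal():
    """Constructed walk-through: a scan, one access, three artefacts, partial cleanup."""
    j = EngagementJournal()
    t0 = datetime(2024, 3, 12, 9, 0)
    j.log("10.10.7.0/28", "service/version scan", t0, t0 + timedelta(minutes=18), "shot-001-scan.png")
    j.log("10.10.7.9", "authenticated to file share with recovered credentials",
          t0 + timedelta(minutes=40), t0 + timedelta(minutes=41), "shot-002-share.png")
    j.plant("10.10.7.9", "account", "pentest_admin")
    j.plant("10.10.7.9", "file", r"C:\Windows\Temp\rs.exe")
    j.plant("10.10.7.3", "setting", "PermitRootLogin", original="no")
    j.revert("10.10.7.9", "file", r"C:\Windows\Temp\rs.exe")  # the account and setting remain
    return j


if __name__ == "__main__":
    journal = demo_journal()
    print("\n".join(journal.timeline()))
    for a in journal.outstanding_cleanup():
        print("STILL ON TARGET:", a.host, a.kind, a.name, f"(was: {a.original})")
```

Make `outstanding_cleanup()` returning an empty list a hard gate before the report goes out; the `original` field is what lets you restore a setting to exactly what it was rather than to what you assume the default is.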
Now, it’s time for the report.
Bonus: Post-Exploitation Resources
6. The reporting phase
While maybe not the most enjoyable of the penetration testing phases, reporting is probably the most important phase.
Because it's here that you tell your client where their systems are weak and how to fix those weaknesses.
You should tell the client exactly which exploits you used to compromise their systems, as well as exactly what steps they should take to remediate them.
The whole point in this penetration testing engagement was to make their systems more secure, right?
So don’t hold anything back.
To make things totally clear for the client, I like to:
Weight each exploit or weakness with a risk rating: low, moderate, high or extreme.
This rating is based on how easy the weakness was to exploit and how much damage it could cause.
Then, I always add a suggested remediation timeline.
Critical items are in the 1 – 3 month timeline and non-critical findings are in the 3 – 6 month bracket.
I like to make it very easy for the client to see what they need to address, what is most critical, and just how critical it is.
I do this because I have another phase after this that not every penetration tester performs.
7. The resolution & re-testing phase
Not all penetration testers do this phase.
After a pen test when I’ve given the client my full findings and recommendations list, I usually give them a space of time to resolve the issues.
Then, if they want, I’ll re-test the items they fixed and verify the vulnerability no longer exists.
Similarly, some clients want the penetration tester to assist in resolving the issues.
It’s not the most common, but I’ve had a few request assistance.
So those are the 7 phases of a penetration test that I use to get amazing results and happy clients every time.
What phases do you use? Or do you have resources to add?
Please share in the comments below.