What are the steps of a pen test?

Penetration testing, also known as pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Pen testing combines automated tools with manual, attacker-style investigation; the manual part is what distinguishes it from a vulnerability scan. It provides organizations with a method for proactively identifying and remediating security flaws within their IT infrastructure.

Why is Penetration Testing Important?

Penetration testing is an important part of an organization’s security strategy. It allows organizations to identify and address vulnerabilities before they are discovered and exploited by attackers. Some key benefits of penetration testing include:

  • Identifying unknown vulnerabilities and misconfigurations that automated vulnerability scanners may miss
  • Testing the effectiveness of security controls and defenses
  • Demonstrating vulnerabilities that exist on production systems and networks
  • Raising awareness of security issues among leadership and IT teams
  • Providing evidence to support increased investments in security measures
  • Fulfilling compliance requirements related to regular security assessments

Without periodic penetration testing, organizations leave themselves open to security breaches that could lead to loss of data, intellectual property, reputation and revenue.

When Should You Conduct Penetration Testing?

Organizations should conduct penetration testing:

  • On a regular schedule, such as annually or quarterly
  • After major infrastructure or application upgrades
  • In response to an identified vulnerability or exploit
  • To meet compliance requirements
  • Anytime there are significant changes to the attack surface, such as new services coming online

Regularly scheduled penetration tests reflect changes in an evolving threat landscape and adjustments to the organization’s security posture. Testing critical systems and new applications helps identify vulnerabilities that may have been introduced.

Penetration Testing Methodology

Penetration testers follow a standard methodology to systematically evaluate the security of an environment. The main phases include:

Planning

The planning phase involves defining the scope and goals for the pen test. Testers work with the organization to:

  • Identify the targets (e.g. network ranges, domain names, applications, etc.)
  • Determine which testing methods and tools are allowed
  • Establish testing timeframes
  • Define success criteria

Rules of engagement are agreed in writing so that testing does not disrupt legitimate business operations. They name the authorized targets, the permitted testing windows and techniques, emergency contacts on both sides, and what the tester must do on finding evidence of a real intrusion already in progress.

Information Gathering

The information gathering phase involves collecting data about the target environment. Techniques include:

  • Finding network addresses and open ports
  • Discovering subdomains
  • Identifying applications and services
  • Fingerprinting operating systems
  • Gathering employee names and emails

This reconnaissance enables testers to build a detailed map of the target environment and identify potential weak spots for exploitation.
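A minimal version of the first two reconnaissance steps, finding open ports and identifying the service behind them, as an added example that is not code from the original page. It performs a TCP connect scan and reads whatever banner the service sends first. The target service, the port numbers and the banner text are constructed here so the script runs offline against 127.0.0.1; the fingerprint rules are a toy stand-in for the large signature databases real scanners carry.

```python
import socket
import threading
from typing import Dict, Iterable, Optional


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real service: listens on an ephemeral
    127.0.0.1 port and greets every client with `banner`. Returns the port.
    Only here so the scanner below can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def pick_closed_port() -> int:
    """Reserve and immediately release a port so the scan has a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """TCP connect scan of one port. Returns None when the port is closed or
    filtered, otherwise whatever the service said first (an empty string for
    services such as HTTP that wait for the client to speak)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    except OSError:  # ConnectionRefusedError and connect timeouts are OSErrors
        return None
    return data.decode("utf-8", errors="replace").strip()


def fingerprint(banner: str) -> str:
    """Rough service guess from the banner. Real tools match against a large
    probe/signature database; this only recognises a few chatty protocols."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 ") and "FTP" in banner.upper():
        return "ftp"
    if banner.startswith("220 "):
        return "smtp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown" if banner else "silent"


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    """Map each open port to its banner; closed and filtered ports are omitted."""
    results: Dict[int, str] = {}
    for port in ports:
        banner = probe_port(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    targets = [ssh_port, pick_closed_port()]
    for port, banner in scan("127.0.0.1", targets).items():
        print(f"{port}/tcp open  {fingerprint(banner):8} {banner}")
```

A connect scan completes the TCP handshake, so it is noisy and shows up in the target's connection logs; that is acceptable in an authorized test and is exactly the kind of event the organization's monitoring team should be able to spot.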

Vulnerability Scanning

Vulnerability scanning detects weaknesses and misconfigurations in systems and applications using automated tools. Activities include:

  • Network scanning to uncover open ports and vulnerable services
  • Web application scanning to find flaws like SQL injection and cross-site scripting
  • Configuration scanning to audit against best practice policies
  • Version checks of running services and installed packages against databases of known vulnerabilities

Scanning results provide a baseline to prioritize penetration testing efforts. Scanner output is not a finding in itself: it contains false positives and misses logic flaws, so each result is verified manually before it is reported or exploited.
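How a web application scanner confirms a SQL injection flaw such as the one mentioned above, as an added example rather than code from the original page. The scanner-side check is boolean-based: it sends a payload whose extra condition is always true and one whose condition is always false, and flags the parameter only when the first leaves the response unchanged and the second changes it. The product catalog, the two lookup handlers and the responses are constructed here so the script runs offline against an in-memory SQLite database; the hardened handler shows the fix the report would recommend.

```python
import sqlite3
from typing import Callable, Dict


def build_catalog() -> sqlite3.Connection:
    """Constructed sample data: two public products and one that the
    application must never show to anonymous users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Internal prototype", 0)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> str:
    """Deliberately vulnerable: the request parameter is concatenated into the
    SQL text, so anything the client sends is parsed as SQL."""
    sql = (
        "SELECT name FROM products WHERE public = 1 AND id = "
        + product_id
        + " ORDER BY id"
    )
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return ", ".join(name for (name,) in rows)


def hardened_lookup(conn: sqlite3.Connection, product_id: str) -> str:
    """Fixed version: validate the type, then bind the value as a parameter so
    the query structure cannot be changed by the client."""
    if not product_id.isdigit():
        return "error: invalid id"
    rows = conn.execute(
        "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id",
        (int(product_id),),
    ).fetchall()
    return ", ".join(name for (name,) in rows)


def boolean_sqli_probe(handler: Callable[[str], str], known_good: str) -> bool:
    """Boolean-based check as a scanner runs it against one parameter.
    A handler that rejects or escapes the payload fails the always-true
    comparison and is reported clean."""
    baseline = handler(known_good)
    always_true = handler(f"{known_good} AND 1=1")
    always_false = handler(f"{known_good} AND 1=2")
    return always_true == baseline and always_false != baseline


def demo() -> Dict[str, object]:
    conn = build_catalog()
    return {
        "vulnerable_flagged": boolean_sqli_probe(lambda v: vulnerable_lookup(conn, v), "1"),
        "hardened_flagged": boolean_sqli_probe(lambda v: hardened_lookup(conn, v), "1"),
        # Exploitation step: OR binds looser than AND, so "1 OR 1=1" turns the
        # filter into (public = 1 AND id = 1) OR 1=1 and returns every row.
        "vulnerable_dump": vulnerable_lookup(conn, "1 OR 1=1"),
        "hardened_dump": hardened_lookup(conn, "1 OR 1=1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The probe compares whole responses, so on a real site it must be run against a page whose content does not vary between requests (timestamps, CSRF tokens and advertising blocks are stripped first), otherwise every parameter looks injectable.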

Exploitation

The exploitation phase involves actively probing vulnerabilities to demonstrate real-world impact and risks. Testers may:

  • Attempt to crack weak passwords and hashes
  • Test input validation controls by injecting malicious inputs
  • Verify the extent to which vulnerabilities can be exploited
  • Pivot through systems by chaining exploits to reach critical assets
  • Capture WPA handshakes and attempt to crack weak pre-shared keys offline

Successful exploitation provides evidence of vulnerabilities and solidifies the need for mitigation.
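The first bullet above, cracking weak passwords and hashes, as an added example that is not code from the original page. It runs the same dictionary-plus-mangling attack against two password stores: one that keeps a single unsalted SHA-256 per user, and one that uses a per-user random salt with PBKDF2. The accounts, passwords and wordlist are constructed for the demo; the PBKDF2 iteration count is kept low so the script finishes in a second or two, and real deployments use far more.

```python
import hashlib
import os
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed wordlist; a real run would use a leaked-password list.
WORDLIST: List[str] = ["password", "welcome", "summer", "letmein", "Tr0ub4dor&3"]

# Constructed accounts. Two users reuse the same weak password; carol's is random.
PASSWORDS: Dict[str, str] = {
    "alice": "Summer2024",
    "bob": "letmein",
    "carol": "x9$kQ2!vLp7",
    "dave": "letmein",
}

PBKDF2_ITERATIONS = 10_000  # deliberately low for demo speed


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Mangling rules of the kind John the Ripper and Hashcat apply: each word
    as-is and capitalised, each of those with a few common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for suffix in ("1", "123", "!", "2023", "2024"):
                yield base + suffix


def store_unsalted(passwords: Dict[str, str]) -> Dict[str, str]:
    """How a weak application stores passwords: one fast, unsalted hash."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in passwords.items()}


def store_salted(passwords: Dict[str, str], iterations: int) -> Dict[str, Tuple[bytes, str]]:
    """Per-user random salt plus a slow key derivation function."""
    out: Dict[str, Tuple[bytes, str]] = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations).hex())
    return out


def crack_unsalted(hashes: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Hash every candidate once, then look all users up in the table. Returns
    (cracked, hash computations). The cost is independent of the number of
    accounts, and identical hashes expose password reuse."""
    table: Dict[str, str] = {}
    work = 0
    for cand in candidates(wordlist):
        table[hashlib.sha256(cand.encode()).hexdigest()] = cand
        work += 1
    return {u: table[h] for u, h in hashes.items() if h in table}, work


def crack_salted(records: Dict[str, Tuple[bytes, str]], wordlist: Iterable[str],
                 iterations: int) -> Tuple[Dict[str, str], int]:
    """Each account needs its own pass over the candidates because the salt
    defeats the shared table, and every guess costs `iterations` hash rounds."""
    cracked: Dict[str, str] = {}
    work = 0
    for u, (salt, digest) in records.items():
        for cand in candidates(wordlist):
            work += 1
            if hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, iterations).hex() == digest:
                cracked[u] = cand
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = store_unsalted(PASSWORDS)
    found, work = crack_unsalted(unsalted, WORDLIST)
    print(f"unsalted sha256: cracked {found} with {work} hash computations")
    print("password reuse visible from hashes alone:", unsalted["bob"] == unsalted["dave"])
    salted = store_salted(PASSWORDS, PBKDF2_ITERATIONS)
    found, work = crack_salted(salted, WORDLIST, PBKDF2_ITERATIONS)
    print(f"salted pbkdf2: cracked {found} with {work} guesses x {PBKDF2_ITERATIONS} rounds")
```

Both stores give up the same weak passwords, which is the point a report should make: salting and a slow KDF raise the attacker's cost per account but do not rescue passwords that appear in a wordlist, so the remediation is a password policy or MFA as well as a storage fix.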

Post-Exploitation

After gaining initial access, testers seek to gain greater access and pivot across the environment. Activities include:

  • Enumerating software configurations and patches
  • Harvesting credentials from systems
  • Lateral movement throughout the network
  • Identifying high value data and assets

Thorough post-exploitation activities demonstrate the extent of access an attacker could potentially achieve.

Reporting

Detailed reporting provides documentation of all vulnerabilities and recommended remediation. A typical penetration test report includes:

  • An executive summary
  • Description of the testing methodology
  • Outline of the discovered vulnerabilities
  • Proof of concept evidence for successful exploits
  • Risk ratings and mitigation advice for findings
  • Network topology diagrams
  • Raw technical results of scans and tests

Management can use the report findings to make informed decisions about security improvements.

Remediation

The final phase involves mitigating vulnerabilities uncovered during testing. Organizations will:

  • Validate report findings
  • Assign risk ratings and priorities
  • Perform software updates and patching
  • Tune detection mechanisms and alerts
  • Reconfigure vulnerable systems and services

Iteratively re-testing vulnerabilities verifies that the issues have been resolved.

Types of Penetration Testing

There are several types of penetration testing, classified based on the information provided to testers and the goals of the engagement:

Black Box Testing

  • Simulates an external attack by an adversary with no inside knowledge
  • Testers are provided no information beyond the agreed scope
  • Models what an opportunistic real-world attacker would find
  • Realistic but time-bound: a real attacker has months, the tester has days, so coverage is lower than with grey or white box testing

White Box Testing

  • Assumes testers have full knowledge of the target environment
  • Access to architecture diagrams, source code, etc.
  • Focuses on finding subtle vulnerabilities

Grey Box Testing

  • Balanced approach combining some internal knowledge with black box testing
  • Partial information such as network diagrams provided
  • Usually the most cost-effective option for large environments, since the tester does not spend the engagement window rediscovering what the organization already knows

Choosing a Penetration Testing Service

Organizations have the option of conducting penetration tests using trained in-house security staff or hiring an external service provider. Factors when selecting a service include:

  • Experience: Evaluate services with a proven history and seasoned penetration testers.
  • Methodology: Look for services with systematic testing processes.
  • Reporting: Reports should provide detailed findings and clear remediation guidance.
  • Compliance: Select services that adhere to industry standards and frameworks.
  • Scope: Services should offer testing of various components – network, web apps, wireless, etc.
  • Credentials: Prefer services with testers holding respected certifications like Offensive Security Certified Professional (OSCP).
  • Timing: Testing should be performed on an ongoing basis, not just a one-off engagement.

Preparing for a Penetration Test

Advance planning and preparation are key to getting the most value from a penetration test. Steps to take prior to testing include:

  • Scoping the size and limits of the test
  • Listing sensitive systems, data or users that are off-limits
  • Allocating resources to monitor tests
  • Freezing updates to systems and software where possible
  • Verifying robust backup and recovery mechanisms
  • Informing help desks and monitoring teams that testing will occur

Taking these steps helps facilitate testing while minimizing business disruptions.

Penetration Testing Tools

Penetration testers rely on a diverse toolkit of software programs and scripts. Some commonly used tools include:

Category                Tools
Information gathering   Nmap, Netcat, Maltego, FOCA, theHarvester, Recon-ng
Vulnerability scanning  Nessus, OpenVAS, Nexpose, Retina CS
Web app scanning        Burp Suite, OWASP ZAP, w3af, Nikto
Packet crafting         Hping, Yersinia, Scapy
Password attacks        John the Ripper, Hashcat (offline cracking), Hydra (online brute force)
Wireless testing        Aircrack-ng, Kismet, Wifite
Exploitation            Metasploit, sqlmap, Social-Engineer Toolkit (SET)
Post-exploitation       Mimikatz, PowerSploit, Veil Framework
Reporting               Dradis, plus the report exports of Nessus and OpenVAS

Scripting languages like Python and PowerShell are also extensively used to create custom test scripts.

Penetration Testing Standards

Well-defined standards guide how penetration tests should be safely and effectively conducted. Some key standards include:

  • Payment Card Industry Data Security Standard (PCI DSS) – Requirement 11 mandates internal and external penetration testing of the cardholder data environment at least annually and after significant changes.
  • Penetration Testing Execution Standard (PTES) – Details a seven-phase methodology running from pre-engagement interactions through intelligence gathering, threat modeling, vulnerability analysis, exploitation and post-exploitation to reporting.
  • NIST SP 800-115 – The Technical Guide to Information Security Testing and Assessment; describes planning, execution and post-test techniques. Written for US federal agencies but widely used elsewhere.
  • OSSTMM – The Open Source Security Testing Methodology Manual from ISECOM, a peer-reviewed methodology for operational security testing that also defines rules of engagement for testers.

Adhering to standards ensures tests are high-quality, consistent, and safe.

Legal and Ethical Considerations

Penetration testers must operate within clear legal and ethical boundaries. Key considerations include:

  • Defining a limited scope authorized by the client
  • Securing written permission and contracts for testing activities
  • Informing relevant parties before tests commence
  • Implementing technical safeguards like network segmentation
  • Handling and reporting on vulnerabilities responsibly
  • Escalating critical flaws as soon as they are confirmed rather than holding them for the final report, so the business can decide how to handle the risk in the meantime
  • Staying within the client's objectives rather than pursuing systems out of personal curiosity

Unethical penetration testing that lacks permission or recklessly endangers systems can cross over into illegal hacking.

Career Paths in Penetration Testing

Penetration testing offers an exciting and challenging career path in information security. Typical roles include:

  • Penetration Tester – Conduct security assessments of networks, applications, wireless systems, etc.
  • Ethical Hacker – Apply hacking techniques to identify vulnerabilities from an adversary’s viewpoint.
  • Red Teamer – Simulate cyber attacks to test incident response processes.
  • Vulnerability Assessment Analyst – Scan for vulnerabilities and report detailed technical risks.
  • Information Security Consultant – Perform a range of security assessments for clients.

Penetration testers need a blend of soft and technical skills. Important capabilities include communication, report writing, creativity, persistence, programming skills and an ethical hacker mindset.

Conclusion

Penetration testing provides tremendous value for securing critical systems and data from real-world attacks. By proactively testing defenses from an adversary’s perspective, organizations can identify and resolve security gaps before they are exploited. With a sound penetration testing methodology and the help of skilled security professionals, companies can implement robust cybersecurity protections.