Phases of Penetration Testing

What is Penetration Testing

Raj Upadhyay
3 min readSep 11, 2020

Penetration Testing can be described as

Finding Vulnerabilities and exploiting them to find out how much target can be compromised”

Penetration testing is a safe way to find out how well your security protocols protect your system. Penetration testing can be done on network, servers, computers, firewalls, etc.

Phases of a Penetration Test

1. Pre-Engagement Interactions

2. Intelligence Gathering

3. Threat Modeling

4. Vulnerability Identification

5. Exploitation

6. Post Exploitation

7. Reporting

Penetration Testing Life Cycle

1. Pre-Engagement Interactions

In this phase, you (pentester) discuss the scope and terms of penetration testing with the client. In this phase, you must define the scope of the pentest. Also, the pentester should educate the client about what is to be expected from the pentest.

Pre-Engagement Interactions: Defining of Scope and terms of pentest.

2. Intelligence Gathering

In this phase, we will gather any information that can be gathered about the organization we are attacking. Like we can use Social-media networks, Google Hacking to gather information about an organization. In this phase first, we try to collect as much information without directly contacting with a target (Passive Information Gathering). Next, we interact with the target via scanning there network to look for what services are running on.

Passive information gathering + Active Information Gathering.

3. Threat Modeling

In this phase whatever information we gathered about the target, we will use them and identify any existing vulnerability present or not. In this phase, we will determine the most effective attack methods and how an organization might be attacked.

Identify any Existing Vulnerability present or not.

4. Vulnerability Analysis

In this phase, we will combine the information that we’ve learned from the prior phases and use it to understand what attacks might be viable.

Identify most viable Attacks.

5. Exploitation

This is the most amazing phase of Penetration testing. We try to exploit the system. An exploit should be performed only when we know almost beyond a shadow of a doubt that a particular exploit will be successful. before we trigger a vulnerability, we should know that the system is vulnerable.

Exploit after you are sure that your exploit will work 100%. Don’t try any random exploits on target.

6. Post Exploitation

Once we compromise one of the systems then we try to compromise the next system so we can collect more sensitive information stored in them. When we exploit one system after another, we are trying to demonstrate attacks that would have the greatest business impact.

Post exploitation is one of those tricky scenarios in which we must take
the time to learn what information is available to us and then use that information to our benefit.

Try to collect more sensitive information about target.

7. Reporting

It’s the most important part of the Penetration testing life cycle. we need to specify each and every step that we have done. Starting from information gathering to post-exploitation. We need to mention each and every activity that we did in the previous step.

It’s an art to write Penetration Testing report because we need to use simple language that non-security person (CEO, CFO) can understand what we did.

we should also give solutions to patch the vulnerability.

Mention each and every step that we did in all phases in the report.

--

--

Raj Upadhyay

DFIR Consultant || #LoveToPlayCTF #infosec #cybersecurity #4n6