Like most things, the overall process of penetration testing can be broken down into a series of steps or phases. When put together, these steps form a comprehensive methodology for completing a penetration test. Careful review of unclassified incident response reports or breach disclosures supports the idea that most black hat hackers also follow a process when attacking a target. An organized approach is important because it not only keeps the penetration tester focused and moving forward but also allows the results or output from each step to be used in the ensuing steps. A methodology lets you break down a complex process into a series of smaller, more manageable tasks. Understanding and following a methodology is an important step in mastering the basics of hacking. Depending on the class you are taking, this methodology usually contains between four and seven steps or phases. Although the names or number of steps can vary between methodologies, the important thing is that the process provides a complete overview of the penetration testing process.
For example, some methodologies use the term “Information Gathering,” whereas others call the same process “Reconnaissance.” I will focus on the activities of the phase rather than the name. I will use a four-step process to explore and learn penetration testing. If you search around and examine other methodologies (which is important to do), you may find processes that include more or fewer steps than I am using, as well as different names for each of the phases. It is important to understand that although the specific terminology may differ, most solid penetration testing methodologies cover the same topics. There is one exception to this rule: the final step in many hacking methodologies is a phase called “hiding,” “covering your tracks,” or “removing evidence.” It will not be included in the coming posts. Once you have a solid understanding of the basics, you can go on to explore and learn more about this phase. For the time being I am just refreshing the four simple steps: Reconnaissance, Scanning, Exploitation, and Maintaining Access. Sometimes it helps to visualize these steps as an inverted triangle.
I use an inverted triangle because the outcome of the initial phases is very broad. As we move down into each phase, we continue to drill down to very specific details. The inverted triangle works well because it represents our journey from the broad to the specific. For example, as we work through the reconnaissance phase, it is important to cast our nets as wide as possible. Every detail and every piece of information about our target is collected and stored. The penetration testing world is full of cases in which a seemingly trivial piece of information was collected in the initial phase and later turned out to be a crucial component for successfully completing an exploit and gaining access to the system. In later phases, we begin to drill down and focus on more specific details of the target. Where is the target located? What is the IP address? What operating system is the target running? What services and versions of software are running on the system? As you can see, each of these questions becomes increasingly detailed and granular.

It is also important to understand the order of the steps. The order in which we conduct the steps is very important because the result or output of one step needs to be used in the step below it. You need to understand more than just how to run the security tools from the future posts. Understanding the proper sequence in which they are run is vital to performing a comprehensive and realistic penetration test. For example, many newcomers skip the Reconnaissance phase and go straight to exploiting their target. Not completing steps 1 and 2 will leave you with a significantly smaller target list and fewer attack vectors on each target. In other words, you become a one-trick pony. Although knowing how to use a single tool might be impressive to your friends, it is not to the security community and professionals who take their job seriously. It may also be helpful for newcomers to think of the steps we will cover as a circle. It is very rare to find critical systems exposed directly to the Internet in today’s world. In many cases, penetration testers must access and penetrate a series of related targets before they have a path to reach the original target. In these cases, each of the steps is often repeated.
Zero Entry Hacking: A Four-Step Model
Let us briefly review each of the four steps that will be covered so you have a solid understanding of them. The first step in any penetration test is “reconnaissance.” This phase deals with gathering information about the target. As was mentioned previously, the more information you collect on your target, the more likely you are to succeed in later steps. Reconnaissance will be discussed in detail in coming posts. Regardless of the information you had to begin with, after completing in-depth reconnaissance you should have a list of target IP addresses that can be scanned.

The second step in our methodology can be broken out into two distinct activities. The first activity we conduct is port scanning. Once we have finished with port scanning, we will have a list of open ports and the potential services running on each of the targets. The second activity in the scanning phase is vulnerability scanning. Vulnerability scanning is the process of locating and identifying specific weaknesses in the software and services of our targets.

With the results from scanning, we continue to the “exploitation” phase. Once we know exactly what ports are open, what services are running on those ports, and what vulnerabilities are associated with those services, we can begin to attack our target. This is the phase that most newcomers associate with “real” hacking. Exploitation can involve many different techniques, tools, and code. We will review a few of the most common tools in coming posts. The ultimate goal of exploitation is to have administrative access (complete control) over the target machine.

The final phase we will examine is “maintaining access.” Oftentimes, the payloads delivered in the exploitation phase provide us with only temporary access to the system. Because most payloads are not persistent, we need to create a more permanent backdoor to the system. This process allows our administrative access to survive program closures and even reboots. We must be very careful about the use and implementation of this phase. We will discuss how to complete this step as well as the ethical implications of using backdoor or remote control software.

Although not included as a formal step in the penetration testing methodology, the final (and arguably the most important) activity of every penetration test is the report. Regardless of the amount of time and planning you put into conducting the penetration test, the client will often judge your work and effectiveness on the basis of the quality of your report. The final penetration testing report should include all the relevant information uncovered in your test and explain in detail how the test was conducted and what was done during the test. Whenever possible, mitigations and solutions should be presented for the security issues you uncovered. Finally, an executive summary should be included in every penetration testing report. The purpose of this summary is to provide a simple one- to two-page, non-technical overview of your findings. It should highlight and briefly summarize the most critical issues your test uncovered. It is vital that this summary be readable (and comprehensible) by both technical and non-technical personnel. It is important not to fill the executive summary with too many technical details; that is the purpose of the detailed report.