Phases of a penetration test

Like most things, the overall process of penetration testing can be broken down into a series of steps or phases. When put together, these steps form a comprehensive methodology for completing a penetration test. Careful review of unclassified incident response reports or breach disclosures supports the idea that most black hat hackers also follow a process when attacking a target. The use of an organized approach is important because it not only keeps the penetration tester focused and moving forward but also allows the results or output from each step to be used in the ensuing steps.

The use of a methodology allows you to break down a complex process into a series of smaller, more manageable tasks. Understanding and following a methodology is an important step in mastering the basics of hacking. Depending on the literature or class you are taking, this methodology usually contains between four and seven steps or phases. Although the names or number of steps can vary between methodologies, the important thing is that the process provides a complete overview of the penetration testing process.

For example, some methodologies use the term “Information Gathering”, whereas others call the same process “Reconnaissance”. In this course, we’ll focus on the activities of the phase rather than the name. After you’ve mastered the basics, you can review the various penetration testing methodologies and choose one that you like best.

To keep things simple, we’ll use a four-step process to explore and learn penetration testing. If you want to search around and examine other methodologies (which is important to do), you may find processes that include more or fewer steps than we’re using, as well as different names for each of the phases. It’s important to understand that although specific terminology may differ, most solid penetration testing methodologies cover the same topics.

There’s one exception to this rule: the final step in many hacking methodologies is a phase called “hiding”, “covering your tracks” or “removing evidence”. Because this course focuses on understanding the basics, it won’t be included in this methodology. Once you have a solid understanding of the basics, you can go on to explore and learn more about this phase.

The remainder of this course will be dedicated to reviewing and teaching the following steps: Reconnaissance, Scanning, and Maintaining Access. Sometimes it helps to visualize these steps as an inverted triangle. The reason we use an inverted triangle is that the outcome of the initial phases is very broad. As we move down through each phase, we continue to drill down to very specific details.

The inverted triangle works well because it represents our journey from the broad to the specific. For example, as we work through the reconnaissance phase, it’s important to cast our nets as wide as possible. Every detail and every piece of information about our target is collected and stored. The penetration testing world is full of examples in which a seemingly trivial piece of information was collected in the initial phase and later turned out to be a crucial component for successfully completing an exploit and gaining access to the system. In later phases, we’ll begin to drill down and focus on more specific details of the target. Where is the target located? What is the IP address? What operating system is the target running? What services and versions of software are running on the system? As you can see, each of these questions becomes increasingly detailed and granular.

It’s also important to understand the order of each step. The order in which we conduct the steps is very important because the result or output of one step needs to be used in the step below it. You need to understand more than just how to run the security tools in this course. Understanding the proper sequence in which they are run is vital to performing a comprehensive and realistic penetration test.

For example, many newcomers skip the Reconnaissance phase and go straight to exploiting their target. Not completing steps 1 and 2 will leave you with a significantly smaller target list and fewer attack vectors on each target. In other words, you become a one-trick pony. Although knowing how to use a single tool might be impressive to your friends and family, it ain’t to the security community and professionals who take their job seriously.

It may also be helpful for newcomers to think of the steps we’ll cover as a circle. It’s very rare to find critical systems exposed directly to the Internet in today’s world. In many cases, penetration testers must access and penetrate a series of related targets before they have a path to reach the original target. In these cases, each one of the steps is often repeated.