The methodology steps

When performing a pentest you will always follow these steps or similar ones. Each team may have its own nomenclature or number of steps, but in the end it is almost always the same. Obviously it is not obligatory to follow them in strict order, and some are done in parallel, but not having an organized plan with protocols will surely end in chaos, confusion and errors, and will slow your work down considerably.

Pre-Engagement

The first step, before starting any technical work, where you talk with the client and define the type, scope and objectives of the pentest. Both parties have to reach a written agreement. It may sound boring but it's crucial to establish the rules of engagement, constraints and limitations, to obtain proper authorization and legal permission, sign NDAs, etc. The signed authorization is what separates a pentest from an attack, so keep a copy at hand for the whole job. This step defines how far you can go and marks the direction of all the next steps. Without a very clear map of the job to do you can waste hours and even end up with legal problems.


Information Gathering

Depending on the type of assessment, be it white, grey or black box, you will have to gather more or less information about the target: domain names, IP addresses, network infrastructure... In this step you think of nmap, but there are OSINT techniques too; it's key to gather data about employees, organization structure, potential human vulnerabilities, etc. Check every discovered host against the agreed scope before scanning it further, since discovery routinely surfaces systems that belong to third parties. This step will mostly be ongoing and parallel to the others until the end of the job.

White box: the pentester has complete and detailed knowledge of the internal architecture, design and source code of the client. The test will not simulate a real attack from the outside, but the analysis will be much more detailed and thorough, reviewing each configuration. On the other hand it is much more expensive and long, and it can give the client a false sense of security because it may not reflect the real world: an external attacker usually won't have the full source code, and usually won't need it to find a vulnerability.

Black box: the opposite of white box. With little to no information about the client, maybe just the name, the pentester simulates a real attack from the outside and tests the detection and response of its defense systems. While it's the closest to a real attack, it may overlook some important vulnerabilities.

Grey box: a combination of white and black box, where pentesters are given a limited amount of information. It's usually used for a focused pentest on a specific part of the infrastructure. For example a pentester may be given a low-privileged account and has to try to escalate privileges. It can also simulate attacks from an insider.
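The scope agreed in the pre-engagement step and the host discovery of this step meet in practice when you turn scanner output into a target list. The following is an added example (not code from the original page): it parses an nmap XML report (`-oX` format, here a constructed sample) into an inventory of open ports and separates any host that falls outside the agreed CIDR ranges. The scope list, the IP addresses and the services in the sample are assumptions made up for the demonstration.

```python
"""Scope check and nmap triage helper (added example, not from the original page).

Assumed inputs: the in-scope CIDR ranges from the signed agreement, and an
nmap XML report as produced by `nmap -oX`. Both are constructed here.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed scope, as it would appear in the agreement (assumption).
IN_SCOPE = ["10.10.0.0/24", "203.0.113.10/32"]

# Constructed nmap -oX style output; 203.0.113.99 is deliberately outside scope.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.10.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/></port>
      <port protocol="tcp" portid="445"><state state="closed"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="203.0.113.99" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""


def build_scope(cidrs):
    """Turn the agreed CIDR strings into network objects once."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(addr, networks):
    """True if the address lies inside any agreed range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def parse_nmap_xml(xml_text):
    """Return {ip: [(port, proto, service, product, version), ...]} for open ports only."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        open_ports = []
        for port in host.findall("./ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            open_ports.append((int(port.get("portid")), port.get("protocol"),
                               get("name"), get("product"), get("version")))
        hosts[addr_el.get("addr")] = open_ports
    return hosts


def triage(xml_text, cidrs):
    """Split parsed hosts into an in-scope inventory and out-of-scope hits that must not be touched."""
    networks = build_scope(cidrs)
    inventory, out_of_scope = {}, []
    for ip, ports in parse_nmap_xml(xml_text).items():
        if in_scope(ip, networks):
            inventory[ip] = ports
        else:
            out_of_scope.append(ip)
    return inventory, out_of_scope


if __name__ == "__main__":
    inv, oos = triage(SAMPLE_NMAP_XML, IN_SCOPE)
    for ip, ports in inv.items():
        for port, proto, name, product, version in ports:
            print(f"{ip}:{port}/{proto} {name} {product} {version}".rstrip())
    for ip in oos:
        print(f"OUT OF SCOPE (do not scan or exploit): {ip}")
```

Closed and filtered ports are dropped on purpose: the inventory is the list of things you may actually touch, and the out-of-scope list is what goes back to the client as a question, never onto the target list.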


Vulnerability Assessment

This step, though very close to the next one, has a specific aim: to validate the existence of vulnerabilities and classify them. Here the pentester uses various automated scanning tools for a first look at the most common and likely vulnerabilities, then uses this information to manually investigate further. Scanner output is full of false positives, so nothing goes into the report until it has been confirmed by hand. Confirmed findings are then prioritized based on their severity and potential impact on the security of the target.


Exploitation

Once the vulnerabilities are found, the pentester, very carefully, has to actually exploit them and demonstrate (without doing real damage, obviously) the real-world impact the attack could have. For this pentesters may use automated exploitation frameworks like the famous Metasploit or manually craft exploits for the specific occasion. Anything that risks availability, such as an exploit that may crash a production service, needs explicit approval under the rules of engagement. It may also involve attempting password attacks and finding credentials that could be compromised.


Post-Exploitation & Persistence

Now that the system is exploited and the pentester has gained access, it's time to establish a foothold in the target: to see if we can come back easily, to open a backdoor and return later. For this the pentester will use various tools and backdoor scripts and try to stay hidden from the detection systems as long as possible. This is crucial since even if the vulnerability gets fixed, if the bad actor already breached in and created a backdoor, they will not need to exploit it again. That is why having detection on what data is going out of the company infrastructure is as crucial as on what is trying to get in. Every backdoor, account or scheduled task the pentester leaves behind must be documented and removed at the end of the engagement.
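The egress detection mentioned above has a concrete form: a backdoor that checks in on a timer produces near-constant intervals between connections to the same destination, which human browsing does not. The following added example (not code from the original page) runs that check over a constructed, simplified connection log; the log format, addresses and thresholds are assumptions for the demonstration.

```python
"""Beaconing check over outbound connection logs (added example, not from the page).

Constructed log line format (assumption): "<epoch> <src_ip> <dst_ip> <dst_port> <bytes_out>".
Idea: per (src, dst, port), measure how regular the gaps between connections are.
A low coefficient of variation (std dev / mean of the gaps) is the beacon signature.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.10.0.5 checks in every ~60 s; 10.10.0.7 is ordinary bursty traffic.
SAMPLE_LOG = """
1700000000 10.10.0.5 203.0.113.50 443 812
1700000060 10.10.0.5 203.0.113.50 443 790
1700000120 10.10.0.5 203.0.113.50 443 801
1700000181 10.10.0.5 203.0.113.50 443 795
1700000240 10.10.0.5 203.0.113.50 443 810
1700000300 10.10.0.5 203.0.113.50 443 799
1700000007 10.10.0.7 198.51.100.20 443 15000
1700000190 10.10.0.7 198.51.100.20 443 2200
1700000211 10.10.0.7 198.51.100.20 443 99000
1700000600 10.10.0.7 198.51.100.20 443 4100
1700000630 10.10.0.7 198.51.100.20 443 300
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst, port, _nbytes = line.split()
        flows[(src, dst, int(port))].append(int(ts))
    return flows


def beacon_candidates(flows, min_connections=5, max_cv=0.1):
    """Return [((src, dst, port), mean_gap_seconds, cv), ...] for flows that look timer-driven."""
    hits = []
    for key, stamps in flows.items():
        stamps = sorted(stamps)
        if len(stamps) < min_connections:
            continue                        # too few samples to judge regularity
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue                        # identical timestamps: bursts, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((key, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for key, avg, cv in beacon_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible beacon {key[0]} -> {key[1]}:{key[2]} every ~{avg}s (cv={cv})")
```

Real implants add jitter to defeat exactly this check, so in production the threshold is tuned per environment and combined with other signals (byte sizes, destination reputation, time of day) rather than used alone.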


Privilege Escalation & Lateral Movement

Usually when a pentester compromises a system it's through a low-privileged user account, because those are usually the easiest to get, but also the most limited. If the admin did a good job they won't have access to important data and it may seem like it was all for nothing, but that's where the privilege escalation and lateral movement step enters.

Entering through the door (or maybe more like through the broken window ;-) ) is a big part, but not the end. Privilege escalation is in fact one of the most important parts of the whole pentest! Once inside we must see "what can we do with what's given" and try to reach as far as we can (or as far as we were told in the agreement) until we get the ultimate result of full control of the system or even the network, AKA root. For this we may need to find the credentials of the admin account, or just an exploit that lets us act like it.

Privilege escalation is focused on obtaining the root/admin account starting from a low-privileged user on a system (escalation, going up!). Lateral movement is focused on checking how many of the network's systems/credentials the attacker can access, control or exploit, while also trying to zig-zag our way into a privilege escalation (lateral, going sideways!). Both techniques feed on each other: a credential found on one host often opens another, and admin rights on one host expose the credentials cached there for the rest.

Check the page Possible vectors for a more practical way to understand it.
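Before the escalation itself comes enumeration: what on this host is "given" to a low-privileged user. The following added example (not code from the original page) performs two classic read-only checks, listing SUID/SGID executables and PATH directories the current user can write to, and runs them against a constructed temporary directory tree that stands in for a target filesystem. The fixture's file names, permissions and the fake PATH are assumptions for the demonstration.

```python
"""Local privilege-escalation enumeration (added example, not the page's code).

Two read-only checks a low-privileged user can run on a host in scope:
  * SUID/SGID executables (they run with their owner's or group's rights)
  * writable directories on PATH (a dropped binary hijacks command lookups)
The demo tree built below is a constructed fixture, not a real target.
"""
import os
import stat
import tempfile


def find_setuid_binaries(root):
    """Return sorted paths of regular files under root with the SUID or SGID bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: do not follow symlinks out of the tree
            except OSError:
                continue                       # unreadable entries are normal for a low-priv user
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def writable_path_entries(path_value):
    """Return PATH entries the current user can write to."""
    writable = []
    for entry in path_value.split(os.pathsep):
        entry = entry or "."                   # an empty PATH entry means the current directory
        if os.path.isdir(entry) and os.access(entry, os.W_OK):
            writable.append(entry)
    return writable


def build_demo_tree():
    """Constructed fixture (assumption): a temp tree with one SUID binary, one plain binary
    and one world-writable directory."""
    base = tempfile.mkdtemp(prefix="privesc-demo-")
    bin_dir = os.path.join(base, "bin")
    os.makedirs(bin_dir)
    suid = os.path.join(bin_dir, "backup_tool")
    with open(suid, "w") as fh:
        fh.write("#!/bin/sh\necho demo\n")
    os.chmod(suid, 0o4755)                     # rwsr-xr-x: runs as its owner
    plain = os.path.join(bin_dir, "harmless")
    with open(plain, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(plain, 0o755)                     # no setuid bit, must not be reported
    loose = os.path.join(base, "loose")
    os.makedirs(loose)
    os.chmod(loose, 0o777)                     # world-writable directory we will put on PATH
    return base, suid, loose


def run_demo():
    """Run both checks against the fixture and return what they found."""
    base, suid, loose = build_demo_tree()
    # Fake PATH (assumption): a missing directory plus the world-writable one, with no real
    # system directories, so the result is the same whether or not you already run as root.
    fake_path = os.pathsep.join([os.path.join(base, "does-not-exist"), loose])
    return {
        "setuid": find_setuid_binaries(base),
        "writable_path": writable_path_entries(fake_path),
        "expected_suid": suid,
        "expected_dir": loose,
    }


if __name__ == "__main__":
    result = run_demo()
    print("SUID/SGID binaries:", result["setuid"])
    print("writable PATH entries:", result["writable_path"])
    # On a real host in scope you would call find_setuid_binaries("/") and
    # writable_path_entries(os.environ["PATH"]) instead of the fixture.
```

A hit in either list is a lead, not a result: a SUID binary still has to be one that can be abused (check what it executes and which files it reads), and a writable PATH directory only matters if a more privileged user or service actually runs commands with that PATH.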


Reporting & Remediation

Once the work is done and the agreement has ended it's time for the paperwork! While it's not the part that everyone necessarily enjoys the most, it's what the client truly paid for. The pentester has to deliver a document for the client's technical team, explaining all the findings, with evidence and reproduction steps for each one, and a technical guide on how to remediate them. Usually another is written in a more user-friendly way for the executive staff of the company, AKA the CEO. Both are of course fully confidential and need to be protected with care, especially until the vulnerabilities are patched. While it's presented as the last step, it usually starts at the beginning and is done in parallel with all the other steps. This offers the possibility to add screenshots of the process as it happens and alleviates the hard work at the end, as most of it is already done.

Public real pentest reports link.
