Penetration Testing

From Embedded Lab Vienna for IoT & Security


The Penetration Testing Execution Standard (PTES) divides a penetration test into seven phases. The PTES technical guidelines contain, in particular, practical suggestions for test procedures and recommendations for security tools.

The seven Phases

Pre-engagement Interactions

Setting the scope is arguably one of the most important components of a penetration test. While many volumes have been written on the tools and techniques that can be used to gain access to a network, very little has been written about the topic that precedes penetration: preparation. Neglecting the preparatory activities can leave the penetration tester (or their company) with a number of problems, such as an expansion of the project scope, dissatisfied customers, and even legal problems. The scope of a project defines exactly what should be tested; how each aspect of the testing is performed is covered by the rules of engagement. The question to ask the customer is: is there sensitive equipment that needs to be handled with care during testing? If the online banking site of a local bank goes down for a few hours, it might upset a few customers, but that would not be nearly as devastating as the compromise of a credit card database.


- Which IP addresses or hosts are in scope, and which are not?

- Are exploits that are likely to crash a service allowed, or should we limit ourselves to identifying possible vulnerabilities?

- Does the customer realize that even a simple port scan can crash a server or router?

- Are social engineering attacks allowed to be carried out?

- Are there specific time windows where the tests should be performed?

These are all questions that need to be clarified with the customer in order to avoid misunderstandings. It is equally important to define in writing all the information that is relevant to the penetration test. Each tester must have the authorization to perform a penetration test on the predefined target. If the target does not belong to the company (e.g., the web server is hosted by a third-party provider), it is important to ensure that the customer has formal authorization from the third party to perform the penetration test.
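The scope questions above (which addresses are in scope, which are carved out, which time windows apply, and whether written authorization exists) can be reduced to a machine-checkable gate that every scanning or exploitation step consults before it touches a target. The following Python is an added example, not part of the original page or of PTES; the networks, the excluded banking segment, the overnight window and the `EngagementScope` / `is_allowed` names are constructed assumptions standing in for what a real statement of work would contain.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class EngagementScope:
    """Written agreement with the customer, reduced to machine-checkable rules."""
    in_scope: List[str]                                  # authorised networks/hosts, CIDR notation
    excluded: List[str] = field(default_factory=list)    # carve-outs, e.g. sensitive equipment
    window: Optional[Tuple[time, time]] = None           # permitted testing hours; None = any time
    authorization_signed: bool = False                   # formal authorisation on file?

    def __post_init__(self) -> None:
        self._in_scope = [ip_network(n, strict=False) for n in self.in_scope]
        self._excluded = [ip_network(n, strict=False) for n in self.excluded]

    def check(self, target: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Log the reason with every action taken against a target."""
        if not self.authorization_signed:
            return False, "no signed authorization on file"
        try:
            addr = ip_address(target)
        except ValueError:
            # Hostnames are deliberately rejected: resolve them first and check the address,
            # so a DNS change cannot silently move a target out of scope.
            return False, f"{target!r} is not an IP address; resolve it and check the address"
        if any(addr in net for net in self._excluded):
            return False, f"{addr} is explicitly excluded from scope"
        if not any(addr in net for net in self._in_scope):
            return False, f"{addr} is not in any in-scope network"
        if self.window is not None:
            start, end = self.window
            t = now.time()
            # A window such as 22:00-06:00 wraps past midnight.
            inside = start <= t <= end if start <= end else (t >= start or t <= end)
            if not inside:
                return False, f"{t:%H:%M} is outside the agreed window {start:%H:%M}-{end:%H:%M}"
        return True, f"{addr} is in scope"


# Constructed sample agreement (hypothetical, not a real engagement): the customer's
# office network is in scope, the online-banking segment is carved out, and testing
# is only permitted overnight.
SAMPLE_SCOPE = EngagementScope(
    in_scope=["10.20.0.0/16"],
    excluded=["10.20.5.0/24"],
    window=(time(22, 0), time(6, 0)),
    authorization_signed=True,
)


def is_allowed(target: str, now: datetime, scope: EngagementScope = SAMPLE_SCOPE) -> bool:
    """Convenience wrapper: True only if every rule of the agreement is satisfied."""
    return scope.check(target, now)[0]


if __name__ == "__main__":
    cases = [
        ("10.20.1.4", datetime(2024, 1, 10, 23, 30)),   # in scope, inside window
        ("10.20.5.9", datetime(2024, 1, 10, 23, 30)),   # excluded segment
        ("192.0.2.10", datetime(2024, 1, 10, 23, 30)),  # never in scope
        ("10.20.1.4", datetime(2024, 1, 10, 14, 0)),    # in scope, but daytime
    ]
    for tgt, when in cases:
        print(tgt, when.strftime("%H:%M"), SAMPLE_SCOPE.check(tgt, when))
```

The gate returns a reason string alongside the verdict so that the engagement log records why each action was, or was not, taken; that log is what protects both tester and customer if a scope dispute arises later.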

Intelligence Gathering

Intelligence Gathering is the process of reconnoitering a target to gather as much information as possible that can be used against it in the vulnerability analysis and exploitation phases. The more information one can gather in this phase, the more attack vectors one can exploit later. Reconnaissance is carried out with tools such as port scanners to get a picture of which systems are on the Internet or the internal network and which services are running on them. Open Source Intelligence (OSINT) is a form of information gathering in which information from publicly available sources is searched, selected and analyzed to gain actionable insights.

Threat Modeling

Threat modeling is about identifying and communicating information about the threats that may impact a particular system or network. Security threat modeling enables an IT team to understand the nature of the threats and how they may impact the network. In addition, threat modeling can be used to analyze the dangers that threats pose to applications, taking into account their potential vulnerabilities. Based on the data found during intelligence gathering, one develops strategies to penetrate the customer's systems. For example, if the customer develops proprietary software, an attacker could disrupt the company by gaining access to the internal development systems where source code is developed and tested, and sell the company's trade secrets to a competitor.

Vulnerability Analysis

Vulnerability analysis is about discovering vulnerabilities in systems and applications that can be exploited by attackers. These vulnerabilities can range from misconfiguration of hosts and services to insecure application design. Pentesters then begin actively discovering vulnerabilities to determine how successful exploitation strategies might be. Failed exploits can crash services, trigger intrusion detection alerts, and otherwise ruin the chances of a successful exploit. At this stage, pentesters often deploy vulnerability scanners that include a vulnerability database. However, although vulnerability scanners are powerful tools, they cannot completely replace critical thinking; their results must therefore be reviewed manually.

Exploitation

The exploitation phase of a penetration test is exclusively about gaining access to a system or resource by bypassing security constraints. If the previous phase, vulnerability analysis, was properly conducted, this phase should be well planned: a precision strike. The main focus is to determine the main entry point into the organization and identify high-value targets.

Post Exploitation

The purpose of the post-exploitation phase is to determine the value of the compromised computer and to retain control of the computer for later use. If an unpatched legacy system is penetrated that is not part of a domain or otherwise networked with high-value targets, and that system holds no information of interest to an attacker, the risk of that vulnerability is significantly lower than if access to a domain controller has been demonstrated. The value of the computer is determined by the sensitivity of the data stored on it and the usefulness of the computer for further compromise of the network. The methods described in this phase are intended to help the auditor identify and document sensitive data, determine configuration settings, communication channels, and relationships with other network devices that can be used to gain further access to the network, and to establish one or more methods for subsequent access to the computer. For example, password hashes could be read to see if they can be used to access other systems.

Reporting

A pentester must produce a detailed report on the testing process and the vulnerabilities discovered. A penetration test report is the only tangible product of a pentest. The entire purpose of a penetration test is to identify vulnerabilities and security issues that the organization can address, and these are communicated via the report. Therefore, a penetration tester must ensure that they produce the best report possible. A good penetration test report includes a summary of the results and the approach taken, summarizes the vulnerabilities and their impact on the organization, and makes recommendations on how to fix them.