This article takes you through a brief and basic penetration test of any company which primarily focuses on the actual attack and the recording of information found, rather than on the formal contractual process that forms a necessary part of every penetration test.
1. Signing the Contract
Getting contracts signed is one of the most important step needed before a penetration test takes place. Without it, all actions against a company could be considered malicious and potentially illegal. All contracts should be signed by authorized personnel for both companies.
- The first section should highlight the personal details of both companies involved.
- The second clause should explain the obligations of each company, that is, the company performing the security test and the client.
- The third clause includes the timeline for the PT including Planning, Execution, Analysis and Presentation.
- The fourth clause explains how and when payments are made.
2. Setting the Rules of Engagement
Setting these rules helps to establish how much information the pen testers are given and what approaches are allowed during the test. This also helps to protect the pen testers from project scope creep.
You should include the following things in your ROE document.
- Roles with contact information
- Communication Plan
- Engagement Overview
- Pre-Engagement Checklist
- Change in Scope Management
3. Planning the Attack
The penetration testing team carries out this step. Its purpose can include the following:
- Gathering your team of personnel
- Collecting tools
- Planning an attack strategy
4. Gathering Information
This step is sometimes called “foot printing” the victim. It is where all relevant information about the company is gathered and used for later steps in an attempt to gain access.
List of popular Information Gathering Tools:
- Whois Domaintools
- Possible Sensitive Files
- Certificate Transparency
5. Scanning (Enumeration)
Scanning consists of searching and probing for systems and enumerating ports and applications running on them. This can also include enumerating user accounts and shared resources on computer systems.
Enumeration can be performed on the following.
- NetBios enumeration (Nbtstat, Superscan, Hyena, Winfingerprint, NetBIOS Enumerator)
- SNMP enumeration (OpUtils, Solarwinds, SNScan, SNMP Scanner, NS Auditor)
- LDAP enumeration (Softerra LDAP Administrator, Jxplorer, LDAP Admin Tool, LDAP Administrator Tool)
- NTP enumeration (Ntptrace, Ntpdc, Ntpq)
- SMTP enumeration (Netscan tools pro, SMTP User Enum)
- DNS enumeration (nslookup, DNS Dumpster, DNS Recon)
- Windows enumeration (psExec, Pskill, PsList, PsLogList, PsFile, PsGedSid)
- UNIX/Linux enumeration (Finger, Rpcinfo, Showmount, Enum4Linux, rpcclient)
Other Common Enumeration Tools:
- WPScan (For WordPress CMS)
- Cain and Abel
6. Gaining Access
This is the most exciting yet typically the most time consuming of all the steps. Gaining access might just fall into your lap, but more often it is a lengthy process. Hopefully in some cases, it will result in a failed attempt.
This step can contain almost any approach to gain access, such as the following:
- Access via the Internet
- Social Engineering
- Wireless Access
- Denial of Service (Dos)
- E-mail Attacks (spam)
- Viruses, Worms and Trojans
- Dumpster Diving
7. Maintaining Access
After the penetration testing team gains access, they might need to return to complete more testing. This step includes the installation of backdoor-style applications to allow an easier return into the system for further penetration attempts.
Suggested Read Articles:
- A to Z – Web Vulnerabilities Index – OWASP Standard
- A to Z – Cyber Security Tools Collection
- A to Z Infosec Awareness Titles and Mottos
This also simulates a scenario where backdoors have been maliciously installed and assesses whether current security measures are likely to detect them.
8. Covering Tracks
This step allows the penetration testers to attempt to clear all traces of the attack just like a highly skilled hacker would.
You should clean the following kind of the information:
- Cache and history
- Chat logs produced by instant messengers
- Clearing event logs
- Erassing or Shredding command history
This is the final stage in penetration test in which an attack clears all the changes made by himself in the target systems and returns the system and all hosts to the precise configurations as they are before conducting penetration test.
9. Writing the Report
This step allows the team to assemble its findings into a document. This is the product that is presented to the customer. This step consumes a significant part of the time taken for the penetration test as a whole. Sometimes the client retains the only copy of this document, which summarizes the information collected in the previous steps.
Here is the list of some sample PT report templates which you can take as a reference while writing the PT report for your client.
- Primoconnect Sample PT Report
- Offensive Security Penetration Test Report
- Purlplesec Sample Penetration Test Report
- TBG Security Sample PT Report
- Rhino Security Lab Example PT Report
- PulsarWeb PT Test (Sample Report)
- TVS Sample PT Report
- Pentest Hub Penetration Testing Report
- TCM Security Sample Pentest Report
- HighBit Sample PT Report
- DataArt Web Application PT Report
- Red Team Network PT Report
You can also go through this SANS PDF document guide on writing the PT report. This document explains the PT report writing methodology, based on the author’s experiences, describing the report content and design.
10. Presenting and Planning the Follow-Up
After the team completes the tests and presents them to the customer, it should schedule a follow-up test on a recurring basis to ensure that the customer does not become vulnerable to future exploits and weaknesses that might occur.