Last Updated on 23 March 2022 by Alastair Digby
A well-executed penetration test is one of the best ways to find security weaknesses and uncover dangerous vulnerabilities lurking in your IT environment. In a pen test, professional ethical hackers carry out authorised, simulated attacks on different aspects of your network infrastructure, including web applications, mobile apps, your internal network, and Internet-facing assets.
Regardless of the particular focus of a given penetration test, a five-phase approach is the go-to for an effective security testing program. But what are the 5 stages of penetration testing? Keep reading to get a breakdown of what each stage involves and how those stages contribute to the usefulness of the test.
Table of contents
- The 5 Stages of Penetration Testing
- Gaining Access
- Maintaining Access
- Report Generation
- Closing Thoughts
The 5 Stages of Penetration Testing
Here is an outline of each penetration testing stage to help you better understand the process
Testing types vary in how much information the ethical hacker receives beforehand. In a blind or black box test, the strategy is to not give the ethical hacker any information other than the name of your business so that you can best approximate real-world attack scenarios. In a white box test, the testing team gets fully informed about the internal makeup of the system, web application, or network being tested. Grey box tests lie in the middle of these extremes by providing some limited information to the testing team.
Reconnaissance involves efforts by pentesters to gather information about the target system being tested. All types of pen tests call for some degree of reconnaissance, but black box and grey box tests obviously require more information gathering. Generally, you can further divide reconnaissance into two forms:
- Passive reconnaissance makes use of observing publicly available information about a company’s employees or network environment without directly interacting with the systems, apps, users, or networks in the environment. Hackers glean this information from online databases, Google searches, social media platforms, by browsing the company website, and even from dark web forums where employee usernames or passwords may be available.
- Active reconnaissance directly engages with a target to gather information that may make it easier to breach. This type of information gathering involves using network vulnerability scanners and even social engineering tactics, such as phishing.
Reconnaissance is a critical step that’s important not to overlook or downplay in the testing process. Testers need to probe for as much information as they can in order to best replicate how real-world threat actors operate and plan their attacks.
The scanning phase of a penetration test attempts to expand the testers’ view of your infrastructure using a slew of different tools. This phase essentially functions as an extended form of information gathering but with the possibility of also finding “low hanging fruit” vulnerabilities to exploit. The types of scans you can expect a good pentester to use during this phase include:
- Port scanning tools like Nmap to find open ports in your environment
- Pings, traceroute commands, and network mappers to map out the topology of hosts, IP addresses, firewalls, routers, and operating systems on the network
- Vulnerability scanners to find misconfigurations, default passwords, and vulnerabilities that can provide access to a system
- Static and dynamic web application analysis to understand an app’s source code, performance, and behaviour.
The additional and more in-depth information gathered during the scanning phase proves invaluable in later phases of the test engagement.
3. Gaining Access
Gaining access is sometimes referred to as exploitation because this is the phase where testers use the information at their disposal to attack and breach the target system. Since many potential entry points ultimately prove unfruitful, the exploitation phase calls for patience and persistence from the ethical hacker.
Skilled pen testers employ a range of attack vectors in an effort to gain access to a network, app, or system. These vectors include code injection, social engineering, network-based attacks, and web application exploits.
Toolkits like Cobalt Strike and Metasploit feature heavily in the gaining access phase of penetration tests by assisting with exploiting weaknesses. Unfortunately, many threat actors purchase these toolkits for their own nefarious uses.
Successfully gaining access may or may not provide administrative control over the infiltrated device or system. It’s for this reason that the exploitation stage often extends to privilege escalation. The tester tries to find further vulnerabilities that provide complete control over the host system. Thorough testers will also pivot from an affected system and show how compromising one system can be used to attack other systems in your environment.
4. Maintaining Access
After gaining initial access, ethical hackers then attempt to establish persistence in your environment and maintain that access until they exploit it to its fullest possible extent. Maintaining access often requires installing trojan horses, backdoors, keyloggers, rootkits, and other forms of malware on compromised hosts. These malicious scripts and software can be installed on user systems, web services, apps, and more.
Real-world threat actors regularly lurk undetected inside a network environment for weeks or even months before achieving their goal, whether that’s gathering intelligence, exfiltrating data, or locking down systems and demanding a ransom. In the now-infamous Solarwinds attack, hackers managed to roam networks, including some belonging to the US government, for nine months while evading detection. To maintain access, the Solarwinds hackers used a DLL backdoor script.
While time constraints obviously limit an ethical hacker from maintaining access for nine months, the point of this stage is to not only show that it’s possible to exploit particular vulnerabilities in your target systems, but also that adversaries could feasibly maintain access and cause even more damage.
5. Report Generation
Generating a clear and actionable report is arguably the most important part of the test for your security team in strengthening the security of your organization’s network. The recommendations and findings in a pen test report provide the information needed to prevent future attacks. The report should include all identified vulnerabilities along with measurements that rank their potential impact and a timeline for remediation.
Since other stakeholders beyond security teams might need a pen test report, it’s important that the testers you hire are able to tailor their reports to different audiences. This might mean simply providing an executive summary that highlights key report findings and business impacts without going into technical details.
A hurried approach to reporting reveals itself in an imprecise, confusing document that doesn’t help your business improve its cyber defences. Ethical hackers who combine the ability to use technical tools with strong reporting skills are worth searching for.
Penetration tests shouldn’t just be performed as a box to tick in your yearly security or compliance checklist. But even with a more frequent testing approach, you need fast remediation capabilities. Informer’s platform provides you with real-time penetration testing results so that you can address vulnerabilities before malicious parties exploit them. Flexible and customisable reports give you enhanced reporting tools to serve any audience that cares about the test results.