Penetration Test Process
5 Step Process
- Scoping
- Recon
- Discovery
- Exploitation
- Reporting

Scoping
- First, determine the scope of what you're testing against.
  - E.g. all assets, or only certain IPs
- The organization might restrict your testing to test or quality assurance (QA) environments only, to prevent impact on production systems
- It might also provide rules of engagement
  - Rules may specify the times of day at which testing must take place, the procedures testers should follow if they uncover a severe vulnerability, etc.
  - Rules will vary from engagement to engagement
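As an added example (not part of the original notes), the scope and rules-of-engagement constraints above can be encoded so that tooling refuses to run against anything the client did not authorise. The CIDR ranges, the production carve-out and the 22:00-06:00 UTC testing window below are all constructed for illustration; `RulesOfEngagement` and `check_target` are hypothetical names.

```python
"""Scope / rules-of-engagement guard (added example, not from the notes).

Assumptions (constructed): the authorised scope is a list of CIDR ranges,
production ranges are carved out as exclusions, and testing is only allowed
inside a daily window expressed in UTC. Timestamps must carry a UTC offset.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list                                  # authorised CIDR ranges
    excluded: list = field(default_factory=list)    # carve-outs, e.g. production
    window_start: time = time(0, 0)                 # testing window, UTC
    window_end: time = time(23, 59, 59)

    def host_in_scope(self, host: str) -> bool:
        """Exclusions win over inclusions: a carved-out host is never in scope."""
        addr = ip_address(host)
        if any(addr in ip_network(c) for c in self.excluded):
            return False
        return any(addr in ip_network(c) for c in self.in_scope)

    def time_allowed(self, when: datetime) -> bool:
        """True if `when` (timezone-aware) falls inside the UTC testing window."""
        local = when.astimezone(timezone.utc).time()
        if self.window_start <= self.window_end:
            return self.window_start <= local <= self.window_end
        # window crosses midnight, e.g. 22:00-06:00
        return local >= self.window_start or local <= self.window_end


def check_target(roe: RulesOfEngagement, host: str, when_iso: str):
    """Return (allowed, reason). `when_iso` is an ISO 8601 timestamp with offset."""
    when = datetime.fromisoformat(when_iso)
    if when.tzinfo is None:
        return False, "timestamp must carry a UTC offset"
    try:
        in_scope = roe.host_in_scope(host)
    except ValueError:
        return False, f"{host!r} is not a valid IP address"
    if not in_scope:
        return False, f"{host} is outside the authorised scope"
    if not roe.time_allowed(when):
        return False, f"{when_iso} is outside the testing window"
    return True, "ok"


# Constructed sample engagement: one /16 authorised, the production /24 excluded,
# testing only permitted overnight (22:00-06:00 UTC).
ROE = RulesOfEngagement(
    in_scope=["10.10.0.0/16"],
    excluded=["10.10.1.0/24"],
    window_start=time(22, 0),
    window_end=time(6, 0),
)

if __name__ == "__main__":
    for host, when in [
        ("10.10.5.4", "2024-01-01T23:00:00+00:00"),   # in scope, inside window
        ("10.10.1.7", "2024-01-01T23:00:00+00:00"),   # production carve-out
        ("10.10.5.4", "2024-01-01T12:00:00+00:00"),   # daytime, outside window
        ("10.10.5.4", "2024-01-02T05:30:00+02:00"),   # 03:30 UTC, inside window
    ]:
        print(host, when, check_target(ROE, host, when))
```

The check is deliberately conservative: an exclusion overrides an inclusion, an unparseable host or a naive timestamp is refused rather than guessed at, and the midnight-crossing window is handled explicitly because that is the shape most "out of hours" rules take.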
Reconnaissance
Reconnaissance, or recon, is the research you conduct before attempting any attacks against a target.
- Can involve:
  - searching the internet for information about the target environment or company
  - looking through job listings for mentions of specific technologies
  - researching a technology you know the company to be using
  - etc.
- Often a passive activity, i.e. it does not interact directly with the target's systems
Discovery
The discovery phase of the penetration test begins the active testing stage.
- Likely run your vulnerability assessment tools
- Go over the results
- Look for open ports and services on hosts, to detect any running services that could be vulnerable to attack
- You might conduct additional research and recon based on the specific information collected
Exploitation
This phase involves attempting to exploit the vulnerabilities you detected.
- May include:
  - attacking vulnerabilities
  - chaining multiple vulnerabilities together to penetrate deeper into the environment
- May prompt additional research and recon
Reporting
- Carefully document what you discovered and the exact steps needed to reproduce the attacks you successfully carried out
- This illustrates one of the key differences between vulnerability assessment and penetration testing:
  - While a vulnerability assessment may produce a list of potential vulnerabilities in the environment, the tools can't guarantee that an attacker will actually be able to exploit them
  - In penetration testing, the tester reports only the issues that resulted in an actionable attack against the system or that have a high chance of being exploited
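As an added example (not part of the original notes), the reporting rule above can be enforced in the findings pipeline itself: scanner-only hits are kept out of the report, and any finding marked as exploited must carry the exact reproduction steps the notes ask for. The `Finding` record, the status vocabulary and the sample findings below are all constructed for illustration.

```python
"""Pentest findings report: keep only what was demonstrated (added example).

Assumptions (constructed): each finding has a status of "exploited" (an
actionable attack was carried out), "likely_exploitable" (strong evidence,
high chance of exploitation) or "scanner_only" (a vulnerability-assessment
hit that was never confirmed). Only the first two reach the report.
"""
from dataclasses import dataclass, field

EXPLOITED = "exploited"
LIKELY = "likely_exploitable"
SCANNER_ONLY = "scanner_only"

REPORTABLE = {EXPLOITED, LIKELY}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    title: str
    host: str
    status: str
    severity: str
    repro_steps: list = field(default_factory=list)   # exact steps to reproduce
    evidence: str = ""                                 # what the tester observed


def is_valid(f: Finding) -> bool:
    """An exploited finding without reproduction steps cannot be verified or
    fixed by the client, so it is rejected rather than reported half-done."""
    if f.status not in (EXPLOITED, LIKELY, SCANNER_ONLY):
        return False
    if f.severity not in SEVERITY_RANK:
        return False
    if f.status == EXPLOITED and not f.repro_steps:
        return False
    return True


def select_reportable(findings):
    """Drop scanner-only hits and malformed records; order by severity."""
    kept = [f for f in findings if is_valid(f) and f.status in REPORTABLE]
    return sorted(kept, key=lambda f: SEVERITY_RANK[f.severity])


def render_report(findings) -> str:
    """Render the reportable findings as plain Markdown text."""
    lines = ["# Findings", ""]
    for n, f in enumerate(select_reportable(findings), 1):
        lines.append(f"## {n}. [{f.severity.upper()}] {f.title} ({f.host})")
        lines.append(f"Status: {f.status}")
        if f.evidence:
            lines.append(f"Evidence: {f.evidence}")
        if f.repro_steps:
            lines.append("Reproduction:")
            lines.extend(f"  {i}. {step}" for i, step in enumerate(f.repro_steps, 1))
        lines.append("")
    return "\n".join(lines)


# Constructed sample findings from a fictional engagement
SAMPLE = [
    Finding("Default credentials on admin console", "10.10.5.4", EXPLOITED, "high",
            repro_steps=["Browse to the admin login page",
                         "Log in with the vendor default account"],
            evidence="Administrative session obtained"),
    Finding("Outdated web server banner", "10.10.5.9", SCANNER_ONLY, "medium",
            evidence="Scanner flagged the version string; no working attack path found"),
    Finding("Missing authorization check on export endpoint", "10.10.5.4", LIKELY, "critical",
            evidence="Endpoint returns other users' records when the record ID is changed"),
    Finding("Exploited but undocumented", "10.10.5.2", EXPLOITED, "low"),  # rejected: no steps
]

if __name__ == "__main__":
    print(render_report(SAMPLE))
```

Running the block prints two findings, critical first, and silently omits the scanner-only banner hit and the undocumented "exploited" record; in practice the rejected record should be surfaced to the tester so the missing steps get written up, not lost.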