Penetration Testing Process

A pentest aims to uncover and identify ALL vulnerabilities in the systems under investigation and
improve the security for the tested systems.

Types of Penetration Testing

Type Information Provided
Blackbox Minimal. Only the essential information, such as IP addresses and domains, is
provided.
Greybox Extended. In this case, we are provided with additional information, such as
specific URLs, hostnames, subnets, and similar.
Whitebox Maximum. Here everything is disclosed to us. This gives us an internal view of the
entire structure, which allows us to prepare an attack using internal information.
We may be given detailed configurations, admin credentials, web application
source code, etc.
Red- May include physical testing and social engineering, among other things. Can be
Teaming combined with any of the above types.
Purple- It can be combined with any of the above types. However, it focuses on working
Teaming closely with the defenders.
Stage | Description

1. Pre-Engagement The first step is to create all the necessary documents in the pre-engagement
phase, discuss the assessment objectives, and clarify any questions. 2. Information Gathering
Once the pre-engagement activities are complete, we investigate the company's existing website
we have been assigned to assess. We identify the technologies in use and learn how the web
application functions. 3. Vulnerability Assessment With this information, we can look for known
vulnerabilities and investigate questionable features that may allow for unintended actions. 4.
Exploitation Once we have found potential vulnerabilities, we prepare our exploit code, tools, and
environment and test the webserver for these potential vulnerabilities. 5. Post-Exploitation Once
we have successfully exploited the target, we jump into information gathering and examine the
webserver from the inside. If we find sensitive information during this stage, we try to escalate
our privileges (depending on the system and configurations). 6. Lateral Movement If other
servers and hosts in the internal network are in scope, we then try to move through the network
and access other hosts and servers using the information we have gathered. 7. Proof-of-Concept
We create a proof-of-concept that proves that these vulnerabilities exist and potentially even
automate the individual steps that trigger these vulnerabilities. 8. Post-Engagement Finally, the
documentation is completed and presented to our client as a formal report deliverable.
Afterward, we may hold a report walkthrough meeting to clarify anything about our testing or
results and provide any needed support to personnel tasked with remediating our findings.

Penetration Testing Phases

1. Pre-Engagement

The entire pre-engagement process consists of three essential components:

1. Scoping questionnaire
2. Pre-engagement meeting
3. Kick-off meeting Before any of these can be discussed in detail, a Non-Disclosure Agreement
(NDA) must be signed by all parties. There are several types of NDAs:

Type Description
Unilateral NDA This type of NDA obligates only one party to maintain
confidentiality and allows the other party to share the
information received with third parties.
Bilateral NDA In this type, both parties are obligated to keep the resulting and
acquired information confidential. This is the most common type
of NDA that protects the work of penetration testers.
Multilateral NDA Multilateral NDA is a commitment to confidentiality by more than
two parties. If we conduct a penetration test for a cooperative
network, all parties responsible and involved must sign this
document.
Document Timing for Creation
1. Non-Disclosure After Initial Contact
Agreement (NDA)
2. Scoping Questionnaire Before the Pre-Engagement Meeting
3. Scoping Document During the Pre-Engagement Meeting
4. Penetration Testing During the Pre-engagement Meeting
Proposal (Contract/Scope
of Work (SoW))
5. Rules of Engagement Before the Kick-Off Meeting
(RoE)
6. Contractors Agreement Before the Kick-Off Meeting
(Physical Assessments)
7. Reports During and after the conducted Penetration Test

2. Information Gathering

We can obtain the necessary information relevant to us in many different ways. However, we can
divide them into the following categories:

Open-Source Intelligence
Infrastructure Enumeration
Service Enumeration
Host Enumeration The more precise this information is, the easier it will be to disguise our
attacks (Evasive Testing).

3. Vulnerability Assessment

An analysis is a detailed examination of an event or process, describing its origin and impact,
that with the help of certain precautions and actions, can be triggered to support or prevent
future occurrences.

Analysis Type | Description

Descriptive Descriptive analysis is essential in any data analysis. On the one hand, it describes a
data set based on individual characteristics. It helps to detect possible errors in data collection
or outliers in the data set.

Diagnostic Diagnostic analysis clarifies conditions' causes, effects, and interactions. Doing so
provides insights that are obtained through correlations and interpretation. We must take a
backward-looking view, similar to descriptive analysis, with the subtle difference that we try to
find reasons for events and developments.

Predictive By evaluating historical and current data, predictive analysis creates a predictive
model for future probabilities. Based on the results of descriptive and diagnostic analyses, this
method of data analysis makes it possible to identify trends, detect deviations from expected
values at an early stage, and predict future occurrences as accurately as possible.

Prescriptive Prescriptive analytics aims to narrow down what actions to take to eliminate or
prevent a future problem or trigger a specific activity or process.

4. Exploitation

During the Exploitation stage, we look for ways that these weaknesses can be adapted to our use
case to obtain the desired role (i.e., a foothold, escalated privileges, etc.)

Once we have found one or two vulnerabilities during the Vulnerability Assessment stage that we
can apply to our target network/system, we can prioritize those attacks. Which of those attacks
we prioritize higher than the others depends on the following factors:

Probability of Success
Complexity
Probability of Damage

5. Post-Exploitation

The Post-Exploitation stage aims to obtain sensitive and security-relevant information from a
local perspective and business-relevant information that, in most cases, requires higher
privileges than a standard user. This stage includes:

1. Evasive Testing
2. Information Gathering
3. Pillaging --> we examine the role of the host in the corporate network
4. Vulnerability Assessment
5. (Privilege) Exploitation
6. Persistence --> once we have an overview of the system, our immediate next step is
maintaining access to the exploited host. This way, if the connection is interrupted, we can still
access it.
7. Data Exfiltration --> we will often be able to find, among other things, considerable personal
information and customer data.

6. Lateral Movement

The goal here is that we test what an attacker could do within the entire network. After all, the
main goal is not only to successfully exploit a publicly available system but also to get sensitive
data or find all ways that an attacker could render the network unusable.

In this stage, we want to test how far we can move manually in the entire network and what
vulnerabilities we can find from the internal perspective that might be exploited. We again run
through:

1. Pivoting
2. Evasive Testing
3. Information Gathering
4. Vulnerability Assessment
5. (Privilege) Exploitation
6. Post-Exploitation

7. Proof-of-Concept

Proof of Principle is a project management term. In project management, it serves as proof that
a project is feasible in principle.

8. Post-Engagement

Post-engagement in penetration testing refers to the activities that occur after the active testing
phase. This phase is crucial for ensuring that the value of the penetration test is fully realized.
Here’s what typically happens during post-engagement:

1. **Data Analysis**: The data gathered during the penetration test is analyzed to identify and
understand the vulnerabilities, the methods used to exploit them, and the potential impact on
the organization.
2. **Reporting**: A comprehensive report is created detailing the vulnerabilities found, the
exploitation methods, and the potential risks. The report should be clear and actionable,
providing prioritized recommendations for remediation.
3. **Risk Analysis**: The risks associated with the identified vulnerabilities are assessed to help
the organization prioritize which issues to address first based on their potential impact.
4. **Debriefing**: A meeting with the stakeholders to discuss the findings, the implications of the
vulnerabilities, and the recommended next steps.
5. **Remediation**: The organization begins the process of patching the vulnerabilities and
implementing the recommended security measures.
6. **Re-Testing**: After remediation efforts are completed, it may be necessary to perform a re-
test to ensure that the vulnerabilities have been effectively addressed and that no new issues
have been introduced.
7. **Documentation**: All the steps taken, from the initial findings to the final remediation, should
be documented to improve future security measures and for compliance purposes.
8. **Follow-Up**: Continuous communication between the penetration testers and the
organization to ensure that all recommendations are understood and implemented correctly.