Penetration Testing Explained Step-By-Step
In 2014, Telegram introduced the bug bounty program, inviting hackers to test Telegram’s impenetrable security system. The prize ranged from $500 to $200,000 for those who could expose bugs or vulnerabilities.
For penetration testers, this is an opportunity to land their dream job. Penetration testing has become a hot trend in the 2010s, with the digitization of companies opening new and simpler possibilities for hacking. Security has taken center stage with the change in how we build and use computer systems. Even though nobody is 100% safe from hacker attacks, companies actively perform these penetration tests to understand the issues they are faced with on the internet.
Pen-testing is considered ethical hacking. The process itself involves several stages, which we will outline in this article. We will also talk about some tools that pentesters can use to greatly simplify the process.
The first phase of penetration testing is, of course, preparation. Lots of newbies overlook this essential step. Before doing any pen testing, the client must outline what they want to be tested and using what methods. In simple terms, this is defining the test’s scope.
The client may ask you to perform network wireless and wired test, or maybe they’re only interested in social engineering tests. Once you’ve defined your goal, get the in-scope targets from your client. It will show you which networks and IP addresses are in range, and which are not.
You want explicit directions, as accidentally taking down a critical system that’s out of range can have drastic consequences.
The final part of the prep-stage is outlining the expectations, legal implications, finalizing the goals, etc. You want to make sure that the client gives you freedom from liability, so you don’t end up responsible for hacking their system.
After outlining the scope and the objectives in a contract, you’ll have to review the contract with a legal counsel. They will ensure that the deal is clean. Once you are fully legally covered, you can get straight to business.
Reconnaissance or Open Source Intelligence (OSINT) Gathering
The first step in penetration testing is gathering intelligence on your organization and potential targets. This is called Reconnaissance or Open Source Intelligence (OSINT).
Depending on the test, your pentester might have different kinds of information about your organization. They may need to identify crucial information to find vulnerabilities and entry points to exploit.
Here are some of the common intelligence gathering techniques:
- Search engine queries;
- Domain name searches/ WHOIS lookup;
- Social Engineering;
- Tax Records;
- Internet Footprinting – email addresses, usernames, social networks;
- Internal Footprinting – Ping sweeps, port scanning, reverse DNS, packet sniffing;
- Dumpster Diving;
To find open entry ports and identify vulnerabilities in the organization, a pentester uses an exhaustive checklist. However, this step can be simplified by using services like Spyse, where the pentester can operate this checklist without having a million different tools and services open. The Spyse search engine collects, processes and hands users aggregated data about network elements using OSINT methods. This data is presented in a clean, user-friendly format.
Discovering and Scanning
The next step in penetration testing is understanding the target application and seeing how it will respond to different intrusion attempts. It can be done using:
- Static analysis – Understanding the behavior of the application by inspecting its code, estimating how the application will behave while running;
- Dynamic analysis – Inspecting the code as the application is running. This is the more practical approach because it gives a real-time view into the application’s code;
The next stage is using web application attacks. This includes cross-site scripting, SQL injection, and backdoors, and it fully uncovers the vulnerabilities present in the system. After the weaknesses are exposed, testers try to exploit them by doing everything a hacker would do. Changing privileges, stealing essential data, intercepting, and re-routing traffic — these are all common practice during a penetration test. This helps the tester understand the kind of damage they can cause to the network.
The pentester needs to see whether the attacker can gain a persistent presence in the exploited system — a presence long enough to grant them full, in-depth access. The goal of this stage is to imitate these persistent threats. These threats are dangerous, as attackers can remain in your system for prolonged periods of time (up to several months) to steal your organization’s most sensitive data.
After the long process of setting up, the pentester finally gets to exploit the system and deal the damage. They will try to access data, find ways to compromise the system, and launch dos attacks. This phase can cause lots of mayhem on the network. Therefore it’s usually controlled in penetration testing, and most pentesters use the dummy flag method rather than working with sensitive data.
If you’ve ever played “Capture the Flag” mode in video games, this will be familiar. Usually, a dummy flag is placed in the critical zone (which could be the database), and the goal of the exploitation phase is for the pentester to get the flag. Sometimes, merely revealing the contents of the flag is enough for practical exploitation and data theft.
Evidence Collection and Report Generation
After the penetration test is done, the results are compiled into a report. The report details:
- All the vulnerabilities exploited during the test;
- Sensitive data accessed during the test;
- Amount of time that the pentester remained in the system undetected;
With these results, it’s the management’s decision on whether this risk should be addressed. Usually, ignoring it is a bad option because if a pentester was able to exploit vulnerabilities, it means the system is not secure and will be targeted by hackers.