As an ethical hacker performing a pentest, you must follow rules and work through a process step by step to be efficient. The different phases are briefly explained below.
Agreement
The first step of a penetration test is to write an agreement, a kind of pre-engagement document covering the legal requirements and the rules of the test. It must be signed by both parties before the analysis starts. Some important points have to be defined with your client:
- the scope: IP ranges, URLs, servers…
- the method used: white, grey or black box
- the start date and the end date
- the forbidden techniques: denial of service, social engineering…
> Read the agreement example by TrueSec
Information gathering & Scan
The more information you have about the target, the greater the chance of a successful exploitation.
The next step is probably the most important one for you: it is all about gathering (useful) information related to the scope defined previously. Every piece of information matters and, because of the volume, has to be logged and classified somewhere. There are two ways to gather information:
- Active: you interact directly with the target, which means each test can be noisy; you can be detected and blacklisted if a firewall is well configured. Good for finding open ports, service versions, hidden paths…
- Passive: you use online resources such as forums, social networks or search engines, without touching the target. Good for finding administrator names, e-mail addresses, IP addresses…
Automated tools are commonly used here because they carry a database of common vulnerabilities and common paths.
You now have a lot of information about your target(s): the services and their versions, open ports, operating systems, usernames… It is time to identify potential vulnerabilities before exploitation. Automated scanners and online tools are commonly used for that, but verify what they report: a scanner mostly matches version strings and will produce false positives.
Once you have drafted a list of potential entry points, you are ready for the next step.
Exploitation
This is the most fun phase. You probably found several weaknesses during the reconnaissance phase; now you will target them all, taking care not to damage or destroy anything. A good idea is to back up all sensitive data before performing any attack. Another point you must consider is the disallowed-techniques section of the agreement: don't waste your time on something that is out of scope… Exploitation can be:
- Server side: in a remote exploitation you try to exploit the server or the network of your target.
- Client side: the "weakest link in the chain", i.e. the human, for instance through malicious links, phishing, malicious PDF documents and so on… Check the agreement first: phishing is social engineering, which the client may have forbidden.
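The scope and forbidden-technique clauses of the agreement, and the "don't waste your time on something out of scope" rule of the exploitation phase, as an added example that is not code from the original article: a rules-of-engagement check to run before every scan or attack. AGREEMENT holds constructed values (TEST-NET ranges, example.com, made-up dates); a real engagement loads them from the signed document. The check also covers the case the agreement's scope list does not make obvious: a DNS name that is in scope may resolve to an address the client does not own.

```python
"""Rules-of-engagement check: refuse targets, dates and techniques the signed
agreement does not cover.

Added example, not from the original article. AGREEMENT holds constructed values
(TEST-NET ranges, example.com, made-up dates); a real engagement loads them from
the signed document and runs check_action() before every scan or attack.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class Agreement:
    ip_ranges: tuple       # CIDR blocks the client owns and authorised
    domains: tuple         # DNS names in scope, including their subdomains
    method: str            # "white", "grey" or "black" box
    start: date            # first day of the test window
    end: date              # last day of the test window
    forbidden: frozenset   # techniques excluded by the client, lower-case


AGREEMENT = Agreement(
    ip_ranges=("203.0.113.0/28", "198.51.100.16/30"),
    domains=("example.com",),
    method="grey",
    start=date(2024, 3, 4),
    end=date(2024, 3, 15),
    forbidden=frozenset({"denial of service", "social engineering"}),
)


def _is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def ip_in_scope(agreement, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(block, strict=False) for block in agreement.ip_ranges)


def name_in_scope(agreement, name):
    """Exact match or subdomain of an agreed domain; 'example.com.attacker.test' is neither."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in agreement.domains)


def check_action(agreement, target, technique, today, resolved_ip=None):
    """Return (allowed, reason); every refusal names the clause that blocks it.

    today may be a date or an ISO string. For a DNS-name target, pass the address
    it resolves to as resolved_ip: a name in scope can point at a host the client
    does not own (CDN, shared hosting), and that host is out of scope.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if not agreement.start <= today <= agreement.end:
        return False, f"{today} is outside the agreed window {agreement.start}..{agreement.end}"
    if _is_ip(target):
        if not ip_in_scope(agreement, target):
            return False, f"{target} is not in the agreed IP ranges"
    else:
        if not name_in_scope(agreement, target):
            return False, f"{target} is not in the agreed domains"
        if resolved_ip is not None and not ip_in_scope(agreement, resolved_ip):
            return False, f"{target} resolves to {resolved_ip}, outside the agreed IP ranges"
    if technique.lower() in agreement.forbidden:
        return False, f"'{technique}' is forbidden by the agreement"
    return True, "allowed"


if __name__ == "__main__":
    for target, technique, ip in (
        ("203.0.113.7", "port scan", None),
        ("203.0.113.20", "port scan", None),
        ("www.example.com", "web app test", "192.0.2.9"),
        ("203.0.113.7", "Denial of Service", None),
    ):
        print(target, technique, check_action(AGREEMENT, target, technique, "2024-03-10", ip))
```

The refusal message always quotes the clause, so the log of refused actions doubles as evidence that the rules were respected if a client ever questions a test.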
Post-exploitation
The goal of this phase is to keep control of the compromised system. Is there a way to hide a backdoor somewhere, escalate privileges and pivot into the internal network? Most of the time you will run into defenses you could not discover during the information-gathering step; adaptation is the key here.
There are many rootkits available, in different languages and for all platforms. You would use one so that you don't have to redo the exploitation phase again and again; it is a kind of shortcut. Record every backdoor or account you leave behind, and remove them at the end of the engagement.
Reporting
This is the last part of your test and the most important one for your client. You have to explain the results keeping in mind that people from different backgrounds with different skills will read the report (CEO, security manager, developers…). The following topics must be covered:
- Technical details
- Annex if needed
A nice way to present your findings is simply to add one or two charts.
Some automated tools, such as Acunetix or Nessus, can generate reports with links and graphics.
> See the Offensive security report example
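The chart and the per-audience presentation described above, as an added example that is not code from the original article: the same findings list is rendered as a text bar chart by severity (the picture a CEO needs) and as a table ordered worst-first with affected hosts (what developers work from). FINDINGS, the severity scale and the hosts are constructed for illustration.

```python
"""Summarise findings by severity for the report.

Added example, not from the original article. FINDINGS is a constructed sample;
the severity scale and the hosts are made up for illustration.
"""
SEVERITY_ORDER = ("critical", "high", "medium", "low", "info")

FINDINGS = [
    {"id": "F-01", "title": "Telnet service exposed", "severity": "high", "hosts": ["203.0.113.11"]},
    {"id": "F-02", "title": "Database reachable from the Internet", "severity": "critical", "hosts": ["203.0.113.11"]},
    {"id": "F-03", "title": "FTP transmits credentials in clear text", "severity": "medium", "hosts": ["203.0.113.10"]},
    {"id": "F-04", "title": "Missing HTTP security headers", "severity": "low", "hosts": ["203.0.113.10", "203.0.113.13"]},
    {"id": "F-05", "title": "Server version disclosed in banner", "severity": "low", "hosts": ["203.0.113.10"]},
    {"id": "F-06", "title": "Directory listing enabled", "severity": "info", "hosts": ["203.0.113.10"]},
]


def count_by_severity(findings):
    """Zero-filled counts in SEVERITY_ORDER; an unknown severity raises instead of vanishing."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        if f["severity"] not in counts:
            raise ValueError(f"{f['id']}: unknown severity {f['severity']!r}")
        counts[f["severity"]] += 1
    return counts


def bar_chart(counts, width=20):
    """Plain-text bars scaled to the largest bucket, one line per severity."""
    biggest = max(counts.values()) or 1  # avoid dividing by zero on an empty report
    return "\n".join(
        f"{sev:<9}{'#' * round(n * width / biggest):<{width}} {n}" for sev, n in counts.items()
    )


def findings_table(findings):
    """Markdown table ordered worst-first, then by id, with the affected hosts."""
    rank = {s: i for i, s in enumerate(SEVERITY_ORDER)}
    rows = sorted(findings, key=lambda f: (rank[f["severity"]], f["id"]))
    lines = ["| ID | Severity | Finding | Hosts |", "|---|---|---|---|"]
    lines += [f"| {f['id']} | {f['severity']} | {f['title']} | {', '.join(f['hosts'])} |" for f in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(bar_chart(count_by_severity(FINDINGS)))
    print()
    print(findings_table(FINDINGS))
```

The severity of a finding is a judgement you make per client (the same exposed database is critical for a bank and medium for a lab), so the scale belongs in the report's methodology section next to the chart.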