As an ethical hacker performing a pentest, you must follow a set of rules and a step-by-step process to be efficient. The different phases are briefly explained below.
The first step of a penetration test is to write an agreement, a kind of pre-engagement document covering the legal requirements and the rules of the test. It must be signed by both parties before the analysis starts. Some important information has to be defined with your client:
> Read the agreement example by TrueSec
The more information you have about the target, the higher the chance of a successful exploitation.
The next step is probably the most important one for you: it is all about gathering (useful) information related to the scope previously defined. Every piece of information matters and, because of the volume, has to be logged and classified somewhere. There are two ways to gather information:
Automated tools are usually used here because they hold a database of common vulnerabilities and common paths.
> Tools for information gathering
Now you have plenty of information about your target(s). You found the services and their versions, open ports, operating systems, usernames… It is time to find the potential vulnerabilities before the exploitation. Automated scanners and online tools are usually used for that.
After drafting a list of potential entry points, you are ready for the next step.
> Tools for vulnerability assessment
This is the most fun phase. You probably found several weaknesses during the reconnaissance phase; now you will target them all, but take care not to damage or destroy anything. A good idea is to back up all sensitive data before you perform any attack. Another point you must consider is the disallowed techniques section defined in the agreement: don't waste your time on something that is out of scope… Exploitation can be:
> Tools for exploitation
The goal of this phase is to maintain control of the compromised system. Is there a way to hide a backdoor somewhere, escalate privileges and penetrate the internal network? Most of the time you will be faced with system defenses you could not discover during the information gathering step; adaptation is the key here.
There are a lot of rootkits available in different languages for all platforms. You would use one of them to avoid redoing the exploitation phase again and again; it is a kind of shortcut.
> Tools for post exploitation
This is the last part of your test and the most important one for your client. You will have to explain the results, keeping in mind that people from different backgrounds with different skills will read them (CEO, security manager, developers, …). The following topics must be covered:
A nice way to present your findings is simply to add one or two charts like these:
Some automated tools, such as Acunetix or Nessus, can create reports with links and graphics.
> See the Offensive security report example
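Two process points above deserve a concrete shape: every piece of gathered information has to be logged and classified against the scope and the disallowed-techniques section of the agreement, and the final report needs a per-severity summary that non-technical readers can grasp at a glance. The following Python example is added here and is not code from the original post nor from any tool it mentions; the address ranges, the forbidden technique names and the sample findings are constructed for illustration only.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Severity scale used for classification and for the report chart.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


@dataclass
class Engagement:
    """Rules of engagement as signed with the client (constructed values)."""
    in_scope_networks: list   # CIDR strings from the agreement
    in_scope_hosts: set       # hostnames from the agreement
    disallowed_techniques: set  # techniques the agreement forbids

    def host_in_scope(self, host: str) -> bool:
        """IP addresses are matched against the agreed CIDRs, names against the host list."""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            return host.lower() in self.in_scope_hosts
        return any(ip in ipaddress.ip_network(net) for net in self.in_scope_networks)


@dataclass
class Finding:
    host: str
    phase: str       # e.g. "information gathering", "vulnerability assessment"
    technique: str   # how the information was obtained
    severity: str    # one of SEVERITIES
    evidence: str    # what was observed (logs, banners, screenshots reference)


class FindingsLog:
    """Central log of everything gathered during the test, filtered by the agreement."""

    def __init__(self, engagement: Engagement):
        self.engagement = engagement
        self.findings = []
        self.rejected = []  # (finding, reason) pairs kept for the tester's own audit trail

    def record(self, finding: Finding) -> bool:
        """Accept a finding only if it respects the signed agreement."""
        if finding.severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {finding.severity}")
        if not self.engagement.host_in_scope(finding.host):
            self.rejected.append((finding, "host out of scope"))
            return False
        if finding.technique in self.engagement.disallowed_techniques:
            self.rejected.append((finding, "disallowed technique"))
            return False
        self.findings.append(finding)
        return True

    def by_severity(self) -> dict:
        """Counts per severity, always in the fixed order of the scale."""
        counts = Counter(f.severity for f in self.findings)
        return {sev: counts.get(sev, 0) for sev in SEVERITIES}

    def by_phase(self) -> dict:
        """Counts per test phase, handy for the technical appendix."""
        return dict(Counter(f.phase for f in self.findings))

    def ascii_chart(self) -> str:
        """A plain-text bar chart of findings per severity for the executive summary."""
        rows = [f"{sev:<9}| {'#' * n} {n}" for sev, n in self.by_severity().items()]
        return "\n".join(rows)


def build_sample_log() -> FindingsLog:
    """Populate the log with constructed findings, two of which violate the agreement."""
    agreement = Engagement(
        in_scope_networks=["192.0.2.0/24"],          # constructed documentation range
        in_scope_hosts={"intranet.example.test"},    # constructed hostname
        disallowed_techniques={"denial of service", "social engineering"},
    )
    log = FindingsLog(agreement)
    samples = [
        Finding("192.0.2.10", "information gathering", "port scan", "Info",
                "constructed: tcp/22 and tcp/80 open"),
        Finding("192.0.2.10", "vulnerability assessment", "version check", "High",
                "constructed: web server banner reports an unsupported version"),
        Finding("intranet.example.test", "vulnerability assessment", "configuration review",
                "Critical", "constructed: admin interface reachable without authentication"),
        # Out of scope: 203.0.113.0/24 is not in the agreement, so this must be rejected.
        Finding("203.0.113.9", "information gathering", "port scan", "Info",
                "constructed: tcp/443 open"),
        # Forbidden by the agreement's disallowed-techniques section.
        Finding("192.0.2.10", "exploitation", "denial of service", "High",
                "constructed: service became unresponsive under load"),
    ]
    for finding in samples:
        log.record(finding)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print(sample.ascii_chart())
    for finding, reason in sample.rejected:
        print(f"rejected {finding.host} ({finding.technique}): {reason}")
```

The log keeps rejected entries rather than silently dropping them, so the tester can show afterwards that out-of-scope hosts and forbidden techniques were noticed and left alone, which is itself a point worth a line in the report.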