When we talk about penetration tests, a lot of people think it is just a matter of switching on our computers, running a few tools against the target, doing a bit of magic and, done, the pentester has discovered a few vulnerabilities. The truth is far from this picture; maybe it works like that in the films, but not in real life.
A penetration test is a well-defined process, with methodologies such as OSSTMM, OWASP and others. All of them define concrete steps and procedures that a pentester should follow to perform the task properly.
One of the things that is well defined is the set of phases a pentest goes through. Each phase specifies what needs to be done and when it needs to be done. The tools you use to complete each phase are not important in this article; what matters here is the process.
We can find five different phases in a pentest, each one with its boundaries, objectives and goals well defined. These five phases are:
- Reconnaissance
- Scanning
- Gaining access
- Maintaining access
- Clearing tracks
Let's take a short look at each of the phases.
Reconnaissance refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching the attack; in other words, finding all the information within reach. The attacker uses every public source available to find information about the target. And we are not talking just about the company: we are talking about employees, business, operations, network, systems, competitors, … everything we can learn about the target. We can use web pages, social networks, social engineering, … The objective is to know as much as we can about the victim and the elements around it.
We can find two types of reconnaissance:
- Passive: acquiring information without interacting directly with the target.
- Active: interacting with the target directly by any means.
Scanning refers to a pre-attack phase where the attacker scans the network for specific information, based on what was gathered during reconnaissance. In general, in this step we use port scanners, vulnerability scanners and similar tools to obtain information about the target environment: live machines, open ports on each of them, running services, OS details, … All this information will allow us to launch the attack.
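From the defender's side, the scanning phase is usually the first thing that shows up in logs. The following is an added example, not code from the original post: it runs a simple port-scan heuristic over constructed firewall log lines, flagging any source that touches many distinct ports on one host inside a short window. The log format, the addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines in a simplified netfilter-style format.
# They are made up for this example and come from no real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
2024-03-01T10:00:01 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
2024-03-01T10:00:02 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
2024-03-01T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
2024-03-01T10:00:03 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
2024-03-01T10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143
2024-03-01T10:00:04 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:00:05 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445
2024-03-01T10:00:05 DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
2024-03-01T10:00:10 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:05:00 ACCEPT SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
2024-03-01T10:07:00 DROP SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_lines(text):
    """Parse log lines into event dicts; lines in an unexpected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "action": d["action"],
            "src": d["src"],
            "dst": d["dst"],
            "port": int(d["dpt"]),
        })
    return events


def detect_port_scans(events, min_ports=8, window_seconds=30):
    """Return one alert per (src, dst) pair that touched at least min_ports
    distinct destination ports inside some window of window_seconds."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["port"] for e in evs[start:end + 1]}
            if best is None or len(ports) > best["distinct_ports"]:
                best = {
                    "src": src,
                    "dst": dst,
                    "distinct_ports": len(ports),
                    "first": evs[start]["ts"].isoformat(),
                    "last": evs[end]["ts"].isoformat(),
                }
        if best is not None and best["distinct_ports"] >= min_ports:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_port_scans(parse_lines(SAMPLE_LOG)):
        print(f"possible scan: {a['src']} -> {a['dst']}, "
              f"{a['distinct_ports']} ports between {a['first']} and {a['last']}")
```

The sliding window keeps the check cheap on large logs, and the threshold is per (source, destination) pair so a busy but legitimate client hitting one service repeatedly does not trigger it; tune `min_ports` and `window_seconds` to the environment's normal traffic.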
Gaining access refers to the point where the attacker obtains access to a machine or application inside the target's network. Part of this phase is the attacker trying to escalate privileges to obtain complete control of the system or, based on the access already obtained, trying to compromise other systems in the network. Here we have multiple tools and different possibilities, such as password cracking, denial of service, buffer overflows, session hijacking, …
Maintaining access refers to the phase where the attacker tries to retain ownership of the system and make future access to the compromised system easier, especially in case the way the attacker used to compromise the system gets fixed. The attacker can do multiple things: create users in the system, install their own applications and hide them, install backdoors, rootkits or trojans and even, in some cases, harden the compromised machine to prevent other attackers from taking control of it.
Clearing tracks refers to the activities carried out by an attacker to hide malicious acts. In this phase, the attacker tries to remove all evidence that the machine was compromised, in order to avoid, in the first place, detection and, in the second place, to obstruct prosecution.
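The persistence mechanisms described for the maintaining access phase (new users, modified shells, scheduled jobs) leave traces in host configuration, so a baseline comparison catches many of them. This is an added example, not part of the original post: it diffs constructed /etc/passwd and crontab snapshots against a baseline and reports new accounts, new UID 0 accounts, shell changes and added cron entries. The snapshots, user names and paths are made up for the example.

```python
# Constructed snapshots in /etc/passwd and crontab format, made up for this
# example; they do not come from any real host and the paths are placeholders.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0:support:/var/tmp/.cache:/bin/bash
"""

BASELINE_CRON = """\
0 2 * * * root /usr/local/bin/backup.sh
"""

CURRENT_CRON = """\
0 2 * * * root /usr/local/bin/backup.sh
*/5 * * * * root /var/tmp/.cache/update.sh
"""


def parse_passwd(text):
    """Map user name -> (uid, shell) from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, ignore it
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = (int(uid), shell)
    return users


def diff_accounts(baseline_text, current_text):
    """Compare two passwd snapshots and return a list of findings."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    findings = []
    for name, (uid, shell) in cur.items():
        if name not in base:
            findings.append({"kind": "new_account", "user": name, "uid": uid})
            if uid == 0:
                # A second UID 0 account is a classic persistence trick.
                findings.append({"kind": "new_uid0_account", "user": name})
            continue
        old_uid, old_shell = base[name]
        if old_uid != uid:
            findings.append({"kind": "uid_changed", "user": name,
                             "old": old_uid, "new": uid})
        if old_shell != shell:
            # e.g. a service account that suddenly gets a login shell
            findings.append({"kind": "shell_changed", "user": name,
                             "old": old_shell, "new": shell})
    for name in base:
        if name not in cur:
            findings.append({"kind": "account_removed", "user": name})
    return findings


def diff_cron(baseline_text, current_text):
    """Return crontab entries present now that were not in the baseline."""
    def entries(text):
        return [l.strip() for l in text.splitlines()
                if l.strip() and not l.lstrip().startswith("#")]
    base = set(entries(baseline_text))
    return [l for l in entries(current_text) if l not in base]


if __name__ == "__main__":
    for f in diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print("account finding:", f)
    for entry in diff_cron(BASELINE_CRON, CURRENT_CRON):
        print("new cron entry:", entry)
```

The baseline should be captured from a known-good image and stored off the host, since a baseline kept on the compromised machine can be rewritten along with the files it describes.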
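The usual defence against clearing tracks is forwarding logs off the host as they are written, so the local copy can be compared against the shipped copy. This is an added example, not from the original post: it models a forwarder that hash-chains each record, verifies that the shipped chain has not been rewritten, and reports which shipped lines are missing from, or unexpected in, the local log. The log lines, host name and chain seed are constructed for the example.

```python
import hashlib

# Constructed auth-log-style lines standing in for records a host forwarded to
# a remote collector before the attacker cleaned up; made up for this example.
SHIPPED_LINES = [
    "Mar  1 10:00:01 web01 sshd[1201]: Accepted publickey for alice from 198.51.100.4 port 50122",
    "Mar  1 10:03:17 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 41002",
    "Mar  1 10:03:19 web01 sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 41002",
    "Mar  1 10:03:25 web01 sshd[1241]: Accepted password for backup from 203.0.113.7 port 41010",
    "Mar  1 10:04:00 web01 sudo:   backup : TTY=pts/1 ; COMMAND=/bin/bash",
]

# The local log as found on the host afterwards: only the benign line remains.
LOCAL_LINES = [SHIPPED_LINES[0]]

CHAIN_SEED = "example-seed"  # constructed; a real deployment would use a per-host secret


def chain_digest(prev_hex, line):
    """Digest of the previous chain value together with the new record."""
    return hashlib.sha256(prev_hex.encode() + b"\n" + line.encode()).hexdigest()


def build_chain(lines, seed=CHAIN_SEED):
    """Simulate the forwarder: each shipped record carries the running chain hash."""
    records = []
    h = seed
    for line in lines:
        h = chain_digest(h, line)
        records.append((line, h))
    return records


def verify_chain(records, seed=CHAIN_SEED):
    """True if every record's hash matches the chain, i.e. nothing was edited
    or dropped from the middle of the shipped copy."""
    h = seed
    for line, digest in records:
        h = chain_digest(h, line)
        if h != digest:
            return False
    return True


def compare_local(local_lines, records):
    """Walk the shipped records in order and classify local lines.
    'missing' are shipped lines absent locally (deleted on the host);
    'unexpected' are local lines the collector never saw (added or altered)."""
    missing, unexpected = [], []
    i = 0
    for line, _digest in records:
        if i < len(local_lines) and local_lines[i] == line:
            i += 1
        else:
            missing.append(line)
    unexpected.extend(local_lines[i:])
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    chain = build_chain(SHIPPED_LINES)
    print("shipped chain intact:", verify_chain(chain))
    result = compare_local(LOCAL_LINES, chain)
    for line in result["missing"]:
        print("deleted locally:", line)
```

`compare_local` assumes the collector received the lines in the order the host wrote them and that local lines were removed rather than reordered; if reordering is possible, a multiset comparison is the safer check. The chain only proves the shipped copy is intact, which is why the forwarder must run in near real time: anything the attacker deletes before it is shipped is gone.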
These are the different phases of a pentest, and any service offered should perform all of them properly. In addition, one of the best things about performing all the phases correctly and in the right order is that the information found in one phase can be used to complete the next.