Penetration Testing Phases

Penetration testing, also known as pen testing, is a type of security assessment that uses many of the same techniques that hackers employ in real-world cyber attacks. A penetration test can mimic different malicious actors, such as external attackers with no prior access (black-box testing), malicious authenticated users (grey-box), and malicious organization employees (white-box).

Unlike a vulnerability assessment, a traditional penetration test focuses on manual testing. Testers can utilize tools to automate repetitive tasks such as target resource enumeration and testing with different malicious payloads. Unlike a red team exercise, a pen test typically has a defined time duration and scope. The goal is to discover as many security vulnerabilities as possible that affect the target’s ability to withstand malicious attacks.

Importance of penetration testing

Regular pen tests are crucial to organizations because they provide an indication of how well the organization’s assets can withstand real-world attacks. Such attacks can have significant business impact, such as compromise of user accounts, theft of confidential data, and degrading the availability of critical web applications. Penetration tests can also be important for maintaining compliance with cybersecurity regulations, local laws, and customer expectations.

Core Phases of Penetration Testing

The penetration testing process consists of multiple phases that mimic real-world attacks. The exact definition of the phases of the penetration testing process may differ between methodologies and vendors, but the combined activities of all the phases are essential for a successful engagement.

7 stages of penetration testing

1. Pre-Engagement Phase

This first penetration testing phase is vital for the planning and smooth execution of a test because it establishes important test parameters:

  • assets included in the penetration test scope;
  • assets explicitly excluded from the test scope;
  • black-box, grey-box, or white-box level of access;
  • test duration with starting and ending dates;
  • procedure for reporting identified critical-severity vulnerabilities.

The open discussion between the penetration testing services provider and the customer helps set expectations about the execution and outcomes of the upcoming engagement. At the end of the pre-engagement phase, the customer provides the penetration testers with all access necessary for the penetration testing phase.

2. Reconnaissance

The penetration test begins with reconnaissance of the target systems. The pen testers gather as much information as they can about the target’s attack surface, including the technology stack and potential entry points.

Passive reconnaissance gathers information about the target system without contacting it directly. An open source intelligence (OSINT) investigation can discover publicly available information about the target system. The utility of such information depends on the type of penetration test. For example, a network penetration test can discover additional domain names and IP addresses to include in the scope. OSINT may be skipped if the penetration test is only an internal test on non-public targets.

Active reconnaissance sends network requests to probe the target system. This enumerates the technology stack on the system, such as operating systems and server applications. The penetration tester reviews the vulnerabilities published for the discovered software to further identify potential weaknesses and entry points. Other application functionality, such as authentication forms, also represents a point of entry.

3. Scanning Phase

This penetration testing phase is typically only present in network penetration tests, where the pen tester performs an automated scan to enumerate live assets and identify as many open ports as possible. Scanning often expands the attack surface. For example, discovering a service listening on an open port leads to fingerprinting the service to identify potential vulnerabilities.

Scanning is performed using automated tools. It may be important to adjust the rate of network traffic to avoid system crashes. Loss of availability is especially important in production environments where it can impact business operations. Because of this, preserving the availability of assets in the customer environment is often a contractual requirement.

The scanning phase may include a vulnerability assessment of the assets in the test scope. This is an automated process that can quickly identify security flaws, misconfigurations and vulnerabilities. The penetration tester can then attempt to exploit them manually. The manual exploitation attempts are required because while vulnerability assessment tools identify common vulnerabilities, they stop short of exploiting them in order to verify them.

At the end of the reconnaissance and scanning phases of penetration testing, the penetration tester has enumerated the target systems and identified potential points of entry. This information is used to formulate an effective attack strategy for gaining initial access.

4. Gaining Access

This is the first exploitation phase, where the penetration tester attempts to gain access to the target system using the enumerated points of entry and identified vulnerabilities. The tester evaluates the effectiveness of the security restrictions implemented to prevent malicious access. For example, a web application firewall (WAF) may be deployed to protect against common web application attacks. The tester documents the outcome of attempting to bypass the WAF.

When a tester successfully gains access, they continue to test all other identified entry points and software vulnerabilities. This helps identify all security flaws that might be exploited by a malicious actor to access the customer environment.

Finally, the pen tester assesses and documents the impact of a successful attack. The information recorded includes the level of access granted on each target system, the types of sensitive information exposed, and the opportunities for lateral movement and persistent access within the customer environment.

5. Maintaining Access

Penetration tests often do not have a requirement for establishing persistent access in the customer organization’s environment. If this is a requirement, the testers can establish persistent access and hide their tracks. This mimics the behavior of an advanced persistent threat (APT) malicious actor.

Establishing persistent access in the target environment requires the penetration tester to use advanced techniques to retain access in case the initial foothold is discovered or the host system becomes inaccessible. In a network penetration test, this might require injecting malicious code in a host system startup sequence or compromising a peripheral network device.

Once persistent access is established, the testers can check network traffic to study the internal topology. This repeats the Reconnaissance and Scanning penetration testing phases on the inside of the customer environment. The testers can identify and compromise additional target systems, repeating the entire process further. This iterative process is necessary in segmented internal networks.

In some cases, penetration testers can gain access only as an unprivileged user. The penetration testers then analyze the operating system and the applications running on it to identify privilege escalation vulnerabilities. Successful escalation can expose additional sensitive information, such as user credentials and application secrets. This can allow additional lateral movement to even more systems in the customer environment.

While in the customer’s environment, the pen testers may need to hide their tracks to remain in the compromised system undetected by the defensive security controls and staff. This may require modifying system and network log files, stealing data, injecting malicious code inside operating systems and applications, and hiding communication channels.

The penetration testers document their interaction with the customer internal network environment, such as the presence or absence of appropriate security controls, effectiveness of the existing controls, specific vulnerabilities, identified and compromised systems, privilege escalations, and sensitive data gathered.

6. Covering Tracks

At the end of the pen test, the testers remove their tracks and restore the system as close to its original state as possible. However, unlike the previous phases, this penetration testing phase does not involve attacking or compromising the target environment further.

This may include the removal of installed testing software, additional test accounts, and malicious data and software used to exploit the target’s vulnerabilities. Failure to do so can expose the customer’s resources to unintended consequences. For example, a malicious payload left in the production environment of a web application can inadvertently be triggered by an application user.

7. Reporting Phase

The reporting phase is the last of the penetration testing phases. The pen test results in a comprehensive report that describes the engagement and shares the results with the customer. The report lists the agreed-upon engagement parameters and known limitations of the performed testing. An executive summary provides a high-level discussion of the results of the penetration test, business impact assessment, and recommendations.

The penetration testing report also provides in-depth technical information about each identified vulnerability and each item of exposed sensitive data. This includes the vulnerability description, severity rating, reproduction steps, evidence, and actionable remediation recommendations.

Standardized vulnerability severity rating is important for effective vulnerability management and remediation prioritization. The standardized Common Vulnerability Scoring System (CVSS), also used by the National Vulnerability Database (NVD), rates each vulnerability’s exploitability and security impact. The score is used to assign Critical, High, Medium, or Low severity to each vulnerability.

Endnotes

Penetration tests are a crucial component of identifying an organization’s security risks of internal and external attacks. Regular tests and the continued remediation of identified security vulnerabilities can improve the organization’s security posture and help it meet its cybersecurity compliance and customer requirements.

Penetration test engagements can also identify gaps in the organization’s defensive security controls. The security team can use pen test findings to learn about new trends in threat actors, malicious attacks, and known vulnerabilities. This can help the team counter these new trends with appropriate network design and security control changes, improving the organization’s security posture in the long term.

FAQs

What are the phases listed in NIST SP 800-115?

NIST Special Publication 800-115, titled “Technical Guide to Information Security Testing and Assessment”, lists four penetration testing phases. They represent a broader way to define the same phases listed above:

  • The NIST SP 800-115 Planning phase corresponds to the Pre-Engagement phase above.
  • The Discovery phase combines the Reconnaissance and Scanning pen testing phases.
  • The Attack phase combines the Gaining Access and Maintaining Access phases.
  • The Reporting phase corresponds to the phase of the same name above.

What are the three access levels of penetration testing?

Penetration testing can have a black-box, grey-box, or white-box access level. Black-box testing mimics an external attacker with no prior access to the target. Grey-box testing requires authenticated access and imitates a malicious application or system user. White-box testing can include access to databases or application source code. Such testing evaluates the risk posed by a malicious organization employee.

What are the 7 steps of penetration testing?

The seven steps of penetration testing are: Pre-Engagement Phase, Reconnaissance, Scanning Phase, Gaining Access, Maintaining Access, Covering Tracks, and Reporting Phase. The Pre-Engagement Phase establishes test parameters. Reconnaissance gathers target information. Scanning identifies vulnerabilities. Gaining and Maintaining Access test system defenses. Covering Tracks removes evidence. Reporting Phase includes a technical risk briefing, summarizing findings and recommendations.

Which of the 7 stages of penetration testing does port scanning fall under?

Port scanning falls under the third phase of a penetration test, known as the scanning phase. It is used during network and other infrastructure penetration tests to gather information about a network. The primary goal is to identify open ports on a network host, which can reveal vulnerabilities that could be exploited by malicious actors.
