What are the phases of a Quality Penetration Test?
So, you've hired a penetration tester. What should you expect? At a minimum, a penetration test should include phases similar to:
Scoping
Reconnaissance
Research
Automated testing and fuzzing
Manual exploitation
Pivoting and privilege escalation
Documentation, client debriefing/presentation
and possibly a follow-up retest
During the scoping phase, the tester discusses and defines the potential targets with the client. The tester also discusses and defines timeframes and testing caveats, and addresses any concerns the client may have. This phase is crucial for setting expectations moving forward. I like to use this phase to gather any additional helpful information that the client may inadvertently disclose, like the technology stacks to expect.
During the reconnaissance phase, the tester passively and actively gathers intelligence about the targeted systems, networks and users. I typically do a lot of googling and make heavy use of OSINT tools during this phase. At the end of recon, the tester should have a strong sense of the client's technology stacks, attack vectors and user data.
The research phase may be considered part of recon; however, it becomes a distinct phase when it involves learning more about the technology in use, and perhaps even duplicating user systems and environments, in order to facilitate more precise attacks or exploit development.
Automated testing and fuzzing are an important step in a penetration test. We are only human and cannot know every potential parameter, endpoint or memory register. Computers, however, are great at this and can programmatically step through large datasets and exhaust all possibilities. This step may include deploying a vulnerability scanner or an automated fuzzing tool to try known signatures or lists of payloads.
During the manual exploitation phase, the tester takes all of the information gathered in the previous phases and attempts to actually gain privileges on systems in order to disclose protected data or gain a foothold in the protected environment.
From the foothold, the tester moves on to the next phase: pivoting and privilege escalation. This is an attempt to raise the obtained privilege to one of greater authority, or to gain access to additional systems.
After all of this hacking, the most important phase is the knowledge share with the client, the client's development team and the product owner. It's vital that vulnerabilities are articulated clearly and demonstrably. Findings must include specific remediation suggestions that are applicable to the client's systems and environment.
Not all testers and penetration tests are built the same; however, you can expect the phases of a good, high-quality penetration test to be similar to what I've outlined.