
Penetration Testing Introduction

Adrien Raimbault

Penetration Testing - Introduction


Penetration Test vs Red Team vs Vulnerability Assessment

  • Penetration Test: A structured, authorized attempt to identify and exploit all vulnerabilities in a system.
  • Red Team Assessment: Scenario-based, focused on reaching a specific goal using stealth and creativity.
  • Vulnerability Assessment: A lighter version of a penetration test using only automated tools (e.g., Nessus, Qualys, OpenVAS).

Risk Management

Risk management involves identifying, evaluating, and mitigating risks that could harm a company.

Risk Mitigation Strategies:

  • Transfer: Shift responsibility to a third-party (e.g., cloud provider).
  • Reduce: Apply preventative measures and controls.
  • Accept: Use financial instruments or tolerate low-risk scenarios.

Types of Penetration Testing

  • External Testing: Simulates an attack from an outsider (e.g., over the internet).
  • Internal Testing: Performed from within the company’s internal network.

Testing Types: Blackbox / Greybox / Whitebox

  • Blackbox: Only minimal public info is provided.
  • Greybox: Partial access to documentation and internal info.
  • Whitebox: Full knowledge including source code and credentials.

Laws & Regulations

Laws by category and jurisdiction (USA, Europe, UK, India, China):

  • Protecting critical information infrastructure and personal data
    • USA: Cybersecurity Information Sharing Act (CISA)
    • Europe: General Data Protection Regulation (GDPR)
    • UK: Data Protection Act 2018
    • India: Information Technology Act 2000
    • China: Cyber Security Law
  • Criminalizing malicious computer usage and unauthorized access to computer systems
    • USA: Computer Fraud and Abuse Act (CFAA)
    • Europe: Network and Information Systems Directive (NISD 2)
    • UK: Computer Misuse Act 1990
    • India: Information Technology Act 2000
    • China: National Security Law
  • Prohibiting circumventing technological measures to protect copyrighted works
    • USA: Digital Millennium Copyright Act (DMCA)
    • Europe: Cybercrime Convention of the Council of Europe
    • China: Anti-Terrorism Law
  • Regulating the interception of electronic communications
    • USA: Electronic Communications Privacy Act (ECPA)
    • Europe: E-Privacy Directive 2002/58/EC
    • UK: Human Rights Act 1998 (HRA)
    • India: Indian Evidence Act of 1872
  • Governing the use and disclosure of protected health information
    • USA: Health Insurance Portability and Accountability Act (HIPAA)
    • UK: Police and Justice Act 2006
    • India: Indian Penal Code of 1860
  • Regulating the collection of personal information from children
    • USA: Children’s Online Privacy Protection Act (COPPA)
    • UK: Investigatory Powers Act 2016 (IPA)
  • A framework for cooperation between countries in investigating and prosecuting cybercrime
    • UK: Regulation of Investigatory Powers Act 2000 (RIPA)
  • Outlining individuals’ legal rights and protections regarding their personal data
    • India: Personal Data Protection Bill 2019
    • China: Measures for the Security Assessment of Cross-border Transfer of Personal Information and Important Data
  • Outlining individuals’ fundamental rights and freedoms
    • China: State Council Regulation on the Protection of Critical Information Infrastructure Security

Penetration Testing Stages

1. Pre-Engagement

Goals: Define scope, objectives, and rules of the test.

Key Documents:

  • Non-Disclosure Agreement (NDA)
  • Scoping questionnaire & document
  • Penetration Testing Proposal
  • Rules of Engagement
  • Contractors Agreement

2. Information Gathering

Steps:

  • OSINT: Open-source information collection
  • Infrastructure Enumeration: Identify networks, firewalls
  • Service/Host Enumeration
  • Pillaging: Look for sensitive data on compromised systems

3. Vulnerability Assessment

4. Exploitation

Objectives:

  • Exploit discovered vulnerabilities
  • Prioritize based on:
    • Success probability (CVSS)
    • Exploit complexity
    • Risk of causing damage

Tips:

  • Test exploits in a local VM
  • Ask for client permission when unsure

5. Post-Exploitation

Objectives:

  • Escalate privileges
  • Establish persistence
  • Continue pillaging and vulnerability assessment

Techniques:

  • Evasive, hybrid, or non-evasive
  • Identify internal network structure
  • Look for credentials, sensitive documents

6. Proof of Concept

  • Document exploit steps
  • Provide scripts if necessary
  • Ensure PoC is understandable and reproducible

7. Post-Engagement

Checklist:

  1. Cleanup of tools/scripts from target
  2. Document findings and provide mitigation advice
  3. Report review meeting with client
  4. Deliver draft and final reports
  5. Post-remediation testing (if applicable)

8. Data Retention

  • Secure storage of data collected during engagement
  • Retain data for reference, verification, or re-testing

9. Close Out

  • Final meeting to review findings
  • Share full report and supporting data
  • Provide next steps for remediation


Penetration test stages

  1. Pre-Engagement: create and review contracts (goals, scope, time estimation, rules)
  2. Information Gathering: Info about target company, software and hardware
  3. Vulnerability assessment: Analyze results from information gathering stage (manually and automated)
  4. Exploitation: Test attacks against identified vectors
  5. Post-exploitation: Escalation of privileges, searching for sensitive data
  6. Lateral Movement: Use a compromised machine to access additional hosts at the same or a higher privilege level
  7. Proof-of-Concept: document step by step how to achieve level of access (Path)
  8. Post-engagement: documentation and cleaning and meeting

Pre-engagement

This is the preparation stage for the upcoming penetration test. It consists of three elements:

  • Scoping questionnaire (define the scope during the 1st meeting)
  • Pre-engagement meeting
  • Kick-off meeting

Documents needed are:

  • Non-Disclosure Agreement
  • Scoping Questionnaire (internal, social engineering, web, physical)
  • Scoping document (live hosts, users, activities out of scope, IPs, domains, box, evasion (hide))
  • Penetration testing proposal (NDA, goals, scope, type, methods, remote, internal, time, third parties, evasion, risks, payment terms)
  • Rules of Engagement (contractor, pentesters, goals, scope)
  • Contractors Agreement
  • Reports

Information Gathering

Steps:

  • Open-Source Intelligence: OSINT, Information online
  • Infrastructure Enumeration: Server’s map, identify firewall
  • Service Enumeration: Services we can communicate with
  • Host Enumeration
  • Pillaging: Collect sensitive information locally on an exploited target

Vulnerability Assessment

This stage’s goal is to analyze the information gathered from the previous stage and identify the vulnerabilities that can be exploited.

For example, suppose TCP port 2121 is open. This is not a standard port, as it lies outside the system ports range of 0 to 1023 (see the IANA service name and transport protocol port number registry).

However, the port number resembles the FTP port number 21, so the service running on it could be a custom or misconfigured FTP server.
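As an added example (not code from the original post), a small Python helper that classifies open ports by IANA range and flags non-standard ports that resemble a well-known service, following the 2121 / 21 reasoning above. The "resembles" heuristic and the port table subset are assumptions of this example; a flagged port is only a candidate for manual verification.

```python
from typing import Dict, List, Optional, Tuple

# Constructed subset of the IANA system (well-known) port assignments, 0-1023.
WELL_KNOWN: Dict[int, str] = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
    80: "http", 110: "pop3", 143: "imap", 443: "https", 445: "smb",
}


def port_range(port: int) -> str:
    """IANA range: system (0-1023), registered (1024-49151), dynamic (49152-65535)."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid TCP port {port}")
    if port <= 1023:
        return "system"
    if port <= 49151:
        return "registered"
    return "dynamic"


def resembles(port: int) -> Optional[Tuple[int, str]]:
    """Heuristic (assumption of this example): a non-system port that repeats a
    well-known number (2121, 8080) or prefixes it with a single digit (8443)
    may be a relocated, custom or misconfigured instance of that service.
    It is only a hint; the service still has to be verified manually."""
    if port_range(port) == "system":
        return None
    text = str(port)
    # Longest well-known numbers first so 8443 matches 443 rather than 43.
    for known in sorted(WELL_KNOWN, key=lambda k: -len(str(k))):
        k = str(known)
        if text == k * 2 or (len(text) == len(k) + 1 and text.endswith(k)):
            return known, WELL_KNOWN[known]
    return None


def assess(open_ports: List[int]) -> List[dict]:
    """Annotate scan results so non-standard ports are queued for manual review."""
    findings = []
    for port in sorted(set(open_ports)):
        hint = resembles(port)
        findings.append({
            "port": port,
            "range": port_range(port),
            "service": WELL_KNOWN.get(port),          # known only for system ports
            "review_as": hint[1] if hint else None,   # e.g. 2121 -> "ftp"
        })
    return findings


if __name__ == "__main__":
    # Constructed scan result; 2121 is the page's example of a non-standard port.
    for finding in assess([22, 80, 2121, 8080, 1025, 50000]):
        print(finding)
```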

Vulnerability research:

In this part, we look for known vulnerabilities in the software and services running on the target system.

Here is a list of some of the most common vulnerability databases:

Exploitation

The goal of this step is to turn the weaknesses identified in the previous step into working exploits against the target.

Note that this step is closely connected to the previous one.

Prioritize possible attack vectors

We can prioritize the attack vectors based on the following criteria:

  • Probability of success: CVSS scoring, NVD calculator (risk vs severity)
  • Complexity: time, effort and research needed
  • Probability of damage: avoid any damage to the system (no DoS)

Note: You can use a matrix to prioritize the attack vectors according to the above criteria.
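An added example (not from the original post) of such a prioritization matrix in Python: each vector is scored on the three criteria above, with probability derived from the CVSS severity bands, and DoS or high-damage vectors are dropped in line with the "no DoS" rule. The weights, scales and sample findings are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scores for the page's three criteria (higher = try first). Complexity
# and damage are the tester's estimates; probability comes from the CVSS score.
COMPLEXITY = {"low": 3, "medium": 2, "high": 1}   # time, effort, research needed
DAMAGE = {"low": 3, "medium": 2, "high": 0}       # high damage risk is excluded


@dataclass
class AttackVector:
    name: str
    cvss: float        # CVSS base score of the vulnerability, 0.0-10.0
    complexity: str    # "low" | "medium" | "high"
    damage: str        # "low" | "medium" | "high"
    is_dos: bool = False


def probability_score(cvss: float) -> int:
    """Map a CVSS base score to 1..3 along the CVSS severity bands
    (>= 7.0 high/critical, >= 4.0 medium, otherwise low)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    return 3 if cvss >= 7.0 else 2 if cvss >= 4.0 else 1


def score(v: AttackVector) -> int:
    """Matrix score with probability weighted double. DoS and high-damage
    vectors score 0 and drop out, matching the page's 'no DoS' rule."""
    if v.is_dos or v.damage == "high":
        return 0
    return 2 * probability_score(v.cvss) + COMPLEXITY[v.complexity] + DAMAGE[v.damage]


def prioritize(vectors: List[AttackVector]) -> List[Tuple[str, int]]:
    """Return (name, score) for attemptable vectors, best candidate first."""
    scored = [(v.name, score(v)) for v in vectors]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))


# Constructed findings for a hypothetical engagement (not from the page).
SAMPLE = [
    AttackVector("Anonymous login on FTP-like service (tcp/2121)", 7.5, "low", "low"),
    AttackVector("Outdated web framework with public RCE", 9.8, "medium", "medium"),
    AttackVector("Resource-exhaustion DoS on web server", 7.5, "low", "high", is_dos=True),
    AttackVector("Weak TLS cipher suites on mail server", 3.7, "high", "low"),
]

if __name__ == "__main__":
    for name, s in prioritize(SAMPLE):
        print(f"{s:2d}  {name}")
```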

Preparation for the attack

If you can’t find a proof of concept for the vulnerability, a solution is to mirror the host environment on a local VM. This way you can test the exploit without damaging the target system.

Important: If in doubt about an exploit, ask the client for permission to test it, providing them with the information they need to make a decision.

Post-exploitation

In this part, we assume that we have successfully exploited a vulnerability on the target system.

The objective here is to get sensitive and/or security related information from the compromised system.

Evasive Testing

Evasive testing is a technique used to avoid detection by security systems and tools.

There are 3 different categories:

  • Evasive: Techniques designed to completely avoid detection by security tools.
  • Hybrid evasive: A combination of evasive and non-evasive techniques, balancing stealth and functionality.
  • Non-evasive: Techniques that do not attempt to avoid detection but focus on exploiting vulnerabilities directly.

Information gathering

Now you can get back to the information gathering & vulnerability assessment stage with the newly acquired information.

We can now restart the process from the local perspective.

Pillaging

Pillaging is the stage where we examine the role of the host in the corporate network.

The information we look for includes, but is not limited to:

  • Interfaces
  • Routing
  • ARP
  • VPN
  • IP subnets
  • Network traffic
  • Services
  • DNS

The main goals of pillaging are either to show the impact of a successful attack or to find a way to escalate privileges with documents, passwords, configuration, etc..

Persistence

The next step in the timeline is to maintain access to the compromised system. This step is done when needed, depending on the situation: if access was gained through a buffer overflow vulnerability, for example, you may not be able to get back in the same way if you lose the connection.

Vulnerability assessment

Having a foothold in the system, we can now start looking for internal vulnerabilities.

Privilege escalation

Privilege escalation is the process of gaining higher privileges on a system. Note that this process does not always have to occur locally, as we could get some credentials from the compromised system and use them to access other systems on the network.

Data exfiltration

Data exfiltration is the process of transferring sensitive data from the compromised system to an external location. This process can be done in several ways, including:

  • Using a reverse shell
  • Using a VPN
  • Using a proxy
  • Using a remote desktop connection

Proof of concept

The proof of concept can be a document describing the vulnerabilities found, or a more practical form of PoC such as a script or code that exploits a vulnerability automatically.

Note that the script option may not be the only way to exploit a vulnerability. It’s important that developers or cyber security experts are able to understand the code and the logic behind it. The vulnerability may be exploitable in several ways, and the script may not express the only way to exploit it.

Post-engagement

  1. Cleanup: clean tools, script and files used during the pentest on the target systems.
  2. Documentation: write a report of the pentest, including the vulnerabilities found, the impact of the attack and the recommendations to fix them. This includes command output and screenshots. Do not expose any Personally Identifiable Information (PII) in the report, but do provide the list of findings, e.g. attack chain, findings with risk rating, recommendations, remediation steps, etc.
  3. Report review meeting: review the report with the client and discuss the findings and recommendations.
  4. Deliverable Acceptance: deliver the draft report to the client for review, then the final report.
  5. Post-remediation testing: review the documentation & test the remediation steps taken by the client to fix the vulnerabilities found during the pentest.

Data retention

Data retention is the process of keeping the data collected during the pentest for a certain period of time. This is important to ensure that the data is not lost or destroyed during the pentest.

Close Out

This is the final step of the pentest. This step includes the following tasks:

  • Review the report with the client and discuss the findings and recommendations.
  • Provide the client with a copy of the report and the data collected during the pentest.