A penetration test is a simulated cyber attack designed to uncover vulnerabilities and poor security controls. To succeed at this, you must follow a framework or methodology that includes specific penetration testing steps for you to follow. This allows you to perform a comprehensive assessment and provide the client with actionable insights to improve their cyber security posture.
Failure to follow the appropriate penetration testing steps can result in an inadequate security assessment that does not meet the main objective of a pentest and falls short of meeting the client's expectations.
This article will showcase several popular penetration testing frameworks and methodologies used by security professionals in the field. It will then guide you through the necessary steps all pentests have in common so that you can consistently execute the perfect assessment.
What Is a Penetration Test?
Before looking at popular penetration testing frameworks and methodologies you can use to perform an assessment, let's define what a penetration test is.
A penetration test is a simulated cyber attack designed to identify vulnerabilities within a computer network, system, or application that an attacker can exploit to gain unauthorized access. Its main goal is to provide a comprehensive assessment that uncovers vulnerabilities and poorly configured or missing security controls that a hacker could exploit in the real world.
They provide the blue team with insight into security gaps they must prioritize and are often compliance requirements set by regulatory bodies.
If you are curious about how a penetration test compares to red team engagement, read Red Teaming vs Penetration Testing: What Is Best for Me?
Frameworks and Methodologies
Now that we know what a pentest is, let's look at the frameworks and methodologies that security professionals use to perform them.
There are countless penetration testing methodologies. However, many of them are very similar, having only subtle differences. These differences come from the type of penetration test being performed. For instance, some methodologies focus on testing web applications, whereas others are designed for network pentests. Here are some of the popular frameworks and methodologies that are commonly used today.
Open Web Application Security Project
The Open Web Application Security Project (OWASP) is a non-profit organization that provides a comprehensive testing guide for web applications. This guide offers a systematic approach for assessing the security of web applications. It includes checklists, examples to aid testers, and additional tools that improve the efficiency of a test.
OWASP has other notable projects that you can freely use. These include:
- OWASP Top Ten Project: A list of the most critical web application security risks. You can learn how to use this project in How to Use the OWASP Top 10 for WebApp Penetration Testing.
- OWASP ZAP (Zed Attack Proxy): An open-source web application security scanner.
- OWASP Software Assurance Maturity Model (SAMM): Guidelines and best practices for writing secure code.
- OWASP Mobile Application Security: A testing guide for mobile apps.
- OWASP Juice Shop: A deliberately vulnerable web application for hands-on security training.
Penetration Testing Execution Standard
The Penetration Testing Execution Standard (PTES) is a framework that provides a common language and scope for performing penetration testing. It was developed by information security practitioners from various industries to establish a standardized approach and ensure consistency when performing pentesting.
It includes seven phases that guide you through the pentesting process:
- Pre-engagement Interactions: Discussing the penetration test's scope, objectives, and rules.
- Information Gathering: Gathering intelligence about the target system or organization.
- Threat Modeling: Analyzing the intelligence gathered to identify potential threats and risks.
- Vulnerability Analysis: Assessing the target system for known vulnerabilities.
- Exploitation: Actively exploiting the identified vulnerabilities.
- Post Exploitation: Maintaining access, escalating privileges, and exploiting the target system or network further.
- Reporting: Documenting your findings in a report for the client.
The standard also includes technical guidelines to accompany these phases, defining certain procedures to follow during a penetration test.
National Institute of Standards and Technology Special Publication 800-115
National Institute of Standards and Technology (NIST) Special Publication 800-115 is best described by its title "Technical Guide to Information Security Testing and Assessment." The publication provides recommendations and best practices for planning, executing, and documenting security assessments. It heavily emphasizes the technical aspects of assessing security controls and vulnerabilities.
This publication includes four high-level phases that should guide your penetration testing:
- Plan: Defining the scope, objectives, and rules of the engagement.
- Discover: Gathering information and performing reconnaissance activities to understand the target environment.
- Attack: Actively exploiting the vulnerabilities identified to test systems and applications.
- Report: Document your findings and communicate these to the client.
MITRE ATT&CK
MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a knowledge base that catalogs known tactics, techniques, and procedures (TTPs) used by real-world threat actors. These TTPs are organized into a matrix that models the different stages of a cyber attack. This matrix includes two main components:
- Tactics: The high-level phases of the attack lifecycle from initial access to command and control.
- Techniques: The specific actions, methods, or procedures an adversary uses to accomplish their objectives.
Red teamers and penetration testers use MITRE ATT&CK to emulate real-world attacks and assess the effectiveness of an organization's security controls.
MITRE has specific ATT&CK matrices for Enterprise, Mobile, and Industrial Control Systems (ICS).
CompTIA
CompTIA is a cyber security training provider offering Pentest+, a vendor-neutral penetration testing certification. This certification includes a methodology for assessing, identifying, and testing vulnerabilities in systems and networks.
The methodology consists of five key objectives:
- Planning and Scoping: Gaining an understanding of the project scope, objectives, legal requirements, and rules of the pentest.
- Information Gathering and Vulnerability Scanning: Gathering information about the target network, systems, and applications.
- Attacks and Exploits: Performing network, wireless, application, and social engineering attacks.
- Reporting and Communication: Effectively communicating the findings of your pentest through a comprehensive report.
EC-Council
The International Council of E-Commerce Consultants (EC-Council) is another cyber security training provider offering a vendor-neutral penetration testing certification. They offer the Certified Ethical Hacker (CEH), which showcases a structured approach to performing a penetration test using eight key stages:
- Permission: Gaining proper authorization and legal permissions from a client to conduct your pentest.
- Recon: Gathering information about your target system or organization.
- Scanning and Enumeration: Actively scanning and enumerating your target's networks, systems, and applications for potential vulnerabilities.
- Gaining Access: Exploiting identified vulnerabilities to gain access to the target system.
- Escalation of Privileges: Gaining higher access or privileges on the target system.
- Maintaining Access: Using techniques to establish persistent access to the target system.
- Covering Tracks/Installing Backdoors: Removing evidence of your activities on the target system.
- Reporting: Documenting and reporting your findings to the client.
To determine whether CompTIA's Pentest+ or EC-Council's Certified Ethical Hacker is the best option, look at Pentest+ vs CEH: Which Certification Is Best for You?
The 8 Penetration Testing Steps
As you can see, these frameworks and methodologies have several components in common. These similarities can be divided into eight steps that you must perform when executing any type of penetration test. Let's look at these steps in detail.
Step 1: Planning and Preparation
The first step is the planning and preparation phase. This is where you work with your client to define the scope of the penetration test, the assessment's key objectives and goals, and a timescale for the testing, and to obtain the necessary legal permissions to perform the test.
You will usually discuss these prerequisites in your initial meeting with the client and finalize them by signing a legal contract. You must not skip this step. If you do not properly plan your pentest or fail to get the appropriate permissions, your pentest will not be successful.
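Scope defined in the planning step is only useful if every later step enforces it. The following added example (not code from the article) turns a hypothetical client's rules of engagement into a scope check that later phases can run over candidate targets before touching them; the CIDR ranges, domains, and exclusions are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rules of engagement for a hypothetical client (not from the article).
AUTHORIZED_CIDRS = ["10.10.0.0/16", "203.0.113.0/24"]
AUTHORIZED_DOMAINS = ["example.com"]            # covers subdomains too
EXCLUDED_IPS = ["10.10.5.20"]                   # e.g. a production database the client exempted
EXCLUDED_DOMAINS = ["payments.example.com"]     # third-party hosted, no permission to test


@dataclass
class Scope:
    cidrs: list
    domains: list
    excluded_ips: set
    excluded_domains: set

    @staticmethod
    def _matches_domain(host, domains):
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in domains)

    def is_authorized(self, target):
        """True only if target is inside the signed-off scope and not explicitly excluded."""
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            ip = None
        if ip is not None:
            if str(ip) in self.excluded_ips:
                return False
            return any(ip in net for net in self.cidrs)
        # Exclusions win over inclusions so an exempted subdomain never slips through.
        if self._matches_domain(target, self.excluded_domains):
            return False
        return self._matches_domain(target, self.domains)


def build_scope():
    return Scope(
        cidrs=[ipaddress.ip_network(c) for c in AUTHORIZED_CIDRS],
        domains=[d.lower() for d in AUTHORIZED_DOMAINS],
        excluded_ips=set(EXCLUDED_IPS),
        excluded_domains={d.lower() for d in EXCLUDED_DOMAINS},
    )


def filter_targets(scope, candidates):
    """Split a candidate list (e.g. hosts found during OSINT) into in-scope and out-of-scope."""
    allowed, rejected = [], []
    for target in candidates:
        (allowed if scope.is_authorized(target) else rejected).append(target)
    return allowed, rejected
```

Running the OSINT output from Step 2 through `filter_targets` before Step 3 is a cheap way to keep the engagement inside the signed contract.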
Step 2: Reconnaissance
In this step, you will gather information about the target organization using passive information gathering (passive reconnaissance) techniques. This involves collecting publicly available information about an organization and its systems. It avoids directly interacting with the target and triggering any detections.
This information is often called Open Source Intelligence (OSINT) and includes domain names, IP addresses, active hosts, technologies used, employee information, internal documents, and potential vulnerabilities. This information will give you insight into the best approach to attacking the target.
One powerful method for performing OSINT is Google Dorking. To learn how you can master this, read How to Google Dork a Specific Website for Hacking.
Penetration testing tools used during the Reconnaissance phase:
- Maltego: An OSINT tool that visually maps the relationships between gathered data and your targets.
- Recon-ng: A modular tool capable of gathering OSINT data from various sources using a collection of scripts.
- TheHarvester: A tool that can discover subdomains, email addresses, usernames, and other public information related to a target from OSINT data.
Step 3: Scanning and Enumeration
With a list of initial targets to attack, you can begin scanning these targets for vulnerabilities. This is known as active reconnaissance and involves directly interacting with the systems you are targeting by sending network packets designed to elicit a response from the target system.
You will first perform network scanning, where you scan the client's network to discover active hosts and extend your target list. Then you can begin enumerating these targets to determine what network ports are open and what services these machines are running. By discovering the services used, you can identify potential vulnerabilities or missing security controls that you can exploit.
Penetration testing tools used during the Scanning and Enumeration phase:
Step 4: Vulnerability Assessment
A list of active targets and the services running on them does not necessarily tell you if they are vulnerable to a specific exploit. To find out this information, you must perform a vulnerability assessment.
This involves using an automated vulnerability scanner that performs intense scans against a target system to identify known vulnerabilities based on how that system responds to the network packets it sends. The scanner will provide you with a list of known vulnerabilities, which you can prioritize testing based on the vulnerability's severity and potential impact.
It is important to be aware that a vulnerability scan is very noisy as it generates a lot of traffic on the client's network. This activity is likely to be detected by modern security solutions, and if your priority is to remain undetected, you should check for vulnerabilities manually.
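To show why scanning is "noisy", here is an added example (not from the article) of the kind of detection logic a blue team runs over firewall logs: a source that touches many distinct ports or many distinct hosts within a short window is flagged. The log format, hosts, and thresholds are constructed for illustration and do not correspond to any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-style firewall lines for a hypothetical network (not real product output).
# 10.10.4.9 probes 30 ports on one host, 10.10.9.3 probes port 445 on 12 hosts, 10.10.7.2 is normal.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} src=10.10.4.9 dst=10.10.1.5 dport={20 + i} proto=tcp action=deny"
     for i in range(30)]
    + [f"2024-05-01T10:01:{i:02d} src=10.10.9.3 dst=10.10.1.{i + 1} dport=445 proto=tcp action=deny"
       for i in range(12)]
    + [f"2024-05-01T10:02:{i * 10:02d} src=10.10.7.2 dst=10.10.1.8 dport=443 proto=tcp action=allow"
       for i in range(5)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped, not fatal."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_scanners(lines, window=timedelta(seconds=60), port_threshold=15, host_threshold=10):
    """Flag a source that hits many distinct ports (vertical scan) or many distinct hosts
    (horizontal scan) inside a sliding time window. Returns {src: counts at first trigger}."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide window forward
                start += 1
            win = evs[start:end + 1]
            ports = {(e["dst"], e["dport"]) for e in win}
            hosts = {e["dst"] for e in win}
            if len(ports) >= port_threshold or len(hosts) >= host_threshold:
                alerts[src] = {"distinct_ports": len(ports), "distinct_hosts": len(hosts)}
                break   # one alert per source is enough; stop at first trigger
    return alerts
```

A scanner of the kind listed below trips both thresholds within seconds, which is exactly what the paragraph above warns about.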
To find out what vulnerability scanner to use, take a look at The Best Vulnerability Scanners for Kali Linux.
Penetration testing tools used during the Vulnerability Assessment phase:
- Nessus: A vulnerability scanner that scans over 75,000 CVEs (Common Vulnerabilities and Exposures) using various configuration options and automatically produces a report.
- Metasploit: An all-in-one pentesting framework with modules for information gathering, recon, scanning, vulnerability assessment, exploitation, and post-exploitation.
- Greenbone Vulnerability Manager (formerly OpenVAS): An open-source Nessus fork that can scan individual hosts or entire networks.
Step 5: Exploitation
Once you have identified vulnerabilities or weak security controls, you can begin attempting to exploit them to gain initial access to the target systems. This could involve exploiting applications, network devices, operating systems, people, misconfigurations, or any other technology that is vulnerable to attack.
This is the stage that most people associate with hacking, as it's the one popularised by movies and TV shows. However, this stage would not be possible without the previous four stages. Information gathering and enumeration are the most vital to successfully performing this step.
Penetration testing tools used during the Exploitation phase:
- sqlmap: An open-source pentesting tool that automatically detects and exploits SQL injection vulnerabilities.
- John the Ripper: A password-cracking tool that lets you perform various password-based attacks to discover user credentials. You can learn to use John in this quick and easy guide.
- Burp Suite: The de facto web application pentesting toolkit for discovering and exploiting common vulnerabilities in web applications.
Step 6: Post-Exploitation
Once you have exploited a target system and gained initial access, you can begin performing your post-exploitation activities. These include: gathering additional information about the system and internal network, escalating your privileges to gain greater control of the compromised system, and setting up persistence mechanisms to maintain access.
These initial post-exploitation activities allow you to use the compromised machine as a pivot point to perform lateral movement from and compromise other systems on the internal network.
This stage ends when you collect evidence of achieving the goals of the penetration test, such as accessing a sensitive system or stealing certain information. At this point, you must clean up any files you left behind, change any configurations you altered, and remove any persistence mechanisms you installed. You need to return the systems you compromised to the state you found them in.
Penetration testing tools used during the Post-Exploitation phase:
- BloodHound: A tool that uses graph theory to reveal relationships in an Active Directory environment you can exploit once you have gained initial access.
- Responder: A tool that poisons LLMNR, NBT-NS, and mDNS name resolution to intercept credentials and password hashes. Used extensively in pass-the-hash attacks.
- Seatbelt: A C# tool that can be used to enumerate system vulnerabilities for privilege escalation attacks.
- Mimikatz: A notorious credential harvesting tool that can extract sensitive information from Windows machines, including password hashes and Kerberos tickets.
Step 7: Reporting
Once the technical stages of your penetration test are complete, you need to create a report that details any vulnerabilities you discovered, any successful exploits you performed, and all the potential security risks you uncovered during your testing.
It is also important to highlight the impact of the vulnerabilities you discovered and how the client can remediate or mitigate them going forward. The purpose of a pentest is to provide the client with actionable insights on how to better protect their IT infrastructure. To do this, you must provide clear, concise recommendations that enable the client to improve their security posture.
Penetration testing tools used during the Reporting phase:
Step 8: Remediation and Follow-Up
The final phase in a penetration test involves following up with the client. This is usually done through a debrief where the penetration tester will discuss the assessment outcome with the client and answer any questions or concerns.
This phase may also include collaborating with the client to develop a plan for remediating the vulnerabilities discovered or re-testing the client's systems to verify that the vulnerabilities have been effectively remediated.
Conclusion
Penetration tests involve performing a simulated cyber attack to identify vulnerabilities and weak security controls within a client's IT infrastructure. They provide clients with a comprehensive assessment of their cyber security posture and offer recommendations on improving it.
To do this, you must follow a methodology or framework when performing a penetration test, either one of the popular ones listed in this article or one you create. These tools provide step-by-step instructions on how to effectively test a client's system and produce actionable insights that the client can use.
You have seen the common steps that most penetration testing methodologies and frameworks have in common and the tools used by professional penetration testers at each step. If you are interested in learning the skills required to become a penetration tester, take a look at these training courses: