Course taster

The five steps of pen testing


Planning is the first and most important step in ethical hacking. The process of planning will direct the pen tester during the latter part of the testing; if they have successfully planned their mission, it is highly likely that they will successfully reach their goal. A pen tester should establish specifically defined goals, which should be aligned with the business’s objectives. The purpose of the testing exercise should be clearly discussed with the organisation’s management, and performance criteria should be used to achieve the maximum results from the process.

A clearly defined schedule must be created with start and end dates, as well as the time and tools to be used in each step.

An example of a defined ethical hacking plan can be found on the FedRAMP website.

Reconnaissance is split into two types: active and passive reconnaissance. During this step, the target (this could be an employee in the business or someone who has access to the system resources) is not aware that specific information is being collected about them or their organisation and the installed infrastructure. Upon the successful completion of this step, the hacker will have a list of IP addresses that can be used to define the target and information about the employees, the company location, the number of employees and the employees’ locations, in addition to potential targets for social engineering.

The techniques that can be used during active and passive data collection include using internet sources to collect publicly available information, social engineering of non-technical employees, looking for confidential information in disposed-of materials, and observing the behaviour of employees and systems when probed (Grimes, 2017; Krutz and Vines, 2008).

The scanning step relies heavily on the information collected from the reconnaissance step. The main aim of scanning is to examine network parameters, externally accessible resources and internal network devices, locating their vulnerabilities and misconfigurations. This technical step requires the use of technical tools to collect additional information about the identified targets, such as a port scanner that probes for open ports at varying rates over a changing timespan. Other tools include vulnerability scanners and network mappers (Grimes, 2017; Krutz and Vines, 2008).
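From the defender's side, the scanning step is one of the noisiest parts of an engagement, because a single source touching many distinct ports in a short window looks nothing like normal traffic. The following script, added here as an illustration and not taken from the course or the cited books, runs a simple sliding-window detector over constructed firewall log lines; the log format (`src=... dst=... dport=... action=...`), the addresses and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (not a real product's syntax):
# <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one firewall log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, window=timedelta(seconds=60), min_ports=15):
    """Return {source_ip: max distinct destination ports seen in any `window`}
    for every source that touched at least `min_ports` distinct ports
    within a single window. Thresholds are assumed values for the example."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["dport"] for e in evs[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def build_sample_log():
    """Constructed sample: one source sweeping 40 ports in 40 seconds (scan-like),
    one source repeatedly hitting 443 (normal), plus a malformed line."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(40):  # 203.0.113.5 is a documentation-range address, used as the scanner
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} src=203.0.113.5 dst=192.0.2.10 dport={i + 1} proto=tcp action=deny")
    for i in range(5):   # 198.51.100.7 behaves like an ordinary HTTPS client
        ts = (base + timedelta(seconds=3 * i)).strftime(fmt)
        lines.append(f"{ts} src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp action=allow")
    lines.append("this line is garbage and must be skipped by the parser")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports in one window")
```

A slow scan that spreads probes over hours deliberately stays under a window like this, which is why the text's point about scanning "over a changing timespan" matters to defenders: the window and threshold have to be tuned per environment, and a longer aggregation (per day, per source) should run alongside the short one.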

In this step, the pen tester will usually examine the discovered open ports, services and IP addresses and implement vulnerability evaluation. This will lead to the tester taking control of one or more network devices and probing their system configurations, with the sole purpose of accessing user information.

Compromised internal devices can be configured to launch attacks internally to avoid detection by an outside firewall. The techniques used in this step include testing discovered usernames/passwords, exploiting a known vulnerability, identifying any configurations on the network that can be exploited to gain access, distributing malware via email or leaving compromised USB devices on premises (Grimes, 2017; Krutz and Vines, 2008).

Once access to the infrastructure has been achieved, it is critical for the pen tester to embed backdoors to maintain their access for as long as possible so that they can collect information about the system, its functionality and its behaviour, as well as identify critical internal nodes. To maintain access for a long period of time, all backdoors and activities must be hidden. Some of the techniques used in this step include escalating privileges, installing backdoors or remote-access Trojans, and using compromised accounts to create new credentials (Grimes, 2017; Krutz and Vines, 2008).

In the final step of pen testing, the steps taken must be hidden and footprints must be erased to avoid detection. A pen tester will aim to make the system appear as it did before the testing process to avoid detection by a network administrator. The steps taken to cover tracks can include removing logs, using steganography and installing custom-built rootkits. If the organisation hosts a web application firewall, the pen tester will look at the vulnerabilities contained within it and target them independently, installing a hidden rootkit if they are successful in their attack (Grimes, 2017; Krutz and Vines, 2008).
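Removing logs, as described in the covering-tracks step, leaves evidence of its own: on Linux, every `auditd` record carries a `msg=audit(<epoch>:<serial>)` stamp and serials increase monotonically, so deleted records show up as holes in the sequence. The script below is an added example, not part of the course material; the audit log lines it checks are constructed for the example, though the `msg=audit(...)` stamp itself is the real auditd format.

```python
import re

# Real auditd stamp: msg=audit(<unix epoch with ms>:<serial>). Records that belong
# to the same event (e.g. SYSCALL + EXECVE) legitimately share one serial.
AUDIT_RE = re.compile(r"msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\)")


def parse_audit_stamp(line):
    """Return (epoch, serial) from an auditd record, or None if no stamp is present."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return float(m.group("epoch")), int(m.group("serial"))


def find_audit_gaps(lines):
    """Scan audit records in file order and report signs of tampering:
    - missing serials (records removed from the middle of the log)
    - a serial lower than the previous one (records reordered or spliced in)
    - a timestamp earlier than the previous one (clock rolled back or forged)
    Returns a list of (kind, a, b) findings."""
    findings = []
    prev = None
    for line in lines:
        stamp = parse_audit_stamp(line)
        if stamp is None:
            continue
        epoch, serial = stamp
        if prev is not None:
            prev_epoch, prev_serial = prev
            if serial > prev_serial + 1:
                findings.append(("missing_serials", prev_serial + 1, serial - 1))
            elif serial < prev_serial:
                findings.append(("serial_not_increasing", prev_serial, serial))
            if epoch < prev_epoch:
                findings.append(("time_went_backwards", prev_epoch, epoch))
        prev = (epoch, serial)
    return findings


# Constructed sample log: serials 1003-1009 have been removed.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:1001): arch=c000003e syscall=59 success=yes exit=0 comm="ls"',
    'type=EXECVE msg=audit(1700000000.101:1001): argc=2 a0="ls" a1="-l"',
    'type=SYSCALL msg=audit(1700000001.500:1002): arch=c000003e syscall=257 success=yes exit=3 comm="cat"',
    'type=SYSCALL msg=audit(1700000009.000:1010): arch=c000003e syscall=59 success=yes exit=0 comm="bash"',
    'type=SYSCALL msg=audit(1700000010.000:1011): arch=c000003e syscall=59 success=yes exit=0 comm="id"',
]

if __name__ == "__main__":
    for kind, a, b in find_audit_gaps(SAMPLE_AUDIT):
        print(f"{kind}: {a} -> {b}")
```

The mitigation the check points at is the same one the text implies: an attacker who can edit the local log can also remove the holes, so the serial check is only trustworthy when the records were forwarded to a separate log host as they were written and the comparison runs there.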