HTB CPTS: Penetration testing process


Penetration testing is not only “cool hacking” actions and stunning results. It’s a process which has many stages.

Penetration testing process

  • There’s no step-by-step process in pentesting. There are stages.

  • Each stage builds on the previous one.

Stages of the Penetration Testing:

  1. Pre-engagement

    1. It’s a stage for educating the client and adjusting the contract

      1. NDA, Goals, Scope, Time estimation, Rules of Engagement
  2. Information gathering

    1. We obtain information about the necessary components in various ways.

    2. Looking for potential security gaps

  3. Vulnerability Assessment

    1. We analyze results from our Information Gathering stage

    2. We look for known vulnerabilities in the systems

  4. Exploitation

    1. We use the results to test our attacks against the potential vectors.

    2. We try to gain initial access to the systems.

  5. Post-Exploitation

    1. At this stage we have access to the exploited machine.

    2. We may try to escalate our privileges to obtain the highest possible rights.

    3. We may hunt for sensitive data. For example credentials or other data.

  6. Lateral Movement

    1. It describes movement within the internal network of our target company.
  7. Proof-of-Concept

    1. In this stage we document the steps we took to achieve network compromise.

    2. It is important to document our findings well, because the company can then fix those gaps and see the importance of every vulnerability fix.

    3. We prove that the vulnerabilities exist.

  8. Post-engagement

    1. Detailed documentation is prepared now.

    2. We clean up all traces of our actions on all hosts and servers.

    3. We create the deliverables for our client.

    4. Report walkthrough meeting is set up.

In the next article we’ll look at each of the stages in detail.
