But before hiring penetration testers or starting a pentesting program, any organization should be aware of the phases and steps involved in the process. These tests are critical for obtaining an integrated view of a system, understanding how possible security breaches can occur, getting into the mindset of cyber criminals, and patching flaws.
Penetration testing can use different techniques, tools, and methods. For example, they might simulate an external attack, as in a black box pen test; an internal attack, or a white box pen test; or an external attack that has internal credentials, called a gray box pen test, which cyber criminals usually obtain through phishing. The different variables require all sides to be fully informed for a practical penetration test to be successful.
See the Best Penetration Testing Tools
What are the 7 Penetration Testing Phases?
Some organizations list five penetration phases while others list six or seven. Additionally, organizations may have different names for each phase, despite the processes of the phase being identical.
The discrepancy in the number of test phases is due to two stages that occur before the test and once it is concluded, which some organizations leave out. While they are not technical parts of the test, they have proven vital for security. This report includes all seven stages to give full visibility of the processes required for a penetration test.
The seven phases of penetration testing are:
- Reconnaissance or Open Source Intelligence (OSINT) Gathering
- Scanning or Discovery
- Vulnerability Assessment: Gaining Access
- Exploitation: Maintaining access
- Post-Exploitation, Reporting, and Risk Analysis
Pre-engagement is a phase often left out. However, it is fundamental for penetration testers and organizations to be on the same page. Built In explains that it is a bad idea to hire a penetration tester and let them run wild on your network. The pre-engagement phase is where the scope, logistics, rules of engagement, and timeline of the entire pen test are set with clear goals, targets, and objectives.
If there is no understanding of what needs to be tested and what type of tests are required, the results of a penetration test will be incomplete or even irrelevant. Pre-engagement is where the test is planned; therefore, no organization nor pentester should start without going through this first step.
Additionally, to thoroughly test the system, actions are required from pentesters that would be illegal without explicit consent or authorization. This is why organizations should also set clear rules of engagement in contracts with testers. Contracts, signed during pre-engagement, should also list critical assets, the main goals of the test, and other precautions.
2. Reconnaissance or open-source intelligence (OSINT) gathering
EC-Council Cybersecurity Exchange explains that reconnaissance is where testers gather as much information about the system as possible. But it’s not just about collecting random data. The goal is to gather data relevant to the tests that will be executed. This is why the first stage is critical. Planning the penetration test allows the tester to be more precise when determining what type of data they gather to plan an effective attack strategy.
Reconnaissance can be active, when the tester engages directly with the target system, or passive, where publicly available information is obtained. Usually, comprehensive testers use both methods.
Active data gathering might include networks, operating systems and applications, user accounts, domain names, and mail servers. At the same time, passive techniques or open-source intelligence may use social media, websites, tax information, and other public information.
Some tools used to gather network information include Censys or Shodan. Reconnaissance tools scan public-facing IP addresses and index their response headers, giving pentesters a complete idea of the external networks without having to run scans actively.
The OSINT Framework, used in penetration testing data gathering phases, reveals how vast resources of open-source information are available for this stage. Cipher explains that pentesters use an exhaustive checklist to find open entry points and vulnerabilities within the organization.
3. Scanning or discovery
In this phase, testers look for entry points. Ideally, they seek to identify as many open ports as possible. Several tools are used in this stage to identify the open ports and check network traffic.
The discovery phase consists of scanning and asset analysis using tools such as Nmap, which is a network scanner used to discover hosts and services on a computer network by sending packets and analyzing the responses. In this phase, the tester can gain information on available assets and information, such as operating systems, open ports, and running services.
If the tester runs a white box test, the organization may have already provided the list of IPs to target, assets, and other network information. However, if they are running gray or black box tests, they simulate an actual attack and work without this information. Therefore, this phase is critical when running gray and black box tests.
4. Vulnerability assessment: Gaining access
Using the data gathered during the previous phases, the tester will begin building a threat model and assess vulnerabilities. Targets are identified, and the tester maps the attack vectors.
Pentesters will map and identify areas and high-value assets, such as:
- Employee data
- Customer data
- Partners and supply chain data
- Technical data
- Internal and external threats from management
Penetration testers can use resources like the National Vulnerability Database (NVD), a repository of vulnerability management data that analyzes software vulnerabilities published in the Common Vulnerabilities and Exposures (CVE) database, EC-Council explains. While manual vulnerability scanning can be done, testers usually use tools like Tenable, Rapid7, Qualys, and Nmap.
Some security organizations refer to this stage as “gaining access.” Imperva explains that testers use web application attacks, such as cross-site scripting, SQL injection, and backdoors, to find vulnerabilities and exploit them by escalating privileges, stealing data, intercepting traffic, and other techniques.
5. Exploitation: Maintaining access
In this stage, testers prove whether the vulnerabilities identified can be exploited. Also known as maintaining access, exploitation is one of the most critical stages because the tester is attempting to breach and access the target system.
In this penetration testing phase, the tester attempts to access the target system and exploit the identified vulnerabilities, typically using a tool like Metasploit, which simulates real-world attacks. Penetration testers are responsible for an organization’s assets, and in this stage, they must ensure the system isn’t compromised or damaged due to their simulations.
Real cyberattacks can range from a couple of minutes to hours, so the vulnerabilities identified in the previous phases must be persistent for them to be exploitable by bad actors. Generally, testers will go after the root or administrator privileges of a device or system.
Metasploit is used due to its streamlined process capabilities for finding and executing publicly available exploits for vulnerabilities. Besides ensuring that vulnerabilities are stable, this phase also measures the consequences of the breach. For example, if the tester could encrypt or exfiltrate data or simulate zero-day attacks or ransomware hacks and to what extent.
What are the Next Steps After a Penetration Test?
The final stages of a penetration test are reporting and remediation. These phases reveal the next steps for an organization and pentesters as they wrap up the discovery of vulnerabilities and the consequences that arise from their exploitation of them. In these stages, the foundations to strengthen security posture are put forward and later implemented.
6. Post-exploitation, reporting, and risk analysis
While most organizations list this step as strictly a reporting stage, other post-exploitation components like clean-up activities need to be included in this stage of the penetration test.
Cipher explains that once the testing is complete and the reports and recommendations are presented, the tester needs to clean up the environment. This implies leaving the system exactly as they found it, reconfiguring access used to breach the IT environment, and restoring other modifications they might have made. Clean-up activities also pave the way to remediation and the final phase of penetration testing.
Typical cleanup activities:
- Removing any executables, scripts, and temporary files from compromised systems
- Reconfiguring settings back to the original parameters before the pentest
- Eliminating any rootkits installed in the environment
- Removing any user accounts created to connect to the compromised system
The report is considered the most critical document generated by the test. It is the final presentation to the organization which hired the pentester. With the report, organizations can take action, fix vulnerabilities, and strengthen their systems and staff if needed.
Reports need to be clear and transparent. Testers must document all phases, the assets targeted, the type of test and technique, and the vulnerabilities and ramifications discovered. Additionally, guides to fix or patch the vulnerabilities can be included.
Pentesting reports include:
- Specific vulnerabilities that were exploited
- Sensitive data that was accessed
- The amount of time the pen tester was able to remain in the system undetected
It is normal practice for an organization to request sanitized example reports from pentesters before they hire their services. This allows them to view the standards and details used by the vendor. Good penetration test reports have findings well-organized and prioritized by risk level.
Remediation is the final phase of a penetration test, and it falls within the organization’s responsibilities. Using the report and findings and the information they have from interacting with the pentester, especially if a white box pentest was done, organizations can begin to make changes to their systems to fix the vulnerabilities that have been revealed.
Remediation can be very challenging for organizations that do not have the resources. Therefore, reports that include guides for remediation are the most valued. After remediation, the phases will often restart to test updates or other systems or run different types of penetration testing.
Understanding the phases of penetration testing is vital for the industry to continue to build resilience in the face of increased cyberattacks. Cyber criminals use techniques to bypass automated and traditional cybersecurity solutions. Simulating real attacks with penetration tests is proving to be one of the most effective tools the security industry has today.
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.