Penetration testing is not an exact science, therefore having a well-defined methodology to optimize the results as required. Fortunately, many well-known organizations and researches labs have already created and published a lot of methodologies ready to use. However, each of those methodologies is made for a specific type of situation. Therefore, knowing what already exists and which one fits your needs is really important as a penetration tester. What are penetration testing methodologies?
Here are the best penetration test methodologies in the market:
Penetration testing methodologies are not very different from each other. However, in this blog post, I will explain some small differences between each one of them while recommending the best one for each penetration test situation. So if you are interested just keep reading.
Before we start digging deeper into the subject of methodologies you should understand the difference between a methodology, a framework, and a standard.
A methodology is basically a precise set of tools, and guidelines that you should follow to get to a goal. However, frameworks give much more general guidelines and recommendations for tools to get to the same objective, which gives more flexibility. Using a framework means that you need to tailor the specified practices to your environment.
Both methodologies and frameworks, do not oblige you to follow exactly what they have said. Contrarily to a standard that is well defined and requires a strict follow of all its instructions like ISO27001 for example.
When you first start learning penetration testing, the first certification you will hear about is the CEH. CEH is a certification made by the ec-council, and it is basically made for people who just started in the field and want to learn some technical skills.
Therefore, the CEH certification, give its student a basic methodology to follow when conducting penetration testing. This methodology is somehow simple to follow and based on the well-known frameworks and standards.
Here are the different steps of the CEH methodology:
Recon or reconnaissance is the first step in every penetration test methodology. Knowing the target is the most important step. The more information you get about the target the faster you will find weaknesses to penetrate the system.
The reconnaissance step can be performed in two ways:
To perform the reconnaissance, here is a list of useful tools:
Scanning is the next step just after the active recon. Basically, it is just an automated way to perform the active recon. In this step, the penetration tester starts to use tools to get better information about the target.
The scanning process can also include some vulnerabilities scanners to identify potential vulnerabilities without any exploitation. Usually, the scanning process will disturb the network, by sending a lot of requests per second. Therefore, it is recommended to perform this step in a time frame where the production network traffic is very low.
In this step, tools like the following can be used:
Once you get enough information about the target, you will need to start creating attack scenarios. The attack scenarios are based on the weaknesses identified in the target during the recon phase and the ability to exploit them. Therefore, the more information you get about the target the more scenarios you will create, and the easier you will penetrate the target.
Gaining access phase is the fruit of a very good reconnaissance
Here is a list of some tools that can be used during this phase:
Maintaining access to the system is a very important task once you successfully penetrate the tested system. This step is not required will performing a professional penetration test. However, in a real attack, a black hat hacker would attempt to perform such actions on the hacked machine to be able to reaccess the system even if you fix the vulnerability he exploited the first time.
In a professional penetration test, making a proof of concept, by for example creating a file in the root folder of the server, is more than enough to prove your access to the system.
Clearing tracks is also an important task that needs to be performed once the penetration test has ended. This process can be performed in two steps:
Unfortunately, some penetration tester forgets to remove those files and accounts created for the purpose of pentest, which leaves the system vulnerable to potential attacks.
The CEH penetration test methodology is not the standard or the best one in the market. I have started with it as it is the first one a new penetration test practitioner would see when he started in the market.
The Open Source Security Testing Methodology Manual (OSSTMM) is an open-source solution made by the Institute for Security and Open Methodologies (ISECOM). This manual has a lot of instructions on how to make a penetration test.
This manual also provides test cases that result in verified facts. These facts provide actionable information that can measurably improve your operational security.
The methodology described in the manual concern the 5 following security channels:
OSSTMM manual offers a more general methodology that can be applied to basically any type of situation.
OSSTMM methodology link
The OSSTMM can be divided in 4 phases:
The OSSTMM is a more generic methodology which as I said can be used in multiple situations. Therefore, in this methodology, the first steps (induction and interaction) are here to first determining the penetration test perimeter and the scope. The type of tests and the limitations are also discussed in this step.
Those two steps are very important to avoid losing time and to optimize the results. Every detail should be discussed with the client and well understood by the service provider.
In the inquest and the intervention phases, the penetration tester should start collecting freely available information about the target and start executing the tests.
Personally, I think that the way the OSSTMM methodology was made, makes it very complex for inexperienced penetration tester. However, mastering this methodology will give you a sort of Swiss knife to perform any type of penetration test.
The penetration testing execution standard (PTES) is a penetration test standard that defines the different steps and elements to test during a penetration test. This standard gives vague instructions on what needs to be tested without giving the details about the tools and the used techniques.
However, this standard comes with very detailed technical guidelines that describe those elements. The level of detail that these guidelines give is very impressive, and I highly recommend inexperienced penetration tester to take a look at it.
This methodology is divided into the following 7 steps:
The pre-engagement interaction step deals with scoping and defining the perimeter of the tests. This is as I said for the other methodologies a very important step in the penetration test, as it helps the service provider to focus on the right assets and for the client to better control the penetration test progress.
The PTES methodology gives a lot of details here that can be very useful for both the penetration tester and the client to correctly define his scope and the rules of engagement.
Once the scope is well defined, the next step is to perform intelligence gathering. This step is identical to the information gathering step in CEH. At this level, the penetration tester starts collecting both passively and actively, as much as possible information about the target.
Threat modeling which is the next step after the intelligence gathering came to identify the company assets while categorizing them into primary and secondary. The idea is to correlate those collected information to identify the potential risks and security threats.
Vulnerability analysis is the process of testing and checking if there is any vulnerability in the system. These vulnerabilities can affect both servers and applications. Once those vulnerabilities are successfully enumerated and listed in a file the exploitation phase start, to validate those vulnerabilities and create the Proof of concept.
Some vulnerabilities can only be found after exploiting other ones. Therefore, validating the possibility to exploit the discovered vulnerabilities in the Pre-engagement Interactions phase is required to get a better result.
Vulnerability analysis and exploitation phase are complementary and could not be separated. In some cases, you might start switching between them while find and testing the discovered vulnerabilities.
Post-exploitation is the step where you start maintaining access into the system by creating backdoors or performing a privilege escalation attack.
Usually, when performing a penetration test, backdoor creation is not a good practice, as it may create potential vulnerabilities in the client environment. The only thing we do is to create a proof of concepts and take screenshots.
Once all those steps are successfully made, the final step is the reporting. In this step, you will need to collect and organize all the information discovered about the target in a professional report. The report needs to include all the steps to successfully reproduce any discovered vulnerability. Those details will then be used by the developers to fix the reported issues.
For more information about the PTES methodology, you can take a look at their website
The Information Systems Security Assessment Framework (ISSAF) methodology is a little bit different than the others. This methodology is divided into three main phases:
The first phase is always the same for all the previous methodologies. The service provider needs to perform meetings with the client to identify the scope, to get the list of contacts that he can communicate with, and the rules of engagements.
In the assessment phase is where the technical penetration test actually starts. This phase is performed following the next steps:
As usual, a passive and active information gathering followed by a number of scans is performed on the target to collect as much information as possible including the network mapping. As I said the goal of the first two steps of this methodology, is basically to understand the target network and identify the assets.
Once you get enough information about the target, a vulnerability identification process starts. During this process, the penetration tester tries to perform both manual and automated vulnerability scans to identify potential security gaps.
In the penetration step, the service provider tries to test the discovered vulnerabilities in the system by finding public exploits or by creating his own ones. Once the exploit is correctly working and tested in a separate environment the penetration tester use it to gain the first access to the system.
The ISSAF methodology makes a separation between the process of penetration and gaining access. However, both things have the same objective which is having first access to the system.
Once you get the first access, the next step is to perform a privilege escalation to gain more authority on the compromised system.
Usually, the compromised machines are somehow connected to each other. Therefore, making more enumeration on the server and the network to which you have a compromised machine is required to better understand the impact of the exploited vulnerability.
This enumeration usually gives more information to the penetration tester on how he can compromise remote machines connected to the compromised machine, which is the next step after the enumeration. This process is also known as network pivoting.
The ISSAF methodology put the maintaining access step after the pivoting process. However, as an expert penetration tester, maintaining access need to be put just after the first access is gained or at least once the service provider gets full privileges on the machine.
Once everything is done, a tracks cleaning process needs to be launched to remove any created accounts or backdoors and to remove any logs on the server.
At the end of the penetration test methodology the pentester should provide a professional and detailed report containing the following elements:
For more information about this methodology, you can take a look into their BOOK
The NIST standard methodology is also divided into three main steps, which are:
The standard gives more generic details about each of those steps in a separate section. However, the main idea remains the same. The planning step means the moment where the scope and the rules of engagement are defined and discussed.
Next, the execution step, where finding the vulnerabilities and testing them using published exploits or a newly created exploit is performed.
Once everything is done, a post-execution process is launched, to collect and organize the findings to produce a professional report.
For more information about this methodology, you can check their PDF and focus on sections 6,7 and 8
The OWASP proposed methodology is a very different one. This is due to the type of tests this methodology was made for. OWASP is an open-source project made to make web applications more secure. Therefore, the methodology developed by the OWASP team is developed for web application penetration test.
The OWASP methodology is based on testing 11 aspects that can make any web application vulnerable. It is more like a testing guide than a methodology.
Here is the list of the 11 aspects that need to be tested in a web application:
Of course, even the OWASP methodology requires an information gathering step before starting to test the 11 aspects.
The SANS methodology is very similar to the PTES methodology and it is composed of 6 steps:
Those steps means the same as those presented in the previous penetration test methodologies.
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE which are the most recognized and hard technical certifications in the industry of cybersecurity. I am also a Certifed Ethical hacker (CEH). I hope you enjoy my articles :).
After years of experience in penetration testing, I can say that one of the best things that can happen during a penetration test is to find a security misconfiguration. Unfortunately, ...
Undoubtedly, ChatGPT stands out as one of the most remarkable inventions of 2021. Its wide-ranging capabilities and applications have opened up endless possibilities for human interaction and problem-solving. Furthermore, certain [...]
Post comments (0)