Penetration Testing Steps
Introduction to the process
NOTICE: All the tutorials on this website are meant to help you find security vulnerabilities on your own network and devices, so that you understand your security posture before black hats do.
Penetration testing without written consent is illegal and you can be prosecuted. Use these tutorials to secure your own networks or those whose owners have granted you permission. Keep it ethical and keep it professional.
Conducting an ethical penetration test involves simulating cyberattacks on a system, network, or application to identify vulnerabilities and weaknesses. It's important to follow a structured approach to ensure a comprehensive assessment. This section shows the steps and lists some of the common tools that are used in penetration testing.
Planning
- The purpose of planning is to agree goals and objectives and a clear idea of what has to be tested and to what extent: a specific web application, a specific system on a network, or the whole network. This scope, together with the rules of engagement (testing windows, systems that are off limits, whether disruptive techniques are allowed, who to call if something breaks), needs to be written down. In addition, written formal consent from the owner is needed before you start any testing, or you can end up in legal trouble.
Reconnaissance
- Once we know what we are testing, we gather as much information as possible about the target. Much of this can be done passively, from public sources, without sending a single packet to the target. Depending on what you are testing, you might want to gather the following:
- email addresses
- IP addresses
- Network Infrastructure
- sub domains
- Technology Stack
- Employee information
- Social Media Activity
- Geolocation
There are a number of tools that can be used for this, including the following:
Free Reconnaissance Tools for Penetration Testers and Ethical Hackers
- theHarvester - theHarvester is an information-gathering tool designed for penetration testing and reconnaissance. It searches public sources for email addresses, subdomains, hosts and open ports. Runs on Linux and macOS.
- Sublist3r - Sublist3r is a subdomain enumeration tool that discovers subdomains using search engines, DNS services and web scraping. Runs on Linux and Windows.
- Maltego - Maltego is an open-source intelligence (OSINT) and link-analysis tool. It visualises relationships between entities (domains, people, email addresses, infrastructure) to show how the target is connected. The core product is commercial; a free Community Edition is available for non-commercial use. Runs on Windows, Linux and macOS.
- Nmap - Nmap is a powerful network scanning tool used for host discovery, port scanning, version detection and OS fingerprinting. It helps map the network topology and identify live hosts and services. Runs on Linux, Windows and macOS.
- Recon-ng - Recon-ng is a modular web reconnaissance framework with modules for gathering information from DNS, WHOIS, search engines and other sources. Runs on Linux.
- Shodan - Shodan is a search engine for internet-connected devices. Rather than scanning the target yourself, you query Shodan's existing scan data for a host's open ports, service banners and exposures, so this part of reconnaissance leaves no trace on the target.
- SpiderFoot - SpiderFoot is an open-source OSINT automation tool that collects information from many public sources, including social media, DNS, WHOIS and more. Runs on Linux, Windows and macOS.
- Metagoofil - Metagoofil extracts metadata (author names, usernames, software versions, internal paths) from public documents such as PDFs, DOCs, XLSs and PPTs. This helps in learning about the target's people and infrastructure. Runs on Linux.
- WhatWeb - WhatWeb is a web application fingerprinting tool that identifies the technologies used on a website. Knowing the target's technology stack and versions is what lets you look for the vulnerabilities that apply to it. Runs on Linux and macOS.
- Censys - Censys is an internet-wide scanning service with a searchable database of hosts, services and certificates. Like Shodan, it is queried rather than run against the target and can help identify devices, services and exposures.
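The scope agreed in the planning step is what keeps reconnaissance legal, and the raw output of the tools above needs merging and filtering before it is used. As an added example (not code from any of the tools listed), the following Python script normalises constructed subdomain, email and IP lists and keeps only entries inside an assumed scope of example.test and 10.0.0.0/24. The input formats assumed are one hostname per line (as Sublist3r's -o output) and one email or IP per line. Note the boundary check in in_scope_domain: a plain suffix match would accept notexample.test as in scope.

```python
"""Merge recon output from several tools and keep only in-scope results.

Added example for this tutorial, not code from theHarvester or Sublist3r.
The input lines are constructed; the formats assumed are one hostname per
line (as Sublist3r -o writes), one email per line and one IP per line.
"""
import ipaddress

# Scope agreed in writing at the planning step (assumed values).
SCOPE_DOMAINS = {"example.test"}
SCOPE_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed tool output, including the usual noise: mixed case,
# duplicates, a trailing root dot, a look-alike domain and out-of-scope hosts.
SUBDOMAIN_OUTPUT = """
www.example.test
Mail.Example.Test
www.example.test
vpn.example.test.
example.test.attacker-site.net
notexample.test
shop.example.test
"""
EMAIL_OUTPUT = """
alice@example.test
bob@partner.test
Carol@Example.Test
"""
IP_OUTPUT = """
10.0.0.5
10.0.0.250
10.0.1.3
192.0.2.7
"""


def normalise_host(name):
    """Lower-case, strip whitespace and a trailing DNS root dot."""
    return name.strip().lower().rstrip(".")


def in_scope_domain(host, scope=SCOPE_DOMAINS):
    """True if host is a scope domain or a proper subdomain of one.

    Matching on a leading '.' boundary is what rejects notexample.test
    and example.test.attacker-site.net, which endswith('example.test')
    alone would not.
    """
    host = normalise_host(host)
    return any(host == d or host.endswith("." + d) for d in scope)


def in_scope_ip(addr, networks=SCOPE_NETWORKS):
    """True if addr parses as an IP address inside one of the scope networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def collect_targets(subdomains, emails, ips):
    """Return sorted, deduplicated, in-scope hosts, emails and IPs,
    plus the hosts that were dropped so the tester can review them."""
    hosts = {normalise_host(l) for l in subdomains.splitlines() if l.strip()}
    mails = {l.strip().lower() for l in emails.splitlines() if l.strip()}
    addrs = {l.strip() for l in ips.splitlines() if l.strip()}
    return {
        "hosts": sorted(h for h in hosts if in_scope_domain(h)),
        "emails": sorted(m for m in mails if in_scope_domain(m.rsplit("@", 1)[-1])),
        "ips": sorted((a for a in addrs if in_scope_ip(a)), key=ipaddress.ip_address),
        "out_of_scope": sorted(h for h in hosts if not in_scope_domain(h)),
    }


if __name__ == "__main__":
    for key, values in collect_targets(SUBDOMAIN_OUTPUT, EMAIL_OUTPUT, IP_OUTPUT).items():
        print(key, values)
```

Everything in out_of_scope is worth a second look: a look-alike domain such as example.test.attacker-site.net may be a phishing site impersonating the client, which is a finding in its own right even though you must not test it.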
Scanning
- With the scope known, we scan the network to learn what is on it. Tools such as Nmap let the penetration tester find the following:
- Live hosts in the network
- Open ports on individual systems
- Network Services running
- Operating Systems of the devices
These are some of the most common free network scanning tools:
Free Network and System Scanning Tools for Penetration Testers and Ethical Hackers
- Nmap (Zenmap is the GUI front end) - Perhaps the most common. Finds live hosts, open ports, network services and their versions, and operating systems. Runs on Linux, Windows and macOS.
- Masscan - A very fast port scanner meant to sweep large networks quickly. It trades detail for speed, so feed the open ports it finds into Nmap for service and version detection.
- Amap (Application Mapper) - Used to fingerprint the service running on a given port. It sends application-layer triggers and maps the responses to known protocols, which catches services running on non-standard ports.
- Legion - A Python-based GUI application that combines tools such as Nmap and Nikto to streamline scanning and enumeration.
- Netcat - A versatile network utility that can, among many other things, do simple port scans. It has a role in later stages of the test too, so it does not try to compete with dedicated scanners on scanning features.
- hping3 - A command-line packet crafter and network scanner used for security audits. It builds custom TCP, UDP and ICMP packets and supports several scanning techniques, which also makes it useful for testing firewall rules.
- Nikto - Scans web servers for vulnerabilities in the web applications they host. It looks for outdated software versions, misconfigurations and common issues that can be exploited. It is noisy: it sends thousands of requests and is easily spotted by intrusion detection.
Vulnerability Analysis
- Sometimes you can go straight to the exploitation phase using the results from scanning: if Nmap reports a service version with a well-known vulnerability, you can move on to exploiting it. Here we assume that is not the case, so we carry out a separate step to find vulnerabilities in the systems. Tools such as OpenVAS (the scanner at the core of the Greenbone Community Edition) let the penetration tester identify vulnerabilities in the target system, both in the operating system and in the network services it exposes. Treat scanner output as candidates rather than findings: verify each result by hand, because version-based checks produce false positives (for example, distribution packages that backport fixes without changing the version string).
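The scanning step above produces the host, port, service and OS information, and this step decides which of it is already exploitable and which needs a vulnerability scanner. As an added example serving both steps (not code from Nmap, OpenVAS or any other tool on this page), the following Python script parses a constructed Nmap XML report (the real -oX layout, as produced by nmap -sV -O -oX scan.xml) into an inventory of live hosts and open ports, then matches service banners against a small constructed stand-in for a vulnerability feed. The two entries in that table are real advisories; the scan data and the table itself are assumptions made for the example. Unversioned services cannot be judged from the banner and are queued for the vulnerability scanner instead.

```python
"""Turn an Nmap XML report into a host/service inventory and triage it
against a list of known-vulnerable service versions.

Added example for this tutorial; not part of Nmap or any scanner.
SAMPLE_NMAP_XML is a constructed sample in the real Nmap -oX layout,
not real scan data. KNOWN_VULNERABLE is a constructed stand-in for the
feed a scanner such as OpenVAS carries (its two entries are real CVEs).
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/29">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
 <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
 <ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.49"/></port>
  <port protocol="tcp" portid="23"><state state="closed"/></port>
 </ports>
 <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
</host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
 <ports>
  <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
  <port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
 </ports>
</host>
<host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>
"""

# (product, version) -> advisory. Constructed table; both entries are real.
KNOWN_VULNERABLE = {
    ("Apache httpd", "2.4.49"): "CVE-2021-41773 path traversal / RCE",
    ("vsftpd", "2.3.4"): "CVE-2011-2523 backdoor command execution",
}


def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, hostname, OS guess, open ports."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts Nmap reported as down are not targets
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to assess
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
            })
        hosts.append({
            "addr": addr.get("addr"),
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "ports": ports,
        })
    return hosts


def triage(hosts, known_vulnerable=KNOWN_VULNERABLE):
    """Split open services into an exploitation queue and a scan queue.

    An exact product+version match on a known-vulnerable entry can go
    straight to exploitation (after manual confirmation of the banner).
    Everything else, including services with no version at all, goes to
    the vulnerability scanner.
    """
    exploit_queue, scan_queue = [], []
    for h in hosts:
        for p in h["ports"]:
            target = f"{h['addr']}:{p['port']}/{p['proto']}"
            advisory = known_vulnerable.get((p["product"], p["version"]))
            if advisory:
                exploit_queue.append((target, p["product"], p["version"], advisory))
            else:
                scan_queue.append(target)
    return exploit_queue, scan_queue


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        print(f"{h['addr']} ({h['hostname'] or '-'}) os={h['os']}")
        for p in h["ports"]:
            print(f"  {p['port']}/{p['proto']} {p['service']} {p['product']} {p['version']}".rstrip())
    exploitable, to_scan = triage(inventory)
    print("exploit queue:", exploitable)
    print("needs vuln scan:", to_scan)
```

The same parser works on a real nmap -oX file read from disk; the version match is deliberately exact, because a looser "2.4.x" style match is precisely the kind of guess that a vulnerability scanner, or manual verification, should make instead.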
Some free vulnerability scanners include the following:
Free Vulnerability Assessment (Scanning) Tools for Penetration Testers and Ethical Hackers
- OpenVAS (Greenbone Community Edition) - A completely open source vulnerability scanner that runs a comprehensive set of vulnerability tests. Greenbone Security Assistant is its web-based interface for configuring and running scans.
- OWASP ZAP (Zed Attack Proxy) - Meant for web applications. It finds security vulnerabilities using automated scanners and also supports manual testing through its intercepting proxy.
- Security Onion - A Linux distribution for intrusion detection, network security monitoring and log management, built around tools such as Snort, Suricata and Zeek. Strictly it is a monitoring platform rather than a vulnerability scanner: Snort and Suricata detect attack traffic, including the scans from the previous step, rather than finding vulnerabilities.
- Nessus Essentials (formerly Nessus Home) - Nessus is a commercial tool, but Nessus Essentials is a free version for non-commercial use, limited to 16 IP addresses. It scans networks for vulnerabilities and produces reports.
- Lynis - Completely open source, used for auditing Linux and other Unix-like systems: hardening checks, compliance testing and vulnerability detection. It runs locally on the host being audited rather than over the network.
- Nikto - Scans web servers for misconfigurations, outdated software and other common issues in the web applications they host.
- Vuls - An open source vulnerability scanner for Linux that checks operating system packages, libraries and middleware against vulnerability databases.
- Lighthouse - Google's open source page auditing tool. It audits a single web page for performance, accessibility and best-practice issues and produces a scored report with recommendations, but it is not a network vulnerability scanner and should not be relied on for security testing.
- W3af (Web Application Attack and Audit Framework) - An open source tool to find and exploit vulnerabilities in web applications by running automated and manual tests.
Exploitation
- Once vulnerabilities are found, the penetration tester exploits them: running code that uses the vulnerability to do something on the system. Different exploits do different things, such as giving remote access to the system, escalating privileges or changing content on the target. This is the stage where a test can damage the target, so stay within the agreed scope and rules of engagement, prefer the least disruptive exploit that proves the point, and record what you ran so that it can be cleaned up afterwards. Perhaps the most popular tool for this is the Metasploit Framework, included in Kali Linux, but there are many others. Here are some free ones to get you started:
Free Exploitation Tools for Penetration Testers and Ethical Hackers
- Metasploit - Perhaps the most common framework for testing, developing and executing exploits against a target system. Found in Kali Linux.
- SQLMap - If your target is a web application, this automates finding and exploiting SQL injection vulnerabilities, from detection through to database enumeration and data extraction. Python based, so it runs on Windows, Linux and macOS.
- BeEF(Browser Exploitation Framework) - For client-side attacks, this can be used to target vulnerabilities in web browsers making it possible to take control of user sessions.
- OWASP ZAP (Zed Attack Proxy) - Primarily a web application scanner, but its intercepting proxy, request editor and fuzzer are what you use to confirm findings such as cross-site scripting (XSS) and SQL injection by hand. It is not an exploit framework in the Metasploit sense.
- Armitage - Armitage is a graphical user interface for Metasploit that simplifies the process of exploiting systems. It provides features for managing targets, executing exploits and visualising the attack surface. If you want my advice, just learn the command-line version of Metasploit; it will serve you for many years, even if the learning curve is slightly steeper.
- Commix - Commix is an open-source automated tool for detecting and exploiting command injection vulnerabilities in web applications. It supports a variety of injection techniques.
- RouterSploit - RouterSploit is an open-source exploitation framework dedicated to embedded devices such as routers. It provides modules to identify and exploit vulnerabilities in various routers.
Reporting
- Lastly, as a penetration tester you need to report all of your findings to the organisation. Different organisations have different reporting structures, so it is worth looking at some, but a useful report always contains an executive summary, the scope and rules of engagement, each finding with its severity, affected hosts, evidence and steps to reproduce, and concrete remediation advice. The report is the only deliverable the client keeps, so a finding without evidence or a remediation is not finished.