Before jumping into the basic resources that a pentester should be familiar with, we first need to have an overview of what Penetration Testing actually is. As most online resources will mention, pentesting is an exercise where security experts try to identify and exploit vulnerabilities in different systems. As this is a methodical process rather than just a bunch of tools, the following phases best describe the approach in such an engagement:
- Reconnaissance
- Scanning
- Vulnerability Assessment
- Exploitation
- Reporting
As there are extensive definitions and explanations on what each phase consists of, we are only going to focus on what we, TwelveSec consultants, usually use when dealing with such engagements.
Phase 1: Reconnaissance
This phase usually implies gathering OSINT data from multiple open-source and paid tools. Even though there are tons of such tools, the ones we mostly use are:
- SpiderFoot HX -> for internet data crawling and asset mapping
- Intelligence X -> to find potential sensitive information leaks (previous breaches)
- Shodan -> discovers assets and maps them to the technologies they run
- Censys -> Shodan alternative that can help map certificate names to real server IPs
- Recon-ng -> framework that performs a number of searches for a provided domain or IP and reports the data in a formatted manner
Besides automated tools, we also use classic search engines (Google, DuckDuckGo, Bing) as well as social media platforms (LinkedIn, Facebook, Twitter) to gather potential names, emails, phone numbers and other personal data to be used later on during the engagement. Worth noting is that Penetration Testing is a term used widely for a lot of types of engagements, and the type of engagement determines whether the OSINT process takes place at all.
An important aspect to remember is that reconnaissance is the result of passive scanning and thus not an intrusive action.
Phase 2: Scanning
At this point we should already know the exact target and can launch several active scanning tools to identify potential vulnerabilities. Depending on the type of system we are assessing, we would use different tools as follows:
- Web Application -> BurpSuite, nikto, feroxbuster
- Mobile Application -> MobSF, JD-GUI, IDA
- Infrastructure Systems -> nmap, Nessus, rEngine
Phase 3: Vulnerability Assessment
This step usually refers to the triage process where consultants look at the data gathered from passive and active scanning and combine it into actual vulnerabilities. At this point in the process, issues discovered by automated scanners are manually reviewed to cross out possible false positives and narrow the number of intrusive exploits that will be used later on.
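As an added example (not TwelveSec's own tooling and not code from the original post), the following Python script shows one way to carry the scanning output of Phase 2 into the triage of Phase 3: it reads nmap's XML output (the `-oX` format) together with a CSV export of scanner findings, keeps only the findings that land on a port nmap actually saw open, sets the rest aside for manual verification, and orders the confirmed findings by reported risk so the reviewer starts with the most serious. Both inputs are constructed samples, and the CSV column names (Host, Port, Risk, Name) are an assumption about the scanner's export format.

```python
"""Triage helper: merge nmap service discovery with vulnerability-scanner findings.

Added example, not TwelveSec's tooling. It assumes nmap -oX XML and a CSV
export of findings; the CSV column names are an assumption.
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of nmap -oX output, trimmed to the elements used below.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed sample of a scanner CSV export (column names are assumed).
FINDINGS_CSV = """Host,Port,Risk,Name
10.0.0.5,80,High,Outdated web server version
10.0.0.5,80,Medium,Missing security headers
10.0.0.5,8080,High,Exposed management console
10.0.0.5,22,Info,SSH service detected
"""

# Order used to sort the manual review queue (assumed scanner risk labels).
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}


def parse_nmap(xml_text):
    """Return {(host, port): service label} for open ports only."""
    services = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports cannot host a confirmed finding
            svc = port.find("service")
            parts = (svc.get("name"), svc.get("product"), svc.get("version")) if svc is not None else ()
            label = " ".join(p for p in parts if p) or "unknown"
            services[(addr, int(port.get("portid")))] = label
    return services


def parse_findings(csv_text):
    """Return scanner findings as a list of dicts with typed port numbers."""
    return [
        {"host": r["Host"], "port": int(r["Port"]), "risk": r["Risk"], "name": r["Name"]}
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def triage(services, findings):
    """Split findings into those on ports nmap confirmed open and those needing manual checks."""
    grouped = defaultdict(list)
    unconfirmed = []
    for f in findings:
        if f["risk"] == "Info":
            continue  # informational entries are not vulnerabilities to verify
        key = (f["host"], f["port"])
        if key in services:
            grouped[key].append(f)
        else:
            # Scanner reported a port nmap did not see open: likely false positive
            # or a transient service; flag it for manual verification.
            unconfirmed.append(f)
    return grouped, unconfirmed


def review_queue(services, grouped):
    """Flatten confirmed findings into a list ordered by risk, then host and port."""
    queue = [{**f, "service": services[key]} for key, items in grouped.items() for f in items]
    queue.sort(key=lambda f: (RISK_ORDER.get(f["risk"], 99), f["host"], f["port"], f["name"]))
    return queue


if __name__ == "__main__":
    svcs = parse_nmap(NMAP_XML)
    confirmed, needs_check = triage(svcs, parse_findings(FINDINGS_CSV))
    for item in review_queue(svcs, confirmed):
        print(f"[{item['risk']}] {item['host']}:{item['port']} ({item['service']}) - {item['name']}")
    for item in needs_check:
        print(f"[VERIFY] {item['host']}:{item['port']} - {item['name']} (port not open in nmap)")
```

The split between "confirmed" and "verify" is the point: a scanner finding on a port that the active scan never saw open is exactly the kind of entry that gets crossed out as a false positive or re-checked by hand before any exploitation is attempted.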
Phase 4: Exploitation
This is where the actual “magic” happens and consists of the usage of “offensive”/“hacking” tools. Once a potential vulnerability is spotted, our security experts will use a variety of tools to confirm and fully exploit the issue to prove its risk.
Similar to the scanning phase, depending on the systems in scope, we would use different tools to exploit vulnerabilities:
- Web Applications -> sqlmap, commix, open-source exploits from exploit-db.com
- Mobile Applications -> Frida
- Infrastructure Systems -> Metasploit, routersploit, aircrack
Phase 5: Reporting
This is where every piece of evidence gathered throughout the engagement is converted into a report that is delivered to the client and that focuses on key aspects such as business risk, likelihood and impact. Even though the final form of a report is usually a PDF document, we use extensive tools during the engagement to document findings as well as store observations and checklists such as:
After reading this post, one should have a basic understanding of how security experts look at a penetration testing engagement as well as the means used to methodically assess a system’s security. Following this blog post, we will also release intermediate and advanced posts where we describe what extra resources can help get a better understanding of different systems’ design and vulnerabilities as well as dig deeper into how we maximize the efficiency of our tools.
Good overall, it’s comprehensive and straightforward. I think it’s also worth highlighting the manual process of identifying vulnerabilities and developing exploits in phases 2 and 4 respectively.