Nov 8 2012

Phases of Penetration Testing

Author: admin | Category: Cyber Security, Information Security, Penetration Testing | Leave a Comment

We covered penetration testing, its types and benefits in our previous posts. In this post, we will deal with phases of penetration testing. As already explained, a penetration test should closely mimic the activities of an attacker. The test is carried out typically in three phases, namely:

1. Pre-attack Phase
2. Attack Phase
3. Post-attack Phase

The activities in these phases depend on the type of the penetration tests opted by the organization. To view it in a broader perspective, we will assume the penetration testing model as Black-Box and see the activities in each phase.

Pre-attack Phase

In the pre-attack phase, an attacker will collect as much as information against the target of evaluation. Patience is the key factor of this stage because this is the longest of all three phases. The information gathering activities are known as reconnaissance and they can be classified into two components:

1. Passive reconnaissance
2. Active reconnaissance

In passive reconnaissance, the information is collected from publicly available sources. This will ensure zero contact between the tester and the target organization’s network. Also the possibilities of detecting these activities are minimal. The public sources such as, the company’s website, social networking sites, Whois database, Edgar database, Newsgroups, ARIN, RIPE, APNIC, LACNIC databases, Google,, etc, are explored for information. The attacker or the tester will move to active reconnaissance only after all sources of passive reconnaissance are exhausted.

In active reconnaissance, the tester tries to probe the public exposure of the targets with scanning tools. It’s done with the help of tools available for scanning like Banner grabbing, War dialing, DNS zone transfers, Sniffing traffic and Wireless war driving. Data obtained through port scanning help to conclude identification of live systems, their IP addresses, port state (open, closed, or filtered), protocols used (routing or tunneled), active services and service types, service application type and patch level, OS fingerprinting, version identification and, internal IP addressing. The vital data from a target’s DNS server and zones can be used to map a target organization’s network. Attackers put together all these bits and pieces of information to have a thorough knowledge about the target they are planning to attack.

Since these steps actually touch the network, the possibility of identifying data collection is high. Hackers will often spend more time on pre-attack or reconnaissance activities than on the actual attack itself.

Attack Phase

In this phase, the attacker or tester attempts to penetrate the organization’s system to gain access to protected assets, or to plant malicious code to essentially crash the system. The logical or physical vulnerability discovered during the pre attack phase may be used to compromise the target. There might be a number of vulnerabilities and weaknesses in the system, but the attacker need only one to exploit the system.

After access is gained, it is common to upload root kits or implant programs that provide backdoor access, escalating privileges etc. Following this, the attacker needs to cover his tracks by manipulating the audit logs. The main goal here is to explore the extent to which security defenses fail.

Post-attack Phase

In the post-attack phase, the tester is required to restore the systems back to its original state.

• Activities in this phase include (but are not restricted to) the following:
• Removing all files uploaded onto the system
• Cleaning all registry entries and removing vulnerabilities created
• Reversing all file and setting manipulations done during the test
• Reversing all changes in privileges and user settings
• Removing all tools and exploits from the tested systems
• Restoring the network to the pretest stage by removing shares and connections
• Mapping the network state
• Documenting and capturing all logs registered during the test

Also during this phase, the tester produces the penetration testing deliverable which include detailed reports of observations and tests. Lastly, he or she must prepare a validation report, which incorporates the validation of asset values that are affected by the security breaches, the degree to which the test is successful or unsuccessful, and any associated recommendations.

Related Posts

Types of penetration testing

What is Penetration Testing / Ethical Hacking?

Leave a Reply

Your email address will not be published. Required fields are marked *