The first phase is a conversation and agreement of what the goal of the pentest project is and what the scope and boundaries of it are as well. Here is where most of the planning, goal setting and expectations are discussed.
Things to consider:
- In-scope and out-of-scope servers. Eg production servers are excluded. Pentesting during the weekends yes/no, etc
- Signing of NDAs (Non-disclosure agreements) and other legal documents
- Type of testing to perform (black box, white box, internal, external)
- Getting authorisation for a part or the entire of your team
Recon, from where Reconmap takes its name, is the phase of the project where the pentesters gather all available information about the in-scope targets. The information gathering done during this phase is critical for the rest of the project.
Typical activities include:
- Getting information about DNS entries, domains (and subdomains!)
- OSINT. Intelligence gathered from publicly available information and networks (especially social media)
- Por scanning, network and service enumeration
- Banner grabbing
- Packet sniffing
Once information about the systems is gathered, the pentester will need to identify all the known, and possibly unknown until them, vulnerabilities available to them. Using a combination of manual tools, automation and human intuition, the pentester will come up with a vulnerability list that will form part of the vulnerability assessment.
Probably the most fun part of a pentest project. This is where we take the vulnerabilities and we exploit them to breach into the systems. Evidence of these breaches need to be collected and presented in the report to execs and the security and technical teams of the companies we are working with.
Some tools used during this phase are:
- Cobalt strike
Pentesters, hackers and other InfoSec professionals are very creative and enjoy most the previous phases of the project but not so much the reporting phase. This is when all the findings, together with an executive summary needs to be redacted and shared.
The typical report will include all the system weaknesses as well as suggestions on how to fix them. The results and findings need to be clear and detailed for the client to be able to address them correctly.
Other sections of the report include:
- Potential business impact
- Risk ratings
- Glossary of terms
- Proof of concepts (PoC code)
- Steps to reproduce
After a pen test concludes the responsability for fixing the reported issues (following recommendations included in our original report) lies on the owner of the system. Depending on what the agreement was on the first phase of the project, your work as pentester might include re-testing the affected areas to confirm their correct resolution. A new report is generated and shared with the client.