Penetration Testing Methodologies

Jasjit Dhanoa
2 min read · Jan 25, 2022

WHAT IS PENETRATION TESTING?

A penetration test, or pentest, is an ethically driven attempt to test and analyse the security defences that protect an organisation's assets and information. A penetration test involves using the same tools, techniques, and methodologies that someone with malicious intent would use, and in that sense it is similar to an audit.

Every website is different in its own way, so we have to take a different approach to every website.

No Penetration Test Is The Same

Penetration tests have a wide variety of objectives and target scopes. The approach we use during a penetration test is known as a methodology. Wireframing a methodology is a smart choice before attempting a penetration test.

Methodologies

Stage and description:

  1. Information gathering: This stage involves collecting as much publicly accessible information about a target as possible, for example through OSINT and research.
  2. Enumeration/Scanning: This stage involves discovering the applications and services running on the target systems, for example finding a web server that may be potentially vulnerable.
  3. Exploitation: This stage involves leveraging the vulnerabilities discovered on a system or application. It can involve the use of public exploits or exploiting application logic.
  4. Privilege escalation: Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access to the system. You can escalate horizontally or vertically: horizontal escalation is accessing another account in the same permission group (i.e. another user), whereas vertical escalation is accessing an account in a higher permission group (i.e. an administrator).
  5. Post-exploitation: This stage involves a few sub-stages:
  • what other hosts can be targeted
  • what additional information can be gathered from the host now that we are a privileged user
  • covering your tracks
  • reporting

In an upcoming blog I will talk about the tools used in these methodologies and their uses.
