Penetration tests have multiple objectives and goals. Each penetration test is different based on the target scope. But there are methodologies that are same as foundational steps in order to achieve the goal. Penetration test stages:
Information Gathering
This stage involves collecting as much publically accessible information about a target/organisation as possible, for example, OSINT and research. this stage has two sub-branches. Active and passive information gathering.
Enumeration
This stage involves discovering applications and services running on the systems. For example, web server and application version detection.
Exploitation
This stage involves leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic.
Privilege Escalation
after gaining initial access privilege escalation helps to escalate attacker's abilities to maximum (as root or admin user).
Post-exploitation
This stage involves process to target as many system as possible and escalate the attack surface of target.
Reporting
The final stage is to organize and document each step during the pentest and list all the discovered flaws and security suggestion in order to enhance the security
Methodologies
OSSTMM
The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.
OSSTM is used during testing:
Telecommunications
Wired Networks
Wireless Communication
OWASP
The "Open Web Application Security Project" framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.
All most all web applications are tested based on these guidelines.
NIST Cybersecurity Framework 1.1
The NIST Cybersecurity Framework is a popular framework used to improve an organizations cybersecurity standards and manage the risk of cyber threats. This framework is a bit of an honourable mention because of its popularity and detail.
NCSC CAF
The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organization's defence against these.
Top comments (1)
Wow, great breakdown of Penetration Testing Stages and Methodologies! Understanding these steps is vital for Penetration Testing Companies to ensure comprehensive assessments and robust security measures. Keep up the insightful content!