Before we get into the article, I would like to emphasize that I am not responsible for any damage you do trying to attack systems. Its illegal. You should have written permission before you even try to scan a system or a network.
Cybersecurity is one of the hottest fields to be in, thanks to companies going remote. Cyber threats are increasing and cybercriminals are finding new ways to exploit systems.
Penetration testing is how the good guys work. They think like hackers and attack their own systems. This helps them understand their strengths and weaknesses and protect their organizational assets.
A pen-test comprises of multiple stages. You cannot simply get into a system by using a tool unless the target is hopelessly vulnerable.
In most cases, systems are secured via firewalls, antiviruses, default operating system configurations, etc. It takes the right tools, a strong skill set, and most importantly, patience, in order to successfully exploit a network.
So let's look at the five main stages a penetration tester will go through along with the tools they use to break into a network.
You can also find the article I wrote on the top 10 tools cybersecurity professionals use here.
“Give me six hours to chop down a tree and I will spend the first four sharpening the axe. — Abraham Lincoln”
Reconnaissance is the most important part of a penetration test. It is where you gain information about the target.
The reason reconnaissance is important is because the more information you have about the target, the easier it gets when you try to gain access. Once you map out an entire network, you can identify the weakest spot and start from there.
Commonly used Recon tools include Google (yeah!) and other social media where you can gather information about the target. If you are performing an audit of a company, you can go through the company’s job posting to see the type of technologies they use.
Once you have gained enough information, you can use a tool like Maltego to map the targets.
Maltego also supports has the ability to automatically import data from social networks, DNS records, and custom plugins like FullContact.
The important thing to remember in terms of recognisance is that you NEVER touch the target. Reconnaissance is similar to scouting and looking for information while you are far away from the target.
This is the part where you come in contact with the target. Scanning is sending packets of data to the target and interpreting their response.
Scanning gives you useful information about the target like open ports, IP addresses, operating system information, services installed, etc.
Nmap is the best scanner to scan a network. Nmap will help you map out a network and provide detailed information about the target systems.
Nmap also provides a number of CLI options including scan exports that you can then import into exploitation tools.
Nessus is another scanning tool but it is a commercial product. While Nmap will give you information about the target, Nessus will tell you how you can exploit the target by matching the vulnerabilities from the Common Vulnerabilities and Exposures database.
OpenVas is another open-source alternative that is similar to Nessus.
This is the part where you gain access to the system. A successful exploit should give you control of the system to at least a user level. From there you perform privilege escalation to gain root access to the target.
When it comes to Exploitation, Metasploit is hands down the best tool in the market. It is open-source (with a commercial version as well) and is easy to work with.
Metasploit is updated frequently updated with new exploits published in the Common Vulnerabilities and Exposures (CVE) database. So you can match your scan results with the available exploits and use that exploit from Metasploit to attack the target.
Metasploit has an advanced payload called Meterpreter. Once you have gained access to the target system, Meterpreter gives you options like opening webcams, dumping password hashes, and so on. Meterpreter also lives in the memory of the target, so it is very hard to detect.
For example, if your scan results tell you that the target has Samba version 3.5, you can use the Samba CVE-2017–7494 Remote Code Execution Vulnerability to send a payload through Metasploit and gain access to the target system.
Metasploit also has a GUI tool called Armitage. Armitage helps you to visualize targets and it recommends exploits by matching the vulnerabilities with the exploits database.
Gaining access to systems is not easy, especially on corporate networks. After all the hard work you have done to exploit a system, it won't make sense to go through the same process to exploit the target again.
This is where maintaining access comes in. You can install backdoors, keyloggers, and other pieces of code that let you into the system whenever you want to.
Metasploit gives you tools like keyloggers and Meterpreter backdoors to maintain access to an exploited system. You can also install custom Rootkits or Trojans after gaining access.
A rootkit is a piece of code that lets the attacker have admin access to the system it is attached to. Rootkits can also be installed when you download files from malicious websites.
Trojan horses are software that looks like useful software (eg. adobe photoshop) but can contain a hidden piece of malicious software. This is common among pirated software where attackers embed trojans within popular software like MS Office.
Reporting is the final part of a penetration test. It is what differentiates between an attacker and an ethical hacker.
Once your penetration test is complete, you summarize all the steps you have taken from recon to gaining access. This will help the organization to understand its security architecture and defend itself better.
A report is also useful when you are working as a team. You will not be able to conduct a penetration test for a large organization alone. Reports will also make the client understand the efforts of the team and helps justify the compensation.
Cybersecurity is a great career choice, especially during these uncertain times. More devices are exposed to the network every single day. It is the job of the penetration tester to help defend an organization’s network.
Hope this article helped you understand the different stages of a penetration test. If you have any questions, let me know in the comments.