Penetration testing fundamentals overview

Goodreads: Penetration Testing Fundamentals: A Hands-On Guide to Reliable Security Audits (Pearson IT Cybersecurity Curriculum (ITCC))


PCI DSS Standard

  1. Preparation *
    1. Scope (what target, how much testing?)
    2. Qualifications (what do you need to know?)
    3. Methodology
  2. Pre-Engagement
  3. Actual Test
  4. Post-Engagement

NIST 800-115

  1. Planning
    1. What goal?
    2. Pre-Engagement
  2. Execution
    1. Network discovery
    2. Vulnerability scan
    3. Attack
    4. Add report
    5. (Repeat)
  3. Post-Execution
    1. Whole report


  1. Pre-Engagement
    1. Scope of test
    2. Goals
    3. Timeframe
    4. Required standards
  2. Engagement
    1. Passive scanning: open-source intelligence (OSINT), e.g. Netcraft, archive.org, Shodan
    2. Active scanning: scanning the target network
      • Nmap: port-scan IP addresses
      • vulnerability scans: websites, IP addresses, SQL servers, SSH, FTP, SMB…
    3. Breaching: Actual exploiting
    4. Completing:
      1. Reporting
      2. Example pen tests

Example pen test


After completing the pre-engagement activities and phase 1 (passive scanning), active scanning is the next phase. In a small network such as the one described in this scenario, active scanning will flow naturally into phase 3, breaching. It is often easiest to start with external testing.

1. Begin with port scanning all public-facing IP addresses (the web server and gateway router).

2. Then use vulnerability scanners to scan the website (Vega, OWASP ZAP, Burp Suite, etc.).

3. Manually attempt several common attacks on the web server (cross-site scripting, SQL injection, website path traversal, etc.).

4. Try appropriate Metasploit attacks on the web server (depending on the server software) and on the router. You may also wish to run some Metasploit auxiliary scanner modules against the web server, particularly the anonymous FTP scan.

5. Attempt to access the wireless network. This should include both trying to break into the Wi-Fi and trying to reach the administrative interface of the wireless access point.

6. Attempt standard attacks such as banner grabbing, DNS zone transfers, etc.

7. Try default passwords on any public-facing device.
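Banner grabbing (step 6 above) can be shown end-to-end without touching a real target. The script below is an added example, not code from the book or from these notes: it starts two mock services on 127.0.0.1, one that announces itself as soon as the client connects (the way FTP, SMTP and SSH do) and one that stays silent until the client sends a request (the way HTTP does), then grabs and roughly classifies their banners. The banner strings, the host name ftp.example.test and the server name ExampleHTTPd are constructed for this example.

```python
import socket
import socketserver
import threading

# Constructed banners for the local mock services; these are not real hosts.
FTP_BANNER = b"220 ftp.example.test FTP server ready\r\n"
HTTP_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
                 b"Server: ExampleHTTPd/1.0\r\n"
                 b"Content-Length: 0\r\n\r\n")


class ChattyHandler(socketserver.BaseRequestHandler):
    """Mimics a service that announces itself on connect (FTP, SMTP, SSH)."""

    def handle(self):
        self.request.sendall(FTP_BANNER)


class QuietHandler(socketserver.BaseRequestHandler):
    """Mimics a service that says nothing until the client sends a request (HTTP)."""

    def handle(self):
        self.request.settimeout(3.0)
        try:
            if self.request.recv(1024):
                self.request.sendall(HTTP_RESPONSE)
        except socket.timeout:
            pass


def start_mock_service(handler):
    """Bind a mock service to an ephemeral loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def grab_banner(host, port, timeout=1.0):
    """Connect and wait for a greeting; if none arrives, send an HTTP probe.

    Returns the first bytes the service sent, decoded leniently. The HEAD
    probe only draws a reply from HTTP-like listeners; other quiet services
    need a protocol-specific probe.
    """
    probe = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            sock.sendall(probe)
            try:
                data = sock.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode("latin-1", errors="replace")


def classify_banner(banner):
    """Rough service guess from the first banner line (product/version go in the report)."""
    first = banner.split("\r\n", 1)[0]
    if not first:
        return "unknown"
    if first.startswith("SSH-"):
        return "ssh"
    if first.startswith("HTTP/"):
        return "http"
    if first.startswith("220 "):
        return "ftp" if "ftp" in first.lower() else "smtp"
    return "other"


if __name__ == "__main__":
    for handler in (ChattyHandler, QuietHandler):
        server, port = start_mock_service(handler)
        banner = grab_banner("127.0.0.1", port)
        print(f"127.0.0.1:{port} -> {classify_banner(banner)}: {banner.strip()!r}")
        server.shutdown()
        server.server_close()
```

On an engagement, point grab_banner at the open ports found in step 1 instead of the loopback mocks, and record the full banner (product and version string) for the report; the one-second wait before probing is what separates services that greet first from those that expect the client to speak.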


Now move internally. This part is done from inside the network.

1. Begin with network enumeration, which is internal active scanning.

2. Perform a network-wide vulnerability scan using one or more tools.

3. Nmap-scan the entire network. Identify which ports and services are listening, and determine whether they all need to be running.

4. Use a packet sniffer to capture network traffic, including wireless traffic. Note any sensitive data being sent unencrypted, and whether the wireless traffic itself is encrypted.

5. Run the standard Metasploit auxiliary scanners (anonymous FTP, SMB, SSH, SQL Server, etc.).

6. Attempt to exploit any vulnerabilities found.

7. Attempt standard attacks including:

a. Try to connect to computers’ shares.

b. Try to crack passwords on key machines.

c. Try to telnet or SSH to printers.

d. Attempt default passwords on any servers, printers, switches or routers, and wireless access points.
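Step 3 of the internal phase (deciding whether every listening service actually needs to be running) is mostly bookkeeping over the scanner output, and it is also where the targets for steps 4, 7c and 7d come from. The script below is an added example, not from the book or these notes: it parses Nmap's XML output (the -oX format), drops hosts that are down and ports that are not open, compares what remains against a baseline of services the client says should be listening, and flags cleartext protocols such as telnet on printers. The XML, the addresses, the EXPECTED baseline and the CLEARTEXT set are all constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for `nmap -sV -oX scan.xml 10.0.0.0/24` output; the
# hosts, addresses and services are made up for this example.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/24">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical baseline agreed with the client during pre-engagement: the
# (protocol, port) pairs that are supposed to be listening on each host.
EXPECTED = {
    "10.0.0.5": {("tcp", 22), ("tcp", 445)},
    "10.0.0.20": {("tcp", 9100)},
}

# Protocols that carry credentials or data in the clear. Open instances are
# the first places to point the sniffer and the default-password list.
CLEARTEXT = {"telnet", "ftp", "http", "pop3", "imap", "smtp", "snmp", "tftp"}


def parse_nmap_xml(xml_text):
    """Return {ipv4: [(proto, port, service_name), ...]} for open ports on live hosts."""
    inventory = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        ports = inventory.setdefault(addr, [])
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not listening services
            service = port.find("service")
            name = service.get("name") if service is not None else "unknown"
            ports.append((port.get("protocol"), int(port.get("portid")), name))
    return inventory


def review_inventory(inventory, expected):
    """Compare open services with the baseline; return (host, port, service, reason) findings."""
    findings = []
    for host in sorted(inventory, key=lambda h: tuple(int(o) for o in h.split("."))):
        allowed = expected.get(host, set())
        for proto, num, name in sorted(inventory[host]):
            label = f"{proto}/{num}"
            if (proto, num) not in allowed:
                findings.append((host, label, name, "not in expected baseline"))
            if name in CLEARTEXT:
                findings.append((host, label, name, "cleartext protocol"))
    return findings


if __name__ == "__main__":
    for host, port, service, reason in review_inventory(parse_nmap_xml(SAMPLE_NMAP_XML), EXPECTED):
        print(f"{host:<12} {port:<10} {service:<14} {reason}")
```

Run against a real scan, each "not in expected baseline" line is a question for the client (is this service meant to be there?) and each "cleartext protocol" line is a candidate for the sniffer in step 4 and the default-password attempts in step 7d; the filtered MySQL port and the down host are deliberately left out, since neither is a service anyone can reach.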