Penetration testing methodology

To achieve any objective, you need an action plan.

In the professional world, and in the jargon of hacking and penetration testing, this action plan is called a methodology.

The methodology is the sequence of steps we follow to reach the final objective: getting into the target's network and, in the end, helping to protect it.

In this chapter, we will discover together the methodologies that we can use as penetration testers and ethical hackers.

There are several methodologies in the professional world.

There is PTES (the Penetration Testing Execution Standard), the NIST guidance (SP 800-115, Technical Guide to Information Security Testing and Assessment), OSSTMM (the Open Source Security Testing Methodology Manual from ISECOM), and the best known of all, the OWASP Testing Guide, which focuses on web applications.

All of these were created by organizations well established in the IT security field and industry.

OWASP is a non-profit foundation that publishes research, guides and tools for application security.

NIST is the United States standards agency, and its guide is widely used as a reference for assessments.

To keep it simple, the methodology I find most accessible and use in my own penetration tests is PTES, although all of these methodologies share more or less the same logic.

However, in this course I will not follow these fairly heavy standards to the letter, but a much simpler methodology made of six steps:

1. Reconnaissance
2. Scanning
3. Gaining access (exploitation)
4. Maintaining access
5. Cleaning tracks
6. Reporting

Each of the standards mentioned above has its own number of steps.

To keep it simple, we will follow this chronological order to plan and execute our penetration test.

The first step is reconnaissance.

In reality there is a preliminary step before it, in which you negotiate the engagement with the client.

You will often work as a pentester inside a company whose sales side handles the negotiation and the contract, so you may not have to deal with that part yourself.

But you should know that before reconnaissance there is a pre-engagement phase in which the scope is fixed with the client: the objective, the targets (IP addresses, servers, applications), and what you are and are not allowed to do.

For example, the client may tell you: "You are not authorized to scan this specific production server." You therefore do not scan it, not even a ping sweep.

Or: "You are not authorized to do social engineering." These rules of engagement are what make your test authorized rather than an attack, so it is essential to know them and to check every active step against them.

Then comes reconnaissance, in which you use tools (open source or written by yourself) to gather as much information as possible about your target.

The target can be a single server, an application, or an entire network of several dozen or several hundred servers running Windows, macOS and other systems.

You will use tools, as we will see, that let you collect as much information as possible.

In the lesson on reconnaissance we will see that there are several types of reconnaissance (passive, which never touches the target's systems, and active, which does).

What you need to remember is that you need information: the more you have about your target, the more productive your penetration test will be.

This is the first step.

The second step is scanning.

Strictly speaking this is still information gathering, but scanning is active and more aggressive: you send traffic to the target instead of only observing it, so it is visible in the target's logs and must stay within the agreed scope.

We will use tools such as the well-known Nmap to find live hosts and to enumerate open ports, the services behind them and their versions, which is the information the exploitation phase depends on.
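Before the first packet of the scanning step leaves your machine, the scope from the pre-engagement phase should be turned into a concrete, checked target list. The following is an added example (not code from the course): it expands the in-scope networks, removes the hosts the client forbade (such as the production server in the example above), flags exclusions that are not even in scope so the scope document can be corrected, and builds the Nmap command line with the exclusion passed to Nmap as well, so a forbidden host cannot be scanned by accident. The addresses, the rules-of-engagement flags and the helper names are this example's own assumptions; the Nmap options used (-sV, -sC, -Pn, -oA, --exclude) are real.

```python
"""Added example (not part of the course): enforce the rules of engagement
before scanning and build the Nmap command from the authorized scope.
Addresses and helper names below are constructed for illustration."""
import ipaddress

# Constructed scope as it might be agreed with the client.
IN_SCOPE = ["10.10.0.0/28", "10.10.1.5"]   # networks and single hosts we may test
EXCLUDED = ["10.10.0.3"]                   # "not authorized to scan this production server"
ROE = {"social_engineering": False, "denial_of_service": False}  # other negotiated limits


def expand(entries):
    """Expand CIDR ranges and single addresses into a set of host addresses.
    A /32 is returned as itself; for larger networks the network and
    broadcast addresses are dropped, as Nmap's hosts() convention does."""
    hosts = set()
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            hosts.add(net.network_address)
        else:
            hosts.update(net.hosts())
    return hosts


def authorized_targets(in_scope, excluded):
    """Return (targets, stray): hosts we may scan, and exclusions that are
    not in scope at all (a sign the scope document needs a second look)."""
    scope, exclude = expand(in_scope), expand(excluded)
    return sorted(scope - exclude), sorted(exclude - scope)


def is_authorized(host, in_scope, excluded):
    """Single-host gate to call before any active step against `host`."""
    addr = ipaddress.ip_address(host)
    return addr in expand(in_scope) and addr not in expand(excluded)


def nmap_command(in_scope, excluded, output_base="scan_scope"):
    """Build the Nmap argument list. The whole scope is passed as targets and
    the exclusions again through --exclude, so Nmap itself refuses the
    forbidden hosts even if someone later edits the target list by hand.
    -sV/-sC: service versions and default scripts; -Pn: skip host discovery;
    -oA: write normal, XML and greppable output for the report."""
    cmd = ["nmap", "-sV", "-sC", "-Pn", "-oA", output_base]
    if excluded:
        cmd += ["--exclude", ",".join(excluded)]   # Nmap takes a comma-separated list
    return cmd + list(in_scope)


if __name__ == "__main__":
    targets, stray = authorized_targets(IN_SCOPE, EXCLUDED)
    print(f"{len(targets)} authorized hosts; stray exclusions: {stray}")
    print(" ".join(nmap_command(IN_SCOPE, EXCLUDED)))
```

Run the gate from every tool you write for the engagement, not only from the scanner: a reconnaissance script that accidentally resolves and probes an excluded host is just as much a breach of the rules as an Nmap scan of it.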

Next comes gaining access (exploitation).

In this phase we use everything gathered during the first two steps to get into the target's network or system, for example by exploiting a vulnerable service version identified during scanning.

This is the most exciting and interesting phase.

From there we move on to the next phase: maintaining access.

Once we are inside, we set up persistence mechanisms and make the changes that allow us to keep our access over the long term, so that a reboot or a lost session does not cost us the foothold.

Once this is done, we move on to the next phase: cleaning tracks.

You must know that when you get into a server or your target's network, you leave traces behind: the scripts and files you uploaded, the accounts or services you created for persistence, and entries in the logs.

You must remove everything you introduced so as not to leave traces behind you.

This is a principle shared by ethical hackers and criminal attackers: both clean up after themselves.

For black hat hackers it matters even more: if they leave traces, they risk being caught and ending up in prison.

That is not our situation as ethical hackers, but leaving artifacts behind gives a poor professional impression of your penetration test, and a forgotten backdoor or account is a real risk to the client.

Be professional, therefore, and clean up: remove your own artifacts, keep a list of everything you changed, and leave the client's logs alone unless the rules of engagement say otherwise, since their detection team will want to see what your test looked like; anything you could not remove goes into the report.

Finally, the penetration test ends with a detailed report on what we did throughout the test: what we found during reconnaissance and what we recommend the client correct or remove.

For example, if we find public information about the client's infrastructure, we recommend removing it, because an attacker could use it to prepare an attack on the network.

The same goes for the scanning phase, where we detail what our scanning tools found (hosts, open ports, services and versions), and for gaining access, where we describe exactly how we got in and what that access allowed.

We present all of this clearly enough that the client can understand our approach and act on it.

The ultimate goal is to protect the client's infrastructure.

This is therefore the procedure, the test plan or methodology, that we will use in this course and that you can reuse in your future penetration tests.
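The scanning results usually reach the report as a table of hosts, open ports and service versions, plus a list of findings with a recommendation each. The following is an added example (not code from the course) that builds exactly that from Nmap's greppable output, the .gnmap file written by the -oA option of the scanning step. The scan lines are constructed for illustration, the clear-text service list is an assumed triage rule rather than anything the course defines, and the helper names are this example's own.

```python
"""Added example (not part of the course): turn Nmap greppable output into
the per-host inventory and findings list used in the report.
The sample scan output below is constructed; -oG really formats each port
as port/state/proto/owner/service/rpcinfo/version/ and replaces any '/'
inside a field with '|', which is why splitting on '/' is safe."""
import re
from collections import defaultdict

SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oA scan_scope --exclude 10.10.0.3 10.10.0.0/28
Host: 10.10.0.5 ()\tStatus: Up
Host: 10.10.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.5/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.10.0.9 (files.corp.example)\tStatus: Up
Host: 10.10.0.9 (files.corp.example)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 23/open/tcp//telnet//Linux telnetd/, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (997)
# Nmap done at Mon Jan  1 10:01:12 2024 -- 14 IP addresses (2 hosts up) scanned in 72.10 seconds
"""

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)$")

# Assumed triage rule: services that carry credentials in clear text.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap"}


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [...]}} for every live host;
    only open ports are kept, each as port/proto/service/version."""
    hosts = defaultdict(lambda: {"hostname": "", "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                        # comment/summary lines
        fields = line.split("\t")           # -oG separates sections with tabs
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip = m.group("ip")
        hosts[ip]["hostname"] = m.group("name")
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue                # malformed entry, skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state != "open":
                    continue
                hosts[ip]["ports"].append(
                    {"port": int(port), "proto": proto, "service": service, "version": version})
    return dict(hosts)


def findings(hosts):
    """One finding per open clear-text service, with the recommendation text
    for the 'what we recommend the client correct' part of the report."""
    out = []
    for ip, info in sorted(hosts.items()):
        for p in sorted(info["ports"], key=lambda p: p["port"]):
            if p["service"] in CLEARTEXT_SERVICES:
                out.append({"host": ip, "port": p["port"], "service": p["service"],
                            "recommendation": f"replace {p['service']} on {ip}:{p['port']} "
                                              "with an encrypted equivalent or restrict access to it"})
    return out


def report_table(hosts):
    """Plain-text inventory table: one line per open port, sorted by host and port."""
    lines = [f"{'host':<16}{'port':<10}{'service':<14}version"]
    for ip, info in sorted(hosts.items()):
        for p in sorted(info["ports"], key=lambda p: p["port"]):
            lines.append(f"{ip:<16}{p['port']}/{p['proto']:<6}{p['service']:<14}{p['version']}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print(report_table(inventory))
    for f in findings(inventory):
        print(f"- {f['host']}:{f['port']} ({f['service']}): {f['recommendation']}")
```

The inventory table goes into the scanning section of the report as-is; the findings list is the seed of the recommendations section, to which the results of the gaining-access phase are then added host by host.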

At the end of this course, I will give you resources to take your skills to the next level, including important practice websites and books to read as a penetration tester and cybersecurity enthusiast.

Finally, I will point you to advanced courses covering further topics in security, attacking and defending networks and operating systems.

Reference: Penetration Testing Execution Standard (PTES), http://www.pentest-standard.org