Penetration test
== Penetration testing phases ==
The process of penetration testing may be simplified into the following five phases:
# Reconnaissance: The act of gathering important information on a target system. This information can be used to better attack the target. For example, open source search engines can be used to find data that can be used in a [[Social engineering (security)|social engineering]] attack.
# Scanning: Uses technical tools to further the attacker's knowledge of the system. For example, [[Nmap]] can be used to scan for open ports.
# Gaining access: Using the data gathered in the reconnaissance and scanning phases, the attacker can use a payload to exploit the targeted system. For example, Metasploit can be used to automate attacks on known vulnerabilities.
# Maintaining access: Maintaining access requires taking the steps involved in being able to remain persistently within the target environment in order to gather as much data as possible.
# Covering tracks: The attacker must clear any trace of compromising the victim system, including any data gathered and log events, in order to remain anonymous.<ref>{{Cite news| url= https://www.cybrary.it/2015/05/summarizing-the-five-phases-of-penetration-testing/ |title= Summarizing The Five Phases of Penetration Testing - Cybrary| date=2015-05-06|work=Cybrary| access-date=2018-06-25|archive-date=April 8, 2019|archive-url=https://web.archive.org/web/20190408063557/https://www.cybrary.it/2015/05/summarizing-the-five-phases-of-penetration-testing/}}</ref>

Once an attacker has exploited one vulnerability, they may gain access to other machines, so the process repeats: they look for new vulnerabilities and attempt to exploit them. This process is referred to as pivoting.

=== Vulnerabilities ===
Legal operations that let the tester execute an illegal operation include unescaped SQL commands, hashed passwords left unchanged in source-visible projects, human relationships, and old hashing or cryptographic functions.
A single flaw may not be enough to enable a critically serious exploit. Leveraging multiple known flaws and shaping the payload in a way that appears as a valid operation is almost always required. Metasploit provides a Ruby library for common tasks, and maintains a database of known exploits.

When working under budget and time constraints, [[fuzzing]] is a common technique that discovers vulnerabilities. It aims to get an unhandled error through random input. The tester uses random input to reach the less often used code paths; well-trodden code paths are usually free of errors. Errors are useful because they either expose more information, such as HTTP server crashes with full tracebacks, or are directly usable, such as [[buffer overflow]]s.

Imagine a website has 100 text input boxes. A few are vulnerable to [[SQL injection]]s on certain strings. Submitting random strings to those boxes for a while will hopefully hit the bugged code path. The error shows itself as a broken HTML page, half rendered because of an SQL error. In this case, only text boxes are treated as input streams. However, software systems have many possible input streams, such as cookie and session data, the uploaded file stream, RPC channels, or memory. Errors can happen in any of these input streams. The test goal is to first get an unhandled error and then understand the flaw based on the failed test case. Testers write an automated tool to test their understanding of the flaw until it is correct. After that, it may become obvious how to package the payload so that the target system triggers its execution. If this is not viable, one can hope that another error produced by the fuzzer yields more fruit. The use of a fuzzer saves time by not checking code paths that already handle input adequately, where exploits are unlikely.
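The following is an added worked example, not code from the article or from any of the tools it names. It ties together the "unescaped SQL commands" flaw listed under Vulnerabilities and the fuzzing idea described above: a toy request handler built on Python's standard-library sqlite3 module (the table, its two rows and the character set are constructed for this illustration) is driven with random strings until an unhandled SQL error surfaces, which is the in-process equivalent of the "broken HTML page half rendered because of an SQL error". A second handler that binds the value as a query parameter is fuzzed the same way and never fails, which is what a tester would report as the fix.

```python
import random
import sqlite3
import string

# Constructed sample data standing in for the website's user table.
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Build a fresh in-memory database so each run starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unescaped(conn, name):
    """Flawed handler: the text-box value is spliced straight into the SQL string,
    so the database parser sees user input as part of the command."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    """Hardened handler: the value is passed as a bound parameter and is never
    interpreted as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Characters a fuzzer would mix in: letters and digits plus SQL punctuation.
CHARSET = string.ascii_letters + string.digits + " '\";-%_()"


def triggers_error(handler, value):
    """True if feeding `value` to `handler` escapes as an unhandled database error.
    sqlite3.Warning is caught as well: older interpreters raise it for a second
    statement smuggled in after a stray quote."""
    try:
        handler(make_db(), value)
    except (sqlite3.Error, sqlite3.Warning):
        return True
    return False


def fuzz(handler, iterations=2000, seed=1):
    """Submit random strings to `handler` and collect every input that produced
    an unhandled error, together with the exception class it raised."""
    rng = random.Random(seed)  # fixed seed so a failing case can be replayed
    conn = make_db()
    failures = []
    for _ in range(iterations):
        length = rng.randint(1, 12)
        value = "".join(rng.choice(CHARSET) for _ in range(length))
        try:
            handler(conn, value)
        except (sqlite3.Error, sqlite3.Warning) as exc:
            failures.append((value, type(exc).__name__))
    return failures


if __name__ == "__main__":
    for handler in (lookup_unescaped, lookup_parameterized):
        found = fuzz(handler)
        print(f"{handler.__name__}: {len(found)} unhandled errors")
        for value, kind in found[:3]:
            print(f"  {kind} on input {value!r}")
```

The interesting output is not the number of failures but the first failing input: the tester keeps that string as the failed test case, reproduces it by hand, and from the error message works out which characters broke the query, exactly the "understand the flaw based on the failed test case" step in the text. Running the same loop against the parameterized handler gives a quick regression check that the fix removed the whole class of error rather than one particular string.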
=== Payload ===
The illegal operation, or payload in Metasploit terminology, can include functions for logging keystrokes, taking screenshots, installing [[adware]], stealing credentials, creating backdoors using [[shellcode]], or altering data.

Some companies maintain large databases of known exploits and provide products that automatically test target systems for vulnerabilities:
* [[Metasploit]]
* [[Nessus (software)|Nessus]]
* [[Nmap]]
* [[OpenVAS]]
* [[W3af]]