During penetration testing, testers use a methodical approach to identify vulnerabilities and recommend fixes in a company environment before they can be exploited by real threat actors. A pentest is a systematic and multi-phase process. During each phase, pentesters leverage multiple tools to support their goals and ultimately ensure that the exercise yields useful insights for the organization.
This article will review some popular tools used in each phase and how they help power pentests.
Phase 1: Pre-engagement
During the first phase, testers define the test’s scope, target environment, objectives, goals, and expectations. They also identify any risks and decide on the best testing strategy and methodology. This phase requires a lot of human analysis and communication, so automated tools don’t really play a role here.
Phase 2: Reconnaissance
The reconnaissance phase is about gathering detailed information about the target environment. It is crucial because it tells testers which systems, services, and exposures are realistic candidates for attack before any exploitation begins.
Google and other search engines are a must-have in the reconnaissance toolkit. Testers also have many other reconnaissance tools at their disposal, such as:
- crt.sh: A free search interface over public Certificate Transparency logs. Querying it for a domain lists every certificate issued for that domain, which reveals hostnames and subdomains (including forgotten or supposedly internal ones) that the organization may not realize are publicly discoverable
- Shodan: A search engine to identify vulnerable Internet-connected devices that provide entry points to attackers
- Nmap: An active recon tool to find the hosts, running services, and operating systems on a network
- Maltego: An interactive data mining tool to link various pieces of information and inform online investigations during reconnaissance
- FireCompass: A recon tool that discovers and maps the attack surface, including exposed databases, code leaks, open ports, exposed credentials, and risky cloud assets
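As an added example (not code from the original article or from any of the tools listed), the following Python turns a crt.sh JSON response into a deduplicated hostname inventory. The field names (`name_value`, `common_name`, `issuer_name`, `not_before`, `not_after`) are the ones crt.sh actually returns for a query such as `https://crt.sh/?q=%25.example.com&output=json`; the certificate entries themselves are constructed for the example so it runs offline. Wildcard names are dropped because they are not resolvable hosts, case variants are merged, and names whose newest certificate has already expired are flagged separately, since those often point at decommissioned hosts or dangling DNS records worth a closer look.

```python
import json
from datetime import datetime

# Constructed sample of a crt.sh JSON response (real field names, made-up entries).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nVPN.Example.com",
     "not_before": "2021-03-01T00:00:00", "not_after": "2022-03-01T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "staging-api.example.com",
     "name_value": "staging-api.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])


def parse_crtsh(raw_json, domain):
    """Return {hostname: {"first_seen", "last_expiry", "issuers"}} for every
    name under `domain` in a crt.sh JSON response.

    `name_value` holds all SANs of one certificate, newline-separated; the
    common name is added in case it is not repeated there. Wildcards are
    skipped and names lower-cased so 'VPN.Example.com' and 'vpn.example.com'
    become one entry."""
    hosts = {}
    domain = domain.lower()
    suffix = "." + domain
    for entry in json.loads(raw_json):
        names = entry["name_value"].split("\n") + [entry["common_name"]]
        not_before = datetime.fromisoformat(entry["not_before"])
        not_after = datetime.fromisoformat(entry["not_after"])
        for name in names:
            name = name.strip().lower()
            if name.startswith("*.") or not (name == domain or name.endswith(suffix)):
                continue
            rec = hosts.setdefault(
                name, {"first_seen": not_before, "last_expiry": not_after, "issuers": set()})
            rec["first_seen"] = min(rec["first_seen"], not_before)
            rec["last_expiry"] = max(rec["last_expiry"], not_after)
            rec["issuers"].add(entry["issuer_name"])
    return hosts


def split_by_expiry(hosts, now):
    """Split the inventory into (live, stale) by whether the newest certificate
    for the name is still valid at `now`. Stale names are candidates for
    decommissioned hosts or dangling DNS records."""
    live = sorted(n for n, r in hosts.items() if r["last_expiry"] >= now)
    stale = sorted(n for n, r in hosts.items() if r["last_expiry"] < now)
    return live, stale


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    live, stale = split_by_expiry(found, datetime(2024, 3, 15))
    print("live:", live)
    print("stale:", stale)
```

Against a real response, pair the stale list with DNS resolution: a name that no longer resolves is noise, one that resolves to an address the organization no longer controls is a takeover finding.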
Phase 3: Threat Modeling and Vulnerability Identification
In this “pre-attack” phase, the goal is to identify, categorize, and prioritize threats and vulnerabilities that may be putting the organization at risk. Two of the most useful tools for this phase are port scanners and vulnerability scanners.
A port scanner reveals network entry points that threat actors may exploit to get remote access to target machines. It provides an external view of enterprise systems so testers can see how a malicious hacker may attack, and provide recommendations to help the organization strengthen its cyber defenses.
Nmap, already listed under reconnaissance, is also the most widely used port scanner: it identifies open ports and fingerprints the services and versions behind them.
A vulnerability scanner is an automated tool that checks a target for known vulnerabilities. It scans enterprise networks, systems, and applications and reports security gaps that could open the door to cyberattacks. Its findings are candidates rather than confirmed exploitable weaknesses: scanners produce false positives and version-based guesses, so results should be validated by hand before they reach the report.
Security auditors may use many kinds of vulnerability scanners, depending on the target system and testing goals. For instance, they may use a network vulnerability scanner to find vulnerabilities in a web server and in the operating system, daemons, and database services behind it. Similarly, they may use a web application vulnerability scanner to find vulnerabilities in web-based applications and websites.
Some popular vulnerability scanners are:
Scanner output arrives in many formats, so it should be structured and normalized before the rest of the test builds on it; otherwise hosts, ports and findings end up duplicated or lost between tools. This is where Hive comes in.
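The following Python is an added example of that normalization step, not code from the article, from Hive or from Nmap. It flattens Nmap XML (the format written by `nmap -sV -oX scan.xml`) into one record per open port, drops hosts that are down and ports that are not open, and pulls out the services Nmap only guessed from the port number (`method="table"`, low `conf`) so a tester knows which ones still need manual validation. The XML below follows the real Nmap schema but the hosts and services are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed Nmap XML (real schema, made-up hosts) as `nmap -sV -oX` would write it.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/28" start="1700000000">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.corp.example" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered" reason="no-response"/>
        <service name="mysql" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/></port>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/>
        <service name="snmp" product="net-snmp" version="5.9" method="probed" conf="10"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>"""


def normalize_nmap(xml_text):
    """Flatten Nmap XML into one dict per open port:
    {host, hostname, proto, port, service, product, version, confidence}.
    Down hosts and non-open ports are skipped; records are sorted by IP."""
    records = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']") or host.find("address")
        hostname = host.find("hostnames/hostname")
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            records.append({
                "host": addr.get("addr"),
                "hostname": hostname.get("name") if hostname is not None else None,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
                # Nmap's conf is 1..10; method="table" with low conf means the
                # service name is a guess from the port number, not a probe match.
                "confidence": int(get("conf") or 0),
            })
    records.sort(key=lambda r: (ipaddress.ip_address(r["host"]), r["proto"], r["port"]))
    return records


def needs_manual_check(records, min_conf=10):
    """Return 'host:port/proto (service)' for services Nmap did not confirm by
    probe, i.e. the entries to verify by hand before they go into the report."""
    return [f'{r["host"]}:{r["port"]}/{r["proto"]} ({r["service"]})'
            for r in records if r["confidence"] < min_conf]


if __name__ == "__main__":
    recs = normalize_nmap(SAMPLE_NMAP_XML)
    for r in recs:
        print(r)
    print("verify manually:", needs_manual_check(recs))
```

The same record shape can be produced from other scanners' exports, which is the point of normalizing: once every tool's output is host, port, protocol, service and a confidence value, findings from different sources can be merged and deduplicated instead of being tracked in separate files.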
Phase 4: Exploitation
The exploitation phase is where penetration testers simulate the actions of real attackers to actually execute an attack on the target system. To do this, they obtain a foothold on the target and leverage multiple techniques and tools to deliver the attack payload.
For instance, they may use Sqlmap to detect and exploit SQL injection issues in an application. They may also use Metasploit to exploit vulnerabilities in web applications, networks, and servers and to escalate privileges on a compromised target. Two other popular tools in this phase are Gophish, a framework for setting up and running phishing engagements, and Sqlninja, which exploits SQL injection in web applications backed by Microsoft SQL Server.
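To make concrete what Sqlmap automates, here is an added example (not from the article or from Sqlmap) in Python with an in-memory SQLite database of constructed users. The vulnerable login builds its query by string concatenation, so the payload `' OR '1'='1` bypasses authentication and a UNION payload dumps the password column; the hardened version uses bound parameters, so the same payloads are treated as literal strings and match nothing. Table, rows and payloads are all constructed for the example.

```python
import sqlite3


def build_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is spliced into the SQL text, so
    quotes and keywords in the input change the query's structure."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Hardened: bound parameters keep input out of the SQL grammar entirely."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def demo():
    """Run the three cases and return (bypass_rows, safe_rows, dumped_rows)."""
    conn = build_db()

    # Authentication bypass: the WHERE clause becomes
    #   username = 'anything' AND password = '' OR '1'='1'
    # which is true for every row.
    bypass_payload = "' OR '1'='1"
    bypass = login_vulnerable(conn, "anything", bypass_payload)

    # Same payload against the parameterized query: it is just a password
    # string nobody has, so nothing matches.
    safe = login_safe(conn, "anything", bypass_payload)

    # Data extraction: a UNION appends a second SELECT with the same column
    # count, and the trailing '--' comments out the rest of the original query.
    # This is the kind of extraction Sqlmap performs automatically.
    dump_payload = "x' UNION SELECT username, password FROM users --"
    dump = login_vulnerable(conn, dump_payload, "irrelevant")

    return bypass, safe, dump


if __name__ == "__main__":
    bypass, safe, dump = demo()
    print("vulnerable, bypass payload :", bypass)
    print("safe, same payload         :", safe)
    print("vulnerable, UNION payload  :", dump)
```

The fix is not input filtering but the parameterized query: the database driver sends the statement and the values separately, so no quoting trick can turn data into SQL.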
Phase 5: Post-exploitation
After the exploitation phase, the tester maintains access to a compromised system and tries to escalate their privileges on it. The goal is to stay connected and assess how a long-term threat actor could introduce malicious payloads or exfiltrate sensitive data if they remain within the system.
Cobalt Strike is a commercial adversary emulation framework used in post-exploitation to emulate a long-term or advanced adversary in the target network and replicate their tactics and techniques. Metasploit also contains post-exploitation modules to mimic long-term attackers and their actions. Nmap, Netcat, and Burp Suite support post-exploitation work as well: Nmap to discover further hosts and services reachable from the foothold, Netcat for shells and file transfer, and Burp Suite for attacking internal web applications reached through it. Together they let pen testers understand how adversaries could move through the target environment and maintain access to achieve their objectives.
In the end, the whole process is summarized and presented to the customer. The pentest report records the attacks performed, the methodology used, and the vulnerabilities found. The final phase is retesting; traditional pentest engagements usually allow a retest about 6 months after the original test. With Hive and Apiary real-time dashboards this time can be reduced by 10 times!