What are the six stages of Penetration Testing?
Penetration testing can be broken down into six stages:
- Reconnaissance: Gathering information about the target that can be used to attack it more effectively. For example, using Google hacking to find data that can be used in a social engineering attack.
- Scanning: Using technical tools to gain further knowledge of the target’s externally facing assets, e.g. using Nmap to scan for open ports.
- Gaining access: Using the data gathered in the reconnaissance and scanning phases, the pen tester can deliver a payload to exploit the target. For example, Metasploit can be used to automate attacks on known vulnerabilities such as those listed in CVE.
- Maintaining access: After gaining access, the pen tester may take steps to gain persistent access to the target in order to extract as much data as possible.
- Covering tracks: The final step is for the pen tester to clear any trace of their access by deleting audit trails, log events, etc.
- Reporting: The report outlines the findings, providing a vulnerability assessment with suggested remediation steps.