Do you want to enhance your organisation’s cybersecurity by identifying and addressing vulnerabilities before they can be exploited? Mastering the art of penetration testing is a vital skill for any security professional and an essential component of a robust security strategy. In this blog post, we’ll guide you through “how to do penetration testing”, providing valuable insights and actionable recommendations to strengthen your security posture.

Key Takeaways

• Cyber security strategy is incomplete without this security validation to plug gaps.
• Penetration testing is a cybersecurity practice that uncovers potential weaknesses and improves an organisation’s security posture.
• The process involves reconnaissance, intelligence gathering, vulnerability discovery, strategic execution of the test with essential tools and utilities, gaining access to the target environment & simulating advanced threats.
• Organisations must adhere to ethical and legal standards when conducting penetration tests to ensure security compliance while navigating ethical boundaries.

Deciphering Penetration Testing

Penetration testing, or pen testing, is a critical cybersecurity practice where a simulated attack is conducted on a company’s infrastructure, systems, and applications to identify security vulnerabilities that malicious hackers could exploit. Organisations must protect their sensitive data and comply with various regulations as technology and internet reliance grows.

In today’s digital era, penetration testing has become crucial to an organisation’s cybersecurity strategy. With the rising sophistication of cyber threats, organisations must proactively identify and address potential vulnerabilities in their systems and networks.

A penetration tester aims to emulate real-world attackers using automated tools and manual techniques to uncover potential weaknesses. From network penetration testing to web application and mobile app penetration testing, a comprehensive pen test covers a wide range of attack vectors. Penetration testing offers significant insights for IT and security teams, helping them prioritise their remediation efforts and improve their overall security posture.

Different pen tests, such as white box, grey box, and black box tests, provide varying information about the target environment to the pen tester. Regardless of the type, a well-executed penetration test can help organisations identify and address vulnerabilities, reduce the risk of breaches, and maintain compliance with industry regulations.

What does a penetration test cover?

A penetration test, i.e. a network penetration test or web application penetration testing exercise, typically includes various stages:

1. Defining objectives and scope: Establish the pen test’s purpose, goals, and limits.
2. Intelligence gathering: Collect info about the target’s network, system configurations, and security mechanisms.
3. Vulnerability discovery: Identify security gaps or weaknesses through scanning or manual testing.
4. Exploitation and Post Exploitation: Safely exploit vulnerabilities to understand the potential impact of an attack.
5. Data Analysis and Reporting: Analyse test data and report on vulnerabilities, exploits, compromised data, and risk mitigation recommendations.

Defining Objectives and Scope

Clear objectives and a defined scope are necessary for a focused and efficient assessment of the target environment during a penetration test. The goals may include:

• Evaluating the security of IT environments
• Assessing resilience to cyberattacks
• Evaluating technology assets for security safeguards and controls
• Identifying weaknesses in defences against attacks

The scope of the penetration test will depend on the specific objectives and the type of test being conducted.

For example, an internal test, similar to a white box test, provides the tester with information about the target environment, primarily an internal network. However, an internal test is also performed as a blind test where zero information is provided to the security consultant.

In contrast, a grey box test offers limited knowledge and a standard user account. By defining the objectives and scope, the penetration tester on the job can tailor their approach and focus on the most critical aspects of the target environment. Based on these behaviours, penetration test cost may vary along with other factors such as asset base and testing window.

Surveillance and Intelligence Gathering

Surveillance and intelligence gathering are crucial to gaining valuable insights into the target system. During this phase, pen testers use:

• Passive techniques, such as researching publicly accessible information and network architecture
• Active approaches like discovery scanning and risk analysis
• Social engineering techniques for gathering information

Vulnerability Discovery

The vulnerability discovery phase holds a significant role in the penetration testing process. Pen testers use tools like port scanning and vulnerability scanners to identify potential pathways to access the network and its systems.

Once vulnerabilities have been identified, pen testers can exploit these weaknesses to gain unauthorised access to the target environment.

By discovering and documenting vulnerabilities, organisations can better understand and address potential security risks, ultimately enhancing their overall security.

For example, we will share an extensive example of vulnerability discovery, exploitation and post-exploitation scenarios around injection attacks. A SQL injection attack is present due to an application’s inability to sanitise the user input. 

A SQL injection (SQLi) attack targets web applications that interact with databases. Malicious actors insert rogue SQL code into input fields, manipulating the application’s queries to the database. For instance, an attacker might enter ' OR 1=1-- into a username field, effectively bypassing authentication checks by making the SQL query always evaluate to true. This could grant unauthorised access to sensitive data or allow the attacker to modify the database content.

Exploitation and Post-exploitation

In this phase, the pen tester attempts to leverage the discovered vulnerabilities to gain unauthorised access. It’s a crucial step to understand the potential impact an attacker could have and the one that differentiates pen testing from vulnerability scanning. The goal is not just to gain access but to know how the vulnerability can be exploited. Post-exploitation activities might involve maintaining access, pivoting to other systems, or exfiltrating data to demonstrate a real-world attack scenario.

After gaining initial access, maintaining access to the target environment requires exploiting identified vulnerabilities and establishing persistence. Standard methods of gaining access include:

• Web application attacks, such as cross-site scripting and SQL injection
• Backdoors
• Physical penetration testing
• Scanning and enumeration
• Technical tools are used to perform vulnerability scans and identify gateways for unauthorised access.

Establishing persistence during a penetration test involves techniques that enable the tester to maintain long-term access to systems or networks even after disruptions such as restarts or changed credentials. This allows the pen tester to:

• Reconnect to the compromised host
• Use it as a remote access tool
• Provide valuable insights into the target environment’s security and potential weaknesses.

We will extend the SQL injection example from the previous phase to this one, showing how exploitation leads to the next step. During a pen test, a tester would use tools like SQLMap or Burp Suite to automate SQLi attacks, testing various input fields for vulnerabilities. If an SQLi vulnerability is discovered, exploitation is done by checking if a pen tester can cause the application to respond with the desired output. For instance, a small SQL statement that shows 0 or 1 output or causes to display data. When this works, this process is continued with queries to enumerate the backend database. Risk remediation often involves input validation and parameterised queries. Input validation ensures that only expected data types are accepted, while parameterised queries treat user input as data, not code, preventing SQL injection attempts.

Data analysis and reporting

After concluding the pen test, it is essential to record and examine the results to understand the identified vulnerabilities and their potential impact on the target environment. Comprehensive and accurate reporting helps organisations prioritise vulnerabilities, suggest remediation actions, and guide them in improving their overall security position.

Documenting exploits and vulnerabilities in a standardised penetration testing report template allows organisations to maintain a clear record of the security weaknesses identified during testing. By classifying the severity of exploits and vulnerabilities based on their potential impacts and risks to the business, organisations can prioritise which vulnerabilities should be addressed first and plan remediation efforts accordingly.

The most suitable format for documenting exploits and vulnerabilities in a penetration test report includes the following:

1. Executive summary
2. A comprehensive description of the vulnerabilities identified.
3. Business impact of the vulnerabilities
4. Risk scores associated with each vulnerability
5. Remediation plan

Proper documentation ensures that organisations understand the security risks and potential consequences, allowing them to make informed decisions and prioritise actions to address the identified vulnerabilities.

For example, cross-site scripting vulnerability identified during a pen test may vary in its implications based on the input fields, the underlying functionalities it impacts and dependencies. This is how the severity of the issue may change when aggregated environment metrics are taken into account. Therefore, this also impacts the priority assigned to remediate a problem.

Your pen testing report is the security passport for your product and services to the world. It demonstrates the validation of your security measures and cyber security strategy at a wider level. 

Crafting recommendations includes analysing the identified vulnerabilities’ root causes and potential impacts, providing detailed explanations, and offering actionable solutions. By following industry best practices and tailoring recommendations to the organisation, a penetration testing report can provide valuable guidance for ongoing security improvement and help organisations mitigate potential risks in the future.

Real-World Pen Testing Examples

Read our examples from the front line of how we support our customers. 

Online retail / eCommerce provider’s mobile application security improvement

A leading online fashion retailer preparing to launch a mobile app for its supply chain engaged Cyphere’s security consultants to ensure the app’s protection of sensitive customer data. Cyphere’s comprehensive mobile pen testing assessment uncovered critical vulnerabilities, including a backdoor susceptible to insider attacks and broken API access controls that could expose data to unauthorised users.

Cyphere provided immediate remediation guidance, helping with prioritising fixes for these critical issues and outlining a risk-based approach to address other vulnerabilities. By proactively identifying and resolving these security flaws, Cyphere enabled this retailer to launch its mobile app confidently, protecting customer data and brand reputation and mitigating the risk of costly data breaches.

Construction giant’s request for a stealth penetration test to check MSSP’s effectiveness

A leading UK homebuilder with over £700 million in revenue sought to validate the effectiveness of its recent security enhancements, including vulnerability management and an outsourced Security Operations Center (SOC). Cyphere conducted a tailored assessment, including stealth penetration testing to evaluate the SOC’s responsiveness, device security checks for offsite usage, and a digital attack surface assessment.

Cyphere’s stealth pentesting helped the company strengthen its defences against insider threats and improve overall security controls and processes with its MSSP. The assessment also provided insights into the organisation’s expanding infrastructure and identified potential threat indicators online. This comprehensive evaluation empowered the homebuilder to proactively address vulnerabilities and enhance its overall security posture, safeguarding its operations and data.

You can also read our retail, fintech, construction, housing and social care case studies. 

Crafting Your Penetration Testing Toolkit

Constructing a broad penetration testing toolkit is necessary for carrying out practical assessments. The right tools for this purpose include:

• Port and vulnerability scanner
• Network sniffers
• Web proxies
• Password crackers
• Disassemblers
• Exploitation frameworks
• Post exploitation tools

These tools can help identify and exploit vulnerabilities and potential attack vectors in the target computer system environment, including operating systems.

Choosing the proper penetration testing tools is critical to achieving high-quality results. Factors to consider when selecting tools include:

• Effectiveness
• Ease of use
• Compatibility
• Support

By selecting the right tools for the job, penetration testers can streamline the penetration testing process and focus on uncovering any security flaws and issues.

Some popular and effective penetration testing utilities include:

• NMap
• Nessus
• Burp
• Linux Kali and similar OS distributions meant for security teams
• Lots of scripts and utilities that are open-source or proprietary to some research teams

These utilities cover various aspects of penetration testing, from network scanning and vulnerability assessment to web application testing and automated attack simulation. The use of network services test tools varies depending on the scope of the penetration test.

For instance, a vulnerability assessment may not need as many toolsets to be ready as a network penetration test that involves manual and automated testing. Vulnerability scans are often broad and operate ‘fire and forget’ mechanisms utilising commercial vulnerability scanners. Meanwhile, web application or network penetration testing on an internal network involves manual and automated testing with lots of skill-set-based thinking and logical steps.

Ensuring that your toolkit is comprehensive and up-to-date can give you the edge in identifying security vulnerabilities in your organisation’s systems and networks.

Selection Criteria for Tools

Choosing penetration testing tools requires consideration of various factors, including:

• Convenience of implementation
• Methodology
• Testing necessities
• Certifications
• Reputation
• Expertise
• Functionality

Ease of use is critical, as user-friendly tools improve efficiency, minimise the learning curve, and allow testers to focus more on the actual testing process.

Compatibility is another crucial consideration when selecting penetration testing tools. Ensuring the chosen tools are compatible with the systems, frameworks, and technologies being tested helps guarantee accurate and complete testing results. Additionally, having proper support for the tools ensures:

• Reliability
• Compatibility
• Ease of implementation
• Consistent updates and maintenance

Must-Have Pen Testing Utilities

Every penetration tester should have several essential utilities in their toolkit. These utilities include:

• Port and vulnerability scanners
• Network sniffers
• Web proxies
• Password crackers

These tools help identify vulnerabilities in the target environment and provide valuable insights that can be used to craft an effective penetration testing strategy.

Some of the most highly-rated penetration testing utilities available today are:

• Burp Suite
• Metasploit
• Nmap
• Wireshark
• OWASP ZAP

These utilities cover many penetration testing scenarios, from network scanning and vulnerability assessment to web application testing and automated attack simulation. By incorporating these must-have utilities into your toolkit, you can ensure a comprehensive and effective penetration testing process.

Our penetration testing is similar to everybody else’s, except that we extend this with several factors, such as the personalised approach to every proposal, customer context, reporting requirements, and post-engagement service. The following areas discuss what sets a pen test apart from the standard ‘report and run’ providers. 

Simulating Advanced Threats

Simulating advanced threats during a penetration test involves replicating advanced persistent threats (APTs) or employing a threat library to emulate a range of attacks and techniques. This enables organisations to evaluate their security defences against realistic and sophisticated cyber threats.

By simulating advanced threats, organisations can:

• Identify potential vulnerabilities and weaknesses that traditional security measures may not detect
• Take a preemptive approach to strengthening their security controls
• Reduce the risk of real-world attacks
• Ensure the effectiveness of their defences against advanced threats

This insight helps organisations improve their overall security posture, including network security, and protect against evolving cyber threats.

Documenting Exploits and Security Vulnerabilities

Documenting the exploits and vulnerabilities discovered during a pen test is crucial for several reasons. It enables the organisation to:

• Maintain a comprehensive record of security weaknesses
• Analyse their root causes and potential impacts
• Prioritise and plan remediation efforts
• Ensure compliance with industry regulations and standards.

Crafting recommendations that are more than reference links

Providing recommendations for strengthening your resilience involves analysing the identified vulnerabilities and their potential impacts, prioritising them based on severity, and offering actionable solutions for remediation. These recommendations should consider industry best practices and be tailored to the specific needs and context of the organisation.

By following the guidance in a penetration test report, organisations can address the identified vulnerabilities, improve their overall security posture, and reduce the risk of future attacks. This proactive approach to infrastructure testing and security management helps organisations avoid emerging threats and ensures their defences effectively detect and mitigate potential risks.

For example, by default, Cypher ensures strategic and tactical recommendations are provided with every project we undertake. Additionally, we ensure a debrief is set up with stakeholders, including functional and technical teams, to ensure an understanding of issues and support for a straightforward risk remediation process.

Ensuring Ethical Conduct and Legal Compliance

While penetration testing is valuable for improving an organisation’s security posture, maintaining ethical conduct and legal compliance throughout the testing process is crucial. This involves:

• Navigating ethical boundaries
• Obtaining proper authorisation
• Respecting privacy
• Maintaining professional integrity during the penetration test

Complying with regulations and standards, such as SOC 2 and ISO 27001, guarantees that the penetration test aligns with industry best practices and legal obligations. Adhering to these standards also helps organisations demonstrate their commitment to security and compliance to stakeholders, regulatory bodies, and auditors.

By ensuring ethical conduct and legal compliance during penetration testing, organisations can achieve several benefits:

• Identify and address vulnerabilities
• Demonstrate commitment to security
• Instill trust in customers and partners
• Maintain a strong reputation in the industry

Navigating Ethical Boundaries

Navigating ethical boundaries during penetration testing requires:

• Obtaining appropriate authorisation and consent before testing
• Defining the exact scope of testing and not exceeding it
• Taking responsibility for all actions during the test
• Respecting the confidentiality and privacy of sensitive information
• Handling any potential illegal discoveries appropriately

An ethical hacker must adhere to legal and regulatory requirements, maintain professional integrity, and ensure that their actions do not cause harm to the target system or to network traffic. By navigating ethical boundaries during penetration testing, organisations can ensure that the testing process is conducted responsibly and in line with industry best practices.

Complying with Regulations and Standards

Following regulations and standards during penetration testing is vital for upholding industry best practices and meeting legal requirements. Compliance with SOC 2 and ISO 27001 positively improved testing, ensuring the test is conducted per established information security management system (ISMS) standards.

Compliance with these standards also helps organisations:

• Recognise areas of non-compliance
• Address associated vulnerabilities
• Enhance their overall security posture
• Meet regulatory requirements

By adhering to regulations and standards, organisations can ensure that their penetration testing process is effective and in line with industry best practices and legal obligations.

Why do we talk about this topic?

Mastering the art of penetration testing is essential for organisations looking to strengthen their security posture and protect their valuable assets. Organisations can identify and address potential weaknesses in their systems and networks by following the discussed steps, including defining objectives and scope, gathering intelligence, discovering vulnerabilities, and executing strategically. Ensuring ethical conduct, legal compliance, and adherence to industry best practices throughout the testing process further enhances the effectiveness of penetration testing and provides organisations with a strong foundation for maintaining a robust security posture in an ever-evolving digital landscape.

Set up a casual chat and see what we are doing differently to others. 

Should you wish to request a quote, check our CREST penetration testing services. 

Frequently Asked Questions

What are the five steps of penetration testing?

Reconnaissance, Scanning, Vulnerability Assessment, Exploitation, Reporting.

What are the three types of penetration tests?

Black box (simulates external attacker), white box (authorised tester with full knowledge), and grey box (mix of both).

Is pen testing hard?

It depends on your experience and the scope. Basic tests can be learned, but advanced skills require dedication and training.

Where do I start with pen testing?

Learn ethical hacking basics, practice in safe environments like CTFs, and consider certifications like OSCP, Burp BCSP, TCM Security, and CREST.

What is the goal of penetration testing?

To identify and exploit vulnerabilities before attackers do, improving your cyber security posture.

What is an example of a pentest?

Testing a website for SQL injection and XSS vulnerabilities to see if attackers could exploit such vulnerabilities and steal user data.

What are the first steps in pen testing?

Define scope, gather information, and map the target system.

What should be included in a pen test?

Clear objectives, methodology, vulnerability assessment, exploitation attempts, and a detailed report.

How do you perform a standard penetration test?

Follow a structured methodology like PTES or OSSTMM, adapting it to your needs.