Ask the Expert

What structure can I follow for penetration testing?

I am basically interested in penetration testing. I am not able to get the exact methodology and process for the same, if you could provide me some links or materials.

    Requires Free Membership to View

Depending on which book you read or document you examine you will find that the labels used for pen testing are laid out a little differently. Basically the structure is as follows:

1. Legalities – You need to sign a contract with the client and make sure you are legally covered before starting any test.

2. Footprinting – This phase of the pen test involves finding out as much as possible about the client's security posture. These activities can be passive or active.

3. Scanning – This is where the pen test starts to get technical. Various tools can be used to scan for open ports, applications, and vulnerabilities.

4. Enumeration – A more directed query focused on the possible targets for attack.

5. System attack – At this point a member of the pen test team has located a vulnerability that will allow them access to the targeted resource.

6. Privilege Escalation – Not every system hack will initially provide full access to the targeted system, in those circumstances privilege escalation is required.

7. Planting the flag – Most pen tests will have a stated target. Such as gain access to the system, plant a flag, remove the CEO's password, etc.

8. Prepare the report – Here is where the paperwork comes in you will need to document how you were able to gain access, what vulnerabilities were discovered, the risk of the vulnerabilities, and how you propose they be dealt with.

There are many good books on the topic of pen testing. Two I would recommend are: Que's Certified Ethical Hacker Exam Prep and Inside Network Risk Assessment.

This was first published in August 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: