Hack the 10 Steps of the Pentesting Routine

Soothe the Pain Points, Expand Your Tooling, Pentest Like a Pro

Penetration testing is a vital and highly utilized means of increasing an organization’s cybersecurity posture by having professional hackers examine the network, systems, or apps for potential vulnerabilities before weaknesses are exploited by the bad guys. Penetration testing is an important step in a program becoming more mature and is highly accessible as it can be almost entirely outsourced.

For those professionals doing the testing or running pentesting practices, maximizing time spent hacking and continuously upping your game are key to retaining elite professionals, growing the practice, and making a real difference in the cybersecurity of your clients.

PlexTrac Hacker in Residence Nick Popovich and Career Pentester and Product Evangelist Joe Pierini shared their wealth of experience in a webinar: Hack Your Pentesting Routine: Secrets for Success. The full presentation covered each step in the penetration testing lifecycle offering pro tips for improving effectiveness and efficiency at every point.

Don’t have time for the full hour or already watched? Use our reference below of the top takeaways for each stage. Ready to streamline the process from start to finish with the premier reporting and management platform for pentesters? Request a PlexTrac demo today.

Step 1: Setup

The setup for a penetration testing engagement may be the most important stage in the cycle, as it is critical for establishing scope and expectations with the customer. The importance of communicating with all stakeholders and documenting a detailed plan before beginning any work can’t be overstated.

Pentesting Pain Point Soothed

Establishing a single source of truth for all information about the engagement at the setup stage will save many headaches throughout the full penetration test. Poor project management, which is often exacerbated by insufficient tooling, can lead to inefficiency at best and costly mistakes or miscommunications at worst.

Pentesting Tools to Try

While email, Google or Microsoft Suite, and Slack are all great products that help with productivity and communication, none are designed for project management. Jira may be your go to ticketing tool and can certainly help with the logistics of a penetration test. However, PlexTrac is specifically designed to support the management of penetration tests from data ingestion to read-out — and with the PlexTrac/Jira integration, you can easily output tickets in a format your team is already comfortable with.

Pentesting Pro Tip

Joe’s pro tip: “Communication is key. Don’t end up flying to the wrong location because you lack a single source of truth. The client details, the statement of work, the standard operating procedures should all be in a single, easy to source place so there are no questions, and fewer chances of mistakes.”

Step 2: Discovery

In the discovery phase, you will be conducting reconnaissance and system scanning to determine what hosts, systems, applications or endpoints are “live” and communicable. This information gathering step sets the stage for how the rest of the engagement will proceed.

Pentesting Pain Point Soothed

During discovery, it is again important to validate scope. Failing to do so can lead to missed opportunities or flat out wasted time. Avoid pain at this point by communicating again with the client to confirm your parameters for the next phase. “Trust but verify” is the name of the game.

Pentesting Tools to Try

Check out the following scanning and discovery tools that are helpful at the discovery phase:

Nmap (link)
masscan (link)
Sublist3r (https://github.com/aboul3la/Sublist3r)
Nuclei (https://github.com/projectdiscovery/nuclei)
Shodan (https://www.shodan.io/)
Urlscan.io (https://urlscan.io/)
Censys.io (https://search.censys.io/)

Pentesting Pro Tip

Nick’s pro tip: “Leverage tools like OWASP amass (https://github.com/OWASP/Amass) and use some of the free (or pay-for) API keys to get access to feeds of data that can really aid in your discovery of domain names related to your target. Some of my favorites are censys.io, shodan, security trails, cert.sh. Use amass and the enum and intel switches to observe additional hostnames from DNS and SSL certificates. Further, amass has the ability to inspect the SAN (subject alternative name) of SSL certificates to find more viable hostnames.”

Step 3: Enumeration

Enumeration is the first touch point with the client’s systems. Here you will be gathering all the data needed to exploit vulnerabilities in the system. Essentially, enumeration involves defining the viable attack surface.

Pentesting Pain Point Soothed

A pain point during enumeration can be an over reliance on automation tools that fails to take advantage of the elite skills of the human hacker. Use those automation tools, but be sure to also account for the holes that they can’t cover.

Pentesting Tools to Try

Try out these tools at the enumeration phase.

nmap’s “list scan” option (https://nmap.org/book/host-discovery-controls.html)
Enum4Linux (https://github.com/CiscoCXSecurity/enum4linux)
DirBuster (And it’s variations) (https://www.kali.org/tools/dirbuster/ and https://www.kali.org/tools/gobuster/)
rpcclient & smbclient (Native *NIX tools)

Pentesting Pro Tip

Step 4: Detection

During detection, you’ll be identifying and documenting the vulnerabilities you’ve discovered. You haven’t actually exploited them yet but have a clear picture of all the areas of concern and how to take advantage of them.

Pentesting Pain Point Soothed

Communicating with the client again at the detection phase before actually breaking things is essential to avoid problems in the active phases of the penetration test.

Pentesting Tools to Try

Check out the following detection tools:

Exploit-DB (https://www.exploit-db.com/)
Vulners (https://vulners.com/)
Vulners NSE Script for nmap (https://github.com/vulnersCom/nmap-vulners)
ScoutSuite (https://github.com/nccgroup/ScoutSuite)
Kube Bench (https://github.com/aquasecurity/kube-bench)
Wireshark (https://www.wireshark.org/)
Responder (https://github.com/lgandx/Responder)
EyeWitness (https://github.com/FortyNorthSecurity/EyeWitness
Pcredz (https://github.com/lgandx/PCredz)

Pentesting Pro Tip

Joe pro tip: “Detection is where a lot of work by the community is being done, so spend a little time refreshing your toolkit from time to time. Even tried and true tools get forked and new functionality gets added. This is also where you will reap the benefits of automation. If you have to do the same task more than once, it’s time to script it.”

Step 5: Exploitation

To quote Obi-Wan Kenobi, “This is where the fun begins.” The exploitation stage is the active part of the penetration test where you really get to exercise skill and creativity by actually testing the identified vulnerabilities in the system.

Pentesting Pain Point Soothed

While it seems like exploitation is the stage that you were actually hired to perform, things can get sticky when you start actively hacking. It is important to establish some rules of engagement at this point so the client is prepared for whatever disruption the active testing could cause.

Pentesting Tools to Try

Give these tools a try at the exploitation phase:

Metasploit (https://www.metasploit.com/)
Core Impact (https://www.coresecurity.com/products/core-impact)
Canvas (https://immunityinc.com/products/canvas/)
The Veil-Framework (https://github.com/Veil-Framework)
PowerSploit (https://github.com/PowerShellMafia/PowerSploit)
Empire Framework (https://www.kali.org/tools/powershell-empire/)

Pentesting Pro Tip

Nick pro tip: “Take an active approach and a broad view of the term ‘exploitation.’ Don’t be limited by semantics and miss opportunities to add value to the client.”

Step 6 Post Exploitation

In the post-exploitation phase, the main object is to demonstrate the scope of impact exploitation could have on the organization. You’ll see how far down the rabbit hole you can go and how valuable the assets you are able access are to the client.

Pentesting Pain Point Soothed

Once again, communication is key to avoiding inefficiency or worse as you delve deeper into the client’s environment. Be sure to obtain consent or permission to see how far things go so your creativity and skill don’t extend beyond what the client is prepared for.

Pentesting Tools to Try

Post exploitation is where your l33t skills really shine. It’s time to avoid automation and live off the land as you really test out what experienced human hackers could do in the environment; that said, these are also some helpful resources to check out:

Bloodhound (https://github.com/BloodHoundAD/BloodHound)
Live off the Land (LotL) (https://www.sans.org/white-papers/39450/)
Bettercap (https://www.bettercap.org/)
SQLMap (https://sqlmap.org/)

Pentesting Pro Tip

Nick and Joe pro tip: “Don’t forget to clean up after yourself!”

Step 7: Reporting

Preparing the report should never be an afterthought in the penetration test lifecycle as the report is the primary deliverable and what the client is really paying you for. Thorough, well-formatted reports are what the client will use to actually put the penetration test results to work improving their security.

Pentesting Pain Point Soothed

Waiting until after the testing is done to start preparing the report is a major missed opportunity that will almost certainly cost your time — probably your evenings or weekend. Instead, gather key report elements like data and evidence as you go along so that you aren’t searching or recreating when it comes time to document your work.

Pentesting Tools to Try

PlexTrac … Duh! PlexTrac is the premier platform for pentest reporting allowing you to cut reporting time in half. Among many other features designed to streamline the reporting process, PlexTrac’s ability to easily store, access, and modify libraries of reusable content like finding writeups and narratives provides tremendous value. No more copy and pasting and losing your best stuff.

Pentesting Pro Tip

Joe pro tip: “The report is what we get paid for, not all the fun stuff before. The quality and presentation of your report is critical to its reception and willingness of your client to correct the defects you identified.”

Nick pro tip: “Establishing a solid process for producing reports is everything. Making reporting more efficient is essential for maximizing profits and scaling your practice.”

Step 8: Read-Out

It’s time to walk the client through your work. The read-out is the hand off to the client of the report and an opportunity to add value and answer questions.

Pentesting Pain Point Soothed

Not every hacker is great at communicating. Many hate interfacing with the client at the read-out or just aren’t skilled at getting the right information across. If you can enable your best communicators, even if that’s not the operator, to do the read-out with the client, you’ll be much happier with the results and free up your hackers to do what they do best. Win, win.

Pentesting Tools to Try

Again … PlexTrac. In this case, PlexTrac provides a single source of truth to house all information about the engagement so that anyone on the team can skillfully do the read-out.

Pentesting Pro Tip

Nick pro tip: “Work to understand the audience during the read-out so you can deliver the information they need at the appropriate level of technicality. Avoid just reading through the report, but rather add value beyond what you’ve already documented.”

Step 9: Remediation

While seeing the process through to remediation is not a part of every penetration test, it may be necessary for organizations working within certain regulatory regimes. Even when remediation is not required, factoring time into the project scope to discuss remediation strategy for the most critical findings can be helpful.

Pentesting Pain Point Soothed

If you are tired of coming back year after year and identifying the same issues, try to build in guidance for the client on priorities for remediation. Where can they get the most value for their time and money as they work through the results of your report?

Pentesting Tools to Try

This stage is where you can provide tools to your clients. Be sure to list the tools and the syntax you used in the finding descriptions. Give your client everything they need to be able to reproduce your actions step by step, where possible.

Pentesting Pro Tip

Joe pro tip: “Avoid screen shots of console output and insert the exact commands into the report with a different font to highlight it. Make it easy for the client to cut and paste your commands. We want to reduce the friction to validating remediation and cut down the back and forth with the client.”

Step 10: Final Testing

The final testing phase is again an optional one that probably won’t happen in the majority of penetration tests. This is a step to determine if the remediation was successful and if key issues have been fully addressed. Again, this stage is most likely to be a requirement when industry regulations are involved.

Pentesting Pain Point Soothed

Wouldn’t it be great if final testing were included with every penetration testing engagement? Think of the progress the client would make in maturing their program and, in turn, the improved challenge of the next pentest for the operators. Even if you don’t have final testing in the scope of an engagement, work to build in communication as much as possible throughout to support the client’s ability to take action on your recommendations.

Pentesting Tools to Try

Rinse and repeat!

Pentesting Pro Tip

Joe pro tip: “Remediation disturbs the environment and new vulnerabilities may be introduced by the fixes the client made. Don’t just test for the findings you found the first time. Poke around the edges a little to see if there’s anything else you might discover.”