Do you want to enhance your organisation’s cybersecurity by identifying and addressing vulnerabilities before they can be exploited? Mastering the art of penetration testing is a vital skill for any security professional and an essential component of a robust security strategy. In this blog post, we’ll guide you through “how to do penetration testing”, providing valuable insights and actionable recommendations to strengthen your security posture.
Penetration testing, or pen testing, is a critical cybersecurity practice where a simulated attack is conducted on a company’s infrastructure, systems, and applications to identify security vulnerabilities that malicious hackers could exploit. Organisations must protect their sensitive data and comply with various regulations as technology and internet reliance grows.
In today’s digital era, penetration testing has become crucial to an organisation’s cybersecurity strategy. With the rising sophistication of cyber threats, organisations must proactively identify and address potential vulnerabilities in their systems and networks.
A penetration tester aims to emulate real-world attackers using automated tools and manual techniques to uncover potential weaknesses. From network penetration testing to web application and mobile app penetration testing, a comprehensive pen test covers a wide range of attack vectors. Penetration testing offers significant insights for IT and security teams, helping them prioritise their remediation efforts and improve their overall security posture.
Different pen tests, such as white box, grey box, and black box tests, provide varying information about the target environment to the pen tester. Regardless of the type, a well-executed penetration test can help organisations identify and address vulnerabilities, reduce the risk of breaches, and maintain compliance with industry regulations.
A penetration test, such as a network penetration test or a web application penetration testing exercise, typically includes the following stages:
Clear objectives and a defined scope are necessary for a focused and efficient assessment of the target environment during a penetration test. The goals may include:
The scope of the penetration test will depend on the specific objectives and the type of test being conducted.
For example, an internal test is often run as a white box test, where the tester is given information about the target environment, primarily the internal network. An internal test can also be run as a blind test, where no information at all is provided to the security consultant.
In contrast, a grey box test offers limited knowledge and a standard user account. By defining the objectives and scope, the penetration tester can tailor their approach and focus on the most critical aspects of the target environment. The cost of a penetration test varies with these choices, along with other factors such as the size of the asset base and the testing window.
Surveillance and intelligence gathering are crucial to gaining valuable insights into the target system. During this phase, pen testers use:
The vulnerability discovery phase holds a significant role in the penetration testing process. Pen testers use tools like port scanning and vulnerability scanners to identify potential pathways to access the network and its systems.
Once vulnerabilities have been identified, pen testers can exploit these weaknesses to gain unauthorised access to the target environment.
By discovering and documenting vulnerabilities, organisations can better understand and address potential security risks, ultimately enhancing their overall security.
Below, we walk through an extended example covering vulnerability discovery, exploitation and post-exploitation around injection attacks. A SQL injection vulnerability arises when an application fails to sanitise user input.
A SQL injection (SQLi) attack targets web applications that interact with databases. Malicious actors insert rogue SQL code into input fields, manipulating the queries the application sends to the database. For instance, an attacker might enter ' OR 1=1-- into a username field, bypassing authentication checks by making the query's WHERE clause always evaluate to true. This could grant unauthorised access to sensitive data or allow the attacker to modify database content.
In this phase, the pen tester attempts to leverage the discovered vulnerabilities to gain unauthorised access. It’s a crucial step to understand the potential impact an attacker could have and the one that differentiates pen testing from vulnerability scanning. The goal is not just to gain access but to know how the vulnerability can be exploited. Post-exploitation activities might involve maintaining access, pivoting to other systems, or exfiltrating data to demonstrate a real-world attack scenario.
After gaining initial access, maintaining access to the target environment requires exploiting identified vulnerabilities and establishing persistence. Standard methods of gaining access include:
Establishing persistence during a penetration test involves techniques that enable the tester to maintain long-term access to systems or networks even after disruptions such as restarts or changed credentials. This allows the pen tester to:
We will extend the SQL injection example from the previous phase to show how exploitation leads to the next step. During a pen test, a tester would use tools like SQLMap or Burp Suite to automate SQLi testing across the application's input fields. If an SQLi vulnerability is found, exploitation begins by checking whether the tester can make the application respond with a chosen output: for instance, a small injected SQL statement that makes the page return a true/false (0 or 1) result or display data. When this works, the process continues with queries that enumerate the backend database. Remediation usually involves input validation and parameterised queries. Input validation ensures that only expected data types are accepted, while parameterised queries treat user input as data, not code, preventing SQL injection attempts.
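To make the bypass and the two fixes concrete, here is an added Python example (not Cyphere's code and not from the original post) using a constructed in-memory SQLite user table: the concatenated query accepts the ' OR 1=1-- username from the text as a valid login, while the parameterised query and an allowlist check on the username (both assumed implementations of the remediations named above) reject it.

```python
import hashlib
import re
import sqlite3


def hash_pw(password: str) -> str:
    # SHA-256 keeps the example short; a real application would use a
    # salted, slow password hash such as Argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demonstration, not a real user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("alice", hash_pw("correct horse")))
    conn.commit()
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    # Untrusted input is spliced straight into the SQL text, so the
    # username ' OR 1=1-- turns the WHERE clause into a tautology and
    # comments out the password check.
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{hash_pw(password)}'")
    return conn.execute(sql).fetchone() is not None


def parameterised_login(conn, username: str, password: str) -> bool:
    # Placeholders send the input as bound data; the database never
    # parses it as SQL, so the same payload simply matches no user.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row is not None


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(username: str) -> bool:
    # Allowlist validation: only the characters a username may contain.
    return USERNAME_RE.fullmatch(username) is not None


def safe_login(conn, username: str, password: str) -> bool:
    # Defence in depth: validate the shape of the input, then query safely.
    if not valid_username(username):
        return False
    return parameterised_login(conn, username, password)
```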
After concluding the pen test, it is essential to record and examine the results to understand the identified vulnerabilities and their potential impact on the target environment. Comprehensive and accurate reporting helps organisations prioritise vulnerabilities, suggest remediation actions, and guide them in improving their overall security position.
Documenting exploits and vulnerabilities in a standardised penetration testing report template allows organisations to maintain a clear record of the security weaknesses identified during testing. By classifying the severity of exploits and vulnerabilities based on their potential impacts and risks to the business, organisations can prioritise which vulnerabilities should be addressed first and plan remediation efforts accordingly.
The most suitable format for documenting exploits and vulnerabilities in a penetration test report includes the following:
Proper documentation ensures that organisations understand the security risks and potential consequences, allowing them to make informed decisions and prioritise actions to address the identified vulnerabilities.
For example, a cross-site scripting vulnerability identified during a pen test may vary in its implications depending on the input fields affected, the underlying functionality it impacts and its dependencies. This is how the severity of an issue can change once aggregated environmental metrics are taken into account, which in turn affects the priority assigned to remediating it.
Your pen testing report is the security passport for your product and services to the world. It demonstrates the validation of your security measures and cyber security strategy at a wider level.
Crafting recommendations includes analysing the identified vulnerabilities’ root causes and potential impacts, providing detailed explanations, and offering actionable solutions. By following industry best practices and tailoring recommendations to the organisation, a penetration testing report can provide valuable guidance for ongoing security improvement and help organisations mitigate potential risks in the future.
Read our examples from the front line of how we support our customers.
A leading online fashion retailer preparing to launch a mobile app for its supply chain engaged Cyphere’s security consultants to ensure the app’s protection of sensitive customer data. Cyphere’s comprehensive mobile pen testing assessment uncovered critical vulnerabilities, including a backdoor susceptible to insider attacks and broken API access controls that could expose data to unauthorised users.
Cyphere provided immediate remediation guidance, helping with prioritising fixes for these critical issues and outlining a risk-based approach to address other vulnerabilities. By proactively identifying and resolving these security flaws, Cyphere enabled this retailer to launch its mobile app confidently, protecting customer data and brand reputation and mitigating the risk of costly data breaches.
A leading UK homebuilder with over £700 million in revenue sought to validate the effectiveness of its recent security enhancements, including vulnerability management and an outsourced Security Operations Center (SOC). Cyphere conducted a tailored assessment, including stealth penetration testing to evaluate the SOC’s responsiveness, device security checks for offsite usage, and a digital attack surface assessment.
Cyphere’s stealth pentesting helped the company strengthen its defences against insider threats and improve overall security controls and processes with its MSSP. The assessment also provided insights into the organisation’s expanding infrastructure and identified potential threat indicators online. This comprehensive evaluation empowered the homebuilder to proactively address vulnerabilities and enhance its overall security posture, safeguarding its operations and data.
You can also read our retail, fintech, construction, housing and social care case studies.
Constructing a broad penetration testing toolkit is necessary for carrying out practical assessments. The right tools for this purpose include:
These tools help identify and exploit vulnerabilities and potential attack vectors in the target environment, including its operating systems.
Choosing the proper penetration testing tools is critical to achieving high-quality results. Factors to consider when selecting tools include:
By selecting the right tools for the job, penetration testers can streamline the penetration testing process and focus on uncovering any security flaws and issues.
Some popular and effective penetration testing utilities include:
These utilities cover various aspects of penetration testing, from network scanning and vulnerability assessment to web application testing and automated attack simulation. The use of network services test tools varies depending on the scope of the penetration test.
For instance, a vulnerability assessment may not need as many toolsets as a network penetration test that combines manual and automated testing. Vulnerability scans are often broad, 'fire and forget' exercises run with commercial vulnerability scanners. Web application or internal network penetration testing, by contrast, combines manual and automated testing with a great deal of skill-based thinking and logical steps.
Ensuring that your toolkit is comprehensive and up-to-date can give you the edge in identifying security vulnerabilities in your organisation’s systems and networks.
Choosing penetration testing tools requires consideration of various factors, including:
Ease of use is critical, as user-friendly tools improve efficiency, minimise the learning curve, and allow testers to focus more on the actual testing process.
Compatibility is another crucial consideration when selecting penetration testing tools. Ensuring the chosen tools are compatible with the systems, frameworks, and technologies being tested helps guarantee accurate and complete testing results. Additionally, having proper support for the tools ensures:
Every penetration tester should have several essential utilities in their toolkit. These utilities include:
These tools help identify vulnerabilities in the target environment and provide valuable insights that can be used to craft an effective penetration testing strategy.
Some of the most highly-rated penetration testing utilities available today are:
These utilities cover many penetration testing scenarios, from network scanning and vulnerability assessment to web application testing and automated attack simulation. By incorporating these must-have utilities into your toolkit, you can ensure a comprehensive and effective penetration testing process.
Simulating advanced threats during a penetration test involves replicating advanced persistent threats (APTs) or employing a threat library to emulate a range of attacks and techniques. This enables organisations to evaluate their security defences against realistic and sophisticated cyber threats.
By simulating advanced threats, organisations can:
This insight helps organisations improve their overall security posture, including network security, and protect against evolving cyber threats.
Documenting the exploits and vulnerabilities discovered during a pen test is crucial for several reasons. It enables the organisation to:
Providing recommendations for strengthening your resilience involves analysing the identified vulnerabilities and their potential impacts, prioritising them based on severity, and offering actionable solutions for remediation. These recommendations should consider industry best practices and be tailored to the specific needs and context of the organisation.
By following the guidance in a penetration test report, organisations can address the identified vulnerabilities, improve their overall security posture, and reduce the risk of future attacks. This proactive approach to infrastructure testing and security management helps organisations avoid emerging threats and ensures their defences effectively detect and mitigate potential risks.
For example, by default, Cyphere provides strategic and tactical recommendations with every project we undertake. Additionally, we set up a debrief with stakeholders, including functional and technical teams, to ensure the issues are understood and the risk remediation process is supported and straightforward.
While penetration testing is valuable for improving an organisation’s security posture, maintaining ethical conduct and legal compliance throughout the testing process is crucial. This involves:
Complying with regulations and standards, such as SOC 2 and ISO 27001, guarantees that the penetration test aligns with industry best practices and legal obligations. Adhering to these standards also helps organisations demonstrate their commitment to security and compliance to stakeholders, regulatory bodies, and auditors.
By ensuring ethical conduct and legal compliance during penetration testing, organisations can achieve several benefits:
Navigating ethical boundaries during penetration testing requires:
An ethical hacker must adhere to legal and regulatory requirements, maintain professional integrity, and ensure that their actions do not cause harm to the target system or to network traffic. By navigating ethical boundaries during penetration testing, organisations can ensure that the testing process is conducted responsibly and in line with industry best practices.
Following regulations and standards during penetration testing is vital for upholding industry best practices and meeting legal requirements. Aligning with SOC 2 and ISO 27001 improves testing by ensuring it is conducted in line with established information security management system (ISMS) standards.
Compliance with these standards also helps organisations:
By adhering to regulations and standards, organisations can ensure that their penetration testing process is effective and in line with industry best practices and legal obligations.
Mastering the art of penetration testing is essential for organisations looking to strengthen their security posture and protect their valuable assets. Organisations can identify and address potential weaknesses in their systems and networks by following the discussed steps, including defining objectives and scope, gathering intelligence, discovering vulnerabilities, and executing strategically. Ensuring ethical conduct, legal compliance, and adherence to industry best practices throughout the testing process further enhances the effectiveness of penetration testing and provides organisations with a strong foundation for maintaining a robust security posture in an ever-evolving digital landscape.
Set up a casual chat and see what we are doing differently to others.
Should you wish to request a quote, check our CREST penetration testing services.
Reconnaissance, Scanning, Vulnerability Assessment, Exploitation, Reporting.
Black box (simulates external attacker), white box (authorised tester with full knowledge), and grey box (mix of both).
It depends on your experience and the scope. Basic tests can be learned, but advanced skills require dedication and training.
Learn ethical hacking basics, practice in safe environments like CTFs, and consider certifications like OSCP, Burp BSCP, TCM Security, and CREST.
To identify and exploit vulnerabilities before attackers do, improving your cyber security posture.
Testing a website for SQL injection and XSS vulnerabilities to see if attackers could exploit such vulnerabilities and steal user data.
Define scope, gather information, and map the target system.
Clear objectives, methodology, vulnerability assessment, exploitation attempts, and a detailed report.
Follow a structured methodology like PTES or OSSTMM, adapting it to your needs.