What does a penetration tester do?
What is penetration testing?
Pentesting, penetration testing or, as it is also known, ethical hacking is an authorised “hack” on a computer system. It is designed to expose the weaknesses (vulnerabilities) of a system and is used to produce a risk report detailing the attacks performed and the results found.
The detail is far more complicated than this, however. It is true that an attack can be performed on the I.T. systems of an institution, but it’s not necessarily limited to that. Similar testing can be performed against the building itself (usually its physical security) and indeed against the staff who work in the building.
The pentest can be carried out with varying amounts of detail about your system.
Whitebox testing is also known as full-disclosure testing. This is where details such as IP addresses and network structure are disclosed in advance. It’s a quicker and cheaper pentest and is often used for compliance checking.
Blackbox testing, or blind testing, is as it sounds. No information is divulged about the customer’s network or systems; it all has to be discovered. This takes longer and can be much more expensive. It might also be more disruptive, as attempts to scan or break into devices could result in quite an effective denial of service. Fragile databases don’t particularly like this sort of treatment.
So the pentest could be just for compliance or it could be a vulnerability hunt, and this would depend on your client's needs.
The 6 steps of the pentesting process
1. Pre-engagement
This pre-engagement contract is the scope of the pentest: the agreement between the pentest company and the customer. It defines what is out of bounds (it may be that a server or subnetwork contains company secrets and should be left alone), and it will stipulate whether the employees are to be included, perhaps in a social engineering test. It becomes a legal document and, if required, might become the pentest company’s get-out-of-jail-free card.
2. Reconnaissance
This involves information gathering, often called foot-printing. The pentesters will use OSINT (open-source intelligence), drawing on social media sites, company websites and even dumpster diving.
3. Threat modelling
Next, the pentesters will do threat modelling, using scanning tools like Nmap to identify potential targets for further probing. They’ll be looking for live hosts, open ports and operating system types/versions.
4. Exploitation
Using the above information, the attack begins. Over a network connection, it might mean using tools such as Metasploit, a toolset containing multiple payloads that trigger a system-level (higher than administrator) connection from which to explore the network.
5. Post-exploitation documentation
In truth, post-exploitation documenting is performed all through the journey, but it’s at this point that it comes together to form a report. The pentesters will now also perform clean-up activities: removing any effects of the attacks, deleting any user accounts created, and restoring the original settings.
6. Reporting
The formal report is the executive summary, with details of any vulnerabilities found, suggestions for mitigating the risk, and references to NCSC guidance. It will further categorise any threats and suggest a remediation timeline.