background image


Chapter 1

The Phases of the PTES

PTES phases are designed to define a penetration test and assure the client 
organization that a standardized level of effort will be expended in a pene-
tration test by anyone conducting this type of assessment. The standard is 
divided into seven categories with different levels of effort required for each, 
depending on the organization under attack.

Pre-engagement Interactions

Pre-engagement interactions

 typically occur when you discuss the scope and terms 

of the penetration test with your client. It is critical during pre-engagement 
that you convey the goals of the engagement. This stage also serves as your 
opportunity to educate your customer about what is to be expected from a 
thorough, full-scope penetration test—one without restrictions regarding what 
can and will be tested during the engagement.

Intelligence Gathering

In the 

intelligence gathering

 phase, you will gather any information you can 

about the organization you are attacking by using social-media networks, 
Google hacking, footprinting the target, and so on. One of the most impor-
tant skills a penetration tester can have is the ability to learn about a target, 
including how it behaves, how it operates, and how it ultimately can be attacked. 
The information that you gather about your target will give you valuable 
insight into the types of security controls in place.

During intelligence gathering, you attempt to identify what protection 

mechanisms are in place at the target by slowly starting to probe its systems. 
For example, an organization will often only allow traffic on a certain subset of 
ports on externally facing devices, and if you query the organization on any-
thing other than a whitelisted port, you will be blocked. It is generally a good 
idea to test this blocking behavior by initially probing from an expendable IP 
address that you are willing to have blocked or detected. The same holds true 
when you’re testing web applications, where, after a certain threshold, the 
web application firewalls will block you from making further requests.

To remain undetected during these sorts of tests, you can perform your 

initial scans from IP address ranges that can’t be linked back to you and your 
team. Typically, organizations with an external presence on the Internet 
experience attacks every day, and your initial probing will likely be an unde-
tected part of the background noise.


In some cases, it might make sense to run very noisy scans from an entirely different IP 
range other than the one you will be using for the main attack. This will help you deter-
mine how well the organization responds to the tools you are using.

Threat Modeling

Threat modeling

 uses the information you acquired in the intelligence-gathering 

phase to identify any existing vulnerabilities on a target system. When perform-
ing threat modeling, you will determine the most effective attack method,