2
Chapter 1
The Phases of the PTES
PTES phases are designed to define a penetration test and assure the client
organization that a standardized level of effort will be expended in a pene-
tration test by anyone conducting this type of assessment. The standard is
divided into seven categories with different levels of effort required for each,
depending on the organization under attack.
Pre-engagement Interactions
Pre-engagement interactions
typically occur when you discuss the scope and terms
of the penetration test with your client. It is critical during pre-engagement
that you convey the goals of the engagement. This stage also serves as your
opportunity to educate your customer about what is to be expected from a
thorough, full-scope penetration test—one without restrictions regarding what
can and will be tested during the engagement.
Intelligence Gathering
In the
intelligence gathering
phase, you will gather any information you can
about the organization you are attacking by using social-media networks,
Google hacking, footprinting the target, and so on. One of the most impor-
tant skills a penetration tester can have is the ability to learn about a target,
including how it behaves, how it operates, and how it ultimately can be attacked.
The information that you gather about your target will give you valuable
insight into the types of security controls in place.
During intelligence gathering, you attempt to identify what protection
mechanisms are in place at the target by slowly starting to probe its systems.
For example, an organization will often only allow traffic on a certain subset of
ports on externally facing devices, and if you query the organization on any-
thing other than a whitelisted port, you will be blocked. It is generally a good
idea to test this blocking behavior by initially probing from an expendable IP
address that you are willing to have blocked or detected. The same holds true
when you’re testing web applications, where, after a certain threshold, the
web application firewalls will block you from making further requests.
To remain undetected during these sorts of tests, you can perform your
initial scans from IP address ranges that can’t be linked back to you and your
team. Typically, organizations with an external presence on the Internet
experience attacks every day, and your initial probing will likely be an unde-
tected part of the background noise.
NOTE
In some cases, it might make sense to run very noisy scans from an entirely different IP
range other than the one you will be using for the main attack. This will help you deter-
mine how well the organization responds to the tools you are using.
Threat Modeling
Threat modeling
uses the information you acquired in the intelligence-gathering
phase to identify any existing vulnerabilities on a target system. When perform-
ing threat modeling, you will determine the most effective attack method,