background image

The Absolute Basics of Penetration Testing


the type of information you are after, and how the organization might be 
attacked. Threat modeling involves looking at an organization as an adversary 
and attempting to exploit weaknesses as an attacker would.

Vulnerability Analysis

Having identified the most viable attack methods, you need to consider how 
you will access the target. During 

vulnerability analysis

, you combine the infor-

mation that you’ve learned from the prior phases and use it to understand 
what attacks might be viable. Among other things, vulnerability analysis takes 
into account port and vulnerability scans, data gathered by banner grabbing, 
and information collected during intelligence gathering.



 is probably one of the most glamorous parts of a penetration test, 

yet it is often done with brute force rather than with precision. An exploit 
should be performed only when you know almost beyond a shadow of a doubt 
that a particular exploit will be successful. Of course, unforeseen protective 
measures might be in place on the target that prevent a particular exploit 
from working—but before you trigger a vulnerability, you should know that 
the system is vulnerable. Blindly firing off a mass onslaught of exploits and 
praying for a shell isn’t productive; it is noisy and provides little if any value 
to you as a penetration tester or to your client. Do your homework first, and 
then launch well-researched exploits that are likely to succeed.

Post Exploitation


post exploitation

 phase begins after you have compromised one or more 

systems—but you’re not even close to being done yet.

Post exploitation is a critical component in any penetration test. This is 

where you differentiate yourself from the average, run-of-the-mill hacker and 
actually provide valuable information and intelligence from your penetration 
test. Post exploitation targets specific systems, identifies critical infrastructure, 
and targets information or data that the company values most and that it has 
attempted to secure. When you exploit one system after another, you are try-
ing to demonstrate attacks that would have the greatest business impact.

When attacking systems in post exploitation, you should take the time 

to determine what the various systems do and their different user roles. For 
example, suppose you compromise a domain infrastructure system and you’re 
running as an enterprise administrator or have domain administrative-level 
rights. You might be king of the domain, but what about the systems that 
communicate with Active Directory? What about the main financial applica-
tion that is used to pay employees? Could you compromise that system, and 
then, on the next pay cycle, have it route all the money out of the company 
to an offshore account? How about the target’s intellectual property?