Within computer security there are several processes that differ mainly in how they are executed but always pursue the same goal: improving information security. One of them is pentesting (known in Spanish as "test de intrusión" or penetration test), a discipline that is increasingly in demand because of the strong need for cybersecurity in companies. That is why in this article we take a closer look at pentesting and its types.
What is pentesting
Pentesting is short for penetration testing. Its objective is to detect as many vulnerabilities as possible in the computer assets being audited. These assets are, of course, audited only with prior authorization and a contract in place. The procedure follows a methodology, and within each methodology a pentest can be divided into several phases. Let's look at the phases of a pentest based on the OWASP methodology, with slight modifications to make them easier to understand.
Phases of pentesting
As mentioned, a good pentest consists of different phases. Depending on the methodology used the phases may vary, but in general they cover: gathering information, analyzing possible vulnerabilities, exploiting those vulnerabilities and, finally, communicating with the client by documenting the procedure in the reports you generate. As stated above, we will describe the phases based on the OWASP methodology with slight modifications.
Pre-agreement phase
This is the procedure that takes place before the test starts. Here the scope, objectives, dates and type of pentest to be performed are agreed upon, and in general the way the pentest will be carried out is defined in detail.
Information gathering phase
Once the pre-agreement phase is concluded, the test begins with a search for information about the assets agreed for the audit. This phase is itself divided into two, since information gathering can be either passive or active.
Passive information gathering: Information is obtained from public sources without interacting with the assets at all, not even accessing their website (if they have one).
Active information gathering: Information is obtained by interacting with the target. For this phase you must, without exception, have permission and authorization to interact with the target.
Vulnerability analysis phase
After building a good base of information about the assets to be audited, we search both manually and automatically for security flaws in those assets. Remember that this is a pentest, so the goal is to find as many flaws as possible; it is not a red team exercise. Even after you find one vulnerability you should keep looking, because what we want is for the client to be informed of as many flaws in their assets as possible so that they can correct them and improve their security.
Vulnerability exploitation phase
Next, with all the vulnerabilities detected, the objective is to exploit them, manually and/or with automated tools, analyzing both the complexity of exploitation and the privileges obtained.
Post-exploitation phase
This phase can vary: the scope and objective of the pentest determine what is done here. We may escalate privileges, maintain access, pivot to another network segment and so on. In general, though, I want you to keep in mind that post-exploitation is not always privilege escalation; sometimes this phase is not even carried out. It all depends on the objectives of the pentest being performed.
Drafting phase
Finally, once all the previous phases have been completed, we communicate the results to the client and deliver the reports agreed upon in the pre-agreement phase, in which we explain (depending on the context) what was done during the pentest.
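The pre-agreement phase fixes the scope and dates, and the active information-gathering phase must never touch anything outside them. The following scope gate, an added example and not code from the original article, shows one way to enforce that before any active phase runs; the network, domain and date values are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Engagement:
    """Scope as agreed in the pre-agreement phase (constructed sample values)."""
    networks: list = field(default_factory=list)   # agreed CIDR ranges
    domains: list = field(default_factory=list)    # agreed apex domains (subdomains included)
    start: date = date(2024, 1, 1)                 # agreed testing window
    end: date = date(2024, 1, 31)


def in_scope(eng: Engagement, target: str, today: date) -> tuple[bool, str]:
    """Return (allowed, reason) for one target on a given day.

    A target is allowed only inside the agreed window and only if it is an
    address in an agreed network or a host under an agreed domain.
    """
    if not (eng.start <= today <= eng.end):
        return False, "outside engagement window"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: treat it as a hostname and match on domain suffix.
        host = target.lower().rstrip(".")
        for dom in eng.domains:
            if host == dom or host.endswith("." + dom):
                return True, f"host under agreed domain {dom}"
        return False, "hostname not under any agreed domain"
    for net in eng.networks:
        if addr in ipaddress.ip_network(net, strict=False):
            return True, f"address inside agreed network {net}"
    return False, "address outside agreed networks"


def filter_targets(eng: Engagement, targets: list, today: date) -> tuple[list, dict]:
    """Split candidates into the in-scope list and a dict of rejected -> reason."""
    allowed, rejected = [], {}
    for tgt in targets:
        ok, why = in_scope(eng, tgt, today)
        if ok:
            allowed.append(tgt)
        else:
            rejected[tgt] = why
    return allowed, rejected


if __name__ == "__main__":
    eng = Engagement(networks=["10.20.0.0/16"], domains=["example.test"])
    cands = ["10.20.5.7", "10.21.0.1", "app.example.test", "example.test.other"]
    print(filter_targets(eng, cands, date(2024, 1, 10)))
```

Feeding every candidate through filter_targets before active gathering keeps accidental out-of-scope interaction from happening, and the reasons give the report a record of what was excluded and why.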
Types of pentesting
There are also several types of pentesting, distinguished mainly by how much information is provided before testing.
- White box: Broad and almost complete information about all the assets to be audited is provided.
- Black box: No information is provided about any asset to be audited. This type of pentest can be considered the most realistic, since the pentester starts from a scenario in which they know nothing about the assets being audited.
- Gray box: Information is provided that is less extensive than in a white box test but not absent as in a black box test; it is an intermediate between the two.
To conclude, being a pentester is a profession that will keep gaining relevance every day because, fortunately, companies are understanding that cybersecurity is NEVER an expense but a genuine investment: information is the most important asset today, and it is our duty to protect it.