What is Pentesting, phases and types

October 15, 2022

Within computer security there are several processes that differ mainly in how they are executed, but all of them pursue the same goal: improving information security. One of them is pentesting, known in Spanish as an intrusion test or penetration test. This discipline is increasingly in demand because of the strong need for cybersecurity in companies, which is why in this article we look more closely at pentesting and its types.

What is pentesting

Pentesting is short for penetration testing. Its objective is to detect as many of the vulnerabilities as possible in the computer assets being audited. Naturally, these assets are audited only with prior authorization and with a contract in place. The work follows a methodology, and within each methodology a pentest is divided into several phases. Let's look at the phases of a pentest based on the OWASP methodology, with slight modifications so that you understand them more easily.

Phases of pentesting

As mentioned, a good pentest consists of different phases. Depending on the methodology used the phases may vary, but in general the aim is to gather information, analyse possible vulnerabilities, exploit them and, finally, communicate with the client, explaining the procedure through the reports you generate. As stated before, we will look at the phases based on the OWASP methodology with slight modifications.

Pre-agreement phase

This is the step before the test starts, where the scope, objectives, dates and type of pentest to be performed are agreed, and in general the way the pentest will be carried out is defined in detail.

Information gathering phase

Once the pre-agreement phase is concluded the test itself begins, starting with a search for information on the assets agreed for audit. This phase is in turn divided into two, since information gathering can be either passive or active.

Passive information gathering: information is obtained from public sources without interacting with the assets at all, not even by accessing their website (if they have one).

Active information gathering: information is obtained by interacting with the target. For this phase you must, without exception, have permission and authorization to interact with the target.

Vulnerability analysis phase

After building a solid base of information about the assets to be audited, we search both manually and automatically for security flaws in those assets. Remember that this is a pentest, so the goal is to find as many flaws as possible; it is not a red team exercise. Even after finding a vulnerability you should keep looking, because what we want is for the client to be informed of as many flaws in their assets as possible so they can fix them and improve their security.

Vulnerability exploitation phase

Next, with all the vulnerabilities detected, the objective is to exploit them, manually and/or with automated tools, analysing both the complexity of exploitation and the privileges obtained.

Post-exploitation phase

This phase can vary: the scope and objective of the pentest determine what is done here. We may escalate privileges, maintain access, pivot to another network segment and so on. But keep in mind that post-exploitation is not always privilege escalation; sometimes this phase is not carried out at all. It depends on the objectives of the pentest.

Report drafting phase

Finally, once all the previous phases are complete, we communicate with the client to present the results and deliver the reports agreed upon in the pre-agreement phase, in which we explain (depending on the context) what was done during the pentest.

Types of pentesting

There are also several types of pentesting, distinguished mainly by the information available to the tester before testing.

  • White box: Extensive, almost complete information about all the assets to be audited is provided.
  • Black box: No information is provided about any of the assets to be audited. This type of pentest can be considered the most realistic, since the pentester starts from a scenario in which they know nothing about the assets to be audited.
  • Gray box: Information is provided that is neither as extensive as in a white box test nor non-existent as in a black box test; it is an intermediate between the two.

To conclude, being a pentester is a profession that will keep gaining relevance every day because, fortunately, companies are understanding that cybersecurity is NEVER an expense but an outright investment: information is the most important asset nowadays, and it is our duty to protect it.
