First of all thank you for reading the Penetration Testing Part 1, Lets start with Part2.
Here I will show you how to conduct a penetration test for an organization XYZ before starting the actual penetration test lets see at the types of penetration test and the methodology for penetration testing and the tools available for conducting a penetration test.
Penetration Testing Methodology:
Generally there are four phases to conduct a penetration test as we discussed before in Part1 are
1. Planning
2. Discovery
3. Attack
4. Reporting
Types of penetration test:
1. Black Box
2. White Box
3. Grey Box
Black box:
Black-box testing involves performing a security evaluation and testing with no prior knowledge of the network infrastructure or system to be tested. Testing simulates an attack by a malicious hacker outside the organization's security perimeter
White box:
White-box testing involves performing a security evaluation and testing with complete knowledge of the network infrastructure such as a network administrator would have
Grey box:
Grey-box testing involves performing a security evaluation and testing internally.
Testing examines the extent of access by insiders within the network.
Scenario:
A firm named XYZ is consulting with a firm who conducts penetration test as a third party. Company XYZ need to have a black box pen testing due to some legal requirements and in order to evaluate the security measures placed to control the access.
Now the consulting firm only has a named XYZ to start the penetration test for the company.
Mr.RAK has been assigned the task to conduct the pen test in this consulting firm; here I will show you how the methodology will be followed.
Planning:
MR.RAK should have signed NDA so that findings should be kept confidential secondly SLA should be present in order to know at what levels or till what depth should the penetration be occur in order to completeness plus the time limit should be mentioned before starting the test
Discovery:
Passive:
Here the information gathering phase is starting now; good sources would be search engines, XYZ's official website, job postings and more...
Homepage https://www.hedgehogsecurity.co.uk/