Reconnaissance is a systematic attempt to locate, gather, identify and record information about the target. It is necessary to collect as much information as we can about the organization before we start targeting the organization for an actual exploit. So what type of information we are desiring? Well, we are going to gather any information like ⚊ phone numbers, contact names, email addresses, security-related information, information systems used, job posting, resumes, etc. There are two types of reconnaissance:

• Passive Reconnaissance:

Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems. You can use google dork here.

• Active Reconnaissance:

Passive reconnaissance is an attempt to gain information about targeted computers and networks without actively engaging with the systems. You can use google dork here.

In this phase, we need to scan the target to find vulnerabilities. We need to perform different types of scanning to find vulnerabilities. A good example would be ⚊ use of a vulnerability scanner on a target network. We can classify the scanning activities into two main parts-

• Network Scan:

Network scan is used to discover devices such as end-users computers servers and peripherals that exist on a network. Results can include details of the discovered devices including IP addresses, device names, operating systems, running applications, and services. Since we gather information about the network and system this process is often related to the reconnaissance phase as well. Tools- Network mappers, Port scanners, Ping tools, etc.

• Vulnerability Scan:

A vulnerability scan detects and classifies system weaknesses and computer networks and communication equipment and predicts the effectiveness of countermeasures now. Since there are thousands of different systems and services. We should perform thousands of analyses to understand whether or not a service has vulnerabilities and the vulnerability scanners are used to automate this process makes our job a whole lot easier.

This is the phase that requires taking control of one or more network devices in order to either extract data from target or to use that device to then launch attacks on other targets. The goal is to see exactly how far they can get into the environment, identify high-value targets, and avoid any detection to achieve a persistent presence in the exploited system— long enough for a bad actor to gain in-depth access. The idea is to imitate advanced persistent threats that often remain in a system for months in order to steal an organization’s most sensitive data.

Here the post-exploitation phase comes. We have done everything for example- the target we have exploited. Now in the post-exploitation, the tester should clean up the environment, reconfigure any access he/she obtained to penetrate the environment, and prevent future unauthorized access into the system through whatever means necessary. The tester can rate the vulnerabilities like ⚊ critical, high, medium, low and informative. The purpose of the post-exploitation is to determine the value of the Machine compromised and maintain control of the machine for later use. In this phase pen testers need to delete any user-added during the penetration test, remove backdoors, remove key loggers if have any, reverse the configuration changes made. After everything is done the pentester should return everything to the initial state.

The report is the fruit of the pen test. It’s the outcome of the actions you performed throughout the pen test. The pen test report typically consists of the following sections:

• An introduction ⚊ Summary, Purpose, Scope, etc.
• Management Summary
• The screenshot of the IT system to show how vulnerable it is
• Findings ⚊ All the vulnerabilities found during the pen test.
• Recommendations- This includes how the owner can harden the system.