Penetration Testing

The first phase of penetration testing involves determining the scope and goals of the test. The SNATEK team works with you to figure out the logistics, expectations, objectives, goals, and systems to be addressed. The planning phase will establish whether you are using a black box, white box, or gray box penetration testing method.

In this phase, the “hacker” or penetration tester seeks to discover as much information as possible about their target.
They will gather information about end uses, systems, applications, and more.
The information will be used for precision in the penetration test, using a complete and detailed rundown of systems to understand what, exactly, needs to be addressed and evaluated. Some of the methods used during this phase may include search engine queries, domain name searches, internet footprinting, social engineering, and even looking up tax records to find personal information.

The scanning and discovery phase is built to discover how the target system is going to respond to various attempts at intrusion. The penetration tester will most likely use automated penetration test tools to scan for initial vulnerabilities.
Static analysis and dynamic analysis are two types of approaches used by the penetration tester. Static analysis inspects an application’s code in an attempt to predict how it will react to an incursion. Dynamic analysis looks at an application’s code as it runs, providing a real-time view of how it performs. Other aspects that a pen tester will discover include network systems, servers, and devices, as well as network hosts.

Once the pen tester has gained a complete understanding of the scope and components to be tested, they will attack in a simulated and controlled environment. Mimicking an actual cyberattack, the tester may: take control of a device to extract data, perform a web application attack, such as cross-site scripting or SQL injection, or perform a physical attack, as mentioned previously.

The goal of this phase is to see how far the tester can get into an IT environment without detection. The scope of the project should determine where the limits of the test should end to protect PI and other sensitive data.

Once a pen tester has successfully compromised their target, they should try to expand their access and maintain their presence for as long as possible. Again, the goal is to imitate a real-world bad actor as much as possible.

The penetration tester in this phase will try to expand their permissions, find user data, and remain stealthy while running their programs deeper into the IT infrastructure. For example, the penetration tester may try to escalate their privileges to the role of administrator.

The goal here is to remain undetected in the system for as long as possible and to try to get at the most sensitive data (according to the project scope and goals).