Penetration testing

Penetration testing methodologies and standards

Irfan Shakeel
December 2, 2016 by
Irfan Shakeel

Cybercriminals are targeting personal and corporate information by using different attacking vectors. The main reason behind their success is the lack of efficient policies and standards. That allows them to exploit the system and steal the information. To prevent the attackers, some tough protocols were developed previously that are somehow working effectively and preventing many attackers, but rapid change in the attacks has also bypassed this wall. The researchers are working hard to develop more effective ways to prevent attackers. The Successful standards for security are discussed below to give an idea how information security is achieved:

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

PTES (Penetration Testing Methodologies and Standards)

The penetration testing execution standard covers everything related to a penetration test. From the initial communication, information gathering it also covers threat modeling phases where testers are working behind the scenes to get a better understanding of the tested organization, through vulnerability research, exploitation and post-exploitation.

The penetration testing execution standard consists of seven phases:

PTES defines a baseline for the minimum that is required for a basic pentest, as well as several advanced scenarios that provide more comprehensive activities required for organizations with higher security needs.

Pre-engagement interactions

In this phase, we prepare and gather the required tools, OS, and software to start the penetration testing. Whereas selecting the tools required during a penetration test depends on several factors such as the type and the depth of the engagement.

There are some common and basic tools that are compulsory to complete penetration testing with the expected results, include:


VMware enables us to run multiple instances of the operating system on a single workstation.

Linux based operating system

As Linux is the most recommended OS for penetration testing, mostly penetration testing is carried on Linux based system.

Windows-based operating system

Windows XP/7 is required for certain tools to be used. Many commercial tools or Microsoft-specific network assessment and penetration tools are available that run cleanly on the platform.

Wifi adapter

An 802.11 USB adapter allows the easy connection of a wireless adapter to the penetration testing system. The 802.11 USB adapter is recommended as other don't support the required functions.

Spectrum analyzer

A spectrum analyzer is a device used to examine the spectral composition of some electrical or optical waveform. A spectrum analyzer is used to determine whether or not a wireless transmitter is working according to defined standards.

Series of software

The software requirements are based upon the engagement scope. However, some commercial and open source software that could be required to conduct a full penetration test properly are listed below:

  • Maltego
  • Nessus
  • Nespose
  • Rainbow Crack
  • Dnsmap
  • The Social Engineering Toolkit (SET)
  • The Metasploit Toolkit
  • Dnsrecon

Intelligence gathering

In this phase, the information or data or intelligence is gathered to assist in guiding the assessment actions. The information gathering process is conducted to gather information about the employee in an organization that can help us to get access, potentially secret or private "intelligence" of a competitor, or information that is otherwise relevant to the target.

Threat modeling

Threat modeling is a process for optimizing network security by identifying vulnerabilities and then defining countermeasures to prevent, or mitigate the effects of threats to the system. The threat modeling is used to determine where the most effort should be applied to keep a system secure. This is a factor that changes as applications are added, removed, or upgraded or user requirements are evolved.

Vulnerability analysis

Vulnerability Analysis is used to identify and evaluate the security risks posed by identified vulnerabilities. The Process of vulnerability is divided into two steps, Identification and Validation.

  • Identification: Discovering the vulnerability is the main task in this step.
  • Validation: In this step, we reduce the number of identified vulnerabilities to only those that are actually valid
Exploitation After finding the vulnerabilities, we try to exploit those vulnerabilities to breach the system and its security. For the Exploitation we use different framework and software that are recommended for exploitative purpose and are freely available. Some of the most recommended tools include:
  • Core IMPACT
  • SAINT Scanner and Exploit
  • Metasploit Framework
  • SQL Map
  • Canvas
  • Social Engineering Toolkit
  • Netsparker


In the Post-exploitation phase, we determine the value of the machine compromised and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machine's usefulness in further compromising the network.


In this phase, we report the findings in a way that is understandable and acceptable by the organization that owns that system or hardware. It includes the defects that allow an attacker to violate an explicit (or implicit) security policy to achieve some impact (or consequence). In particular, defects that allow intruders to gain increased levels of access or interfere with the normal operation of systems are vulnerabilities.

There are different types of reporting that depends on the genre of authority to which we are reporting.

  • Executive-level reporting
  • Business Impact
    • Customization
    • Talking to the business
    • Affect bottom line
    • Strategic Roadmap
    • Maturity model
    • Appendix with terms for risk rating
  • Technical reporting
    • Identify systemic issues and technical root cause analysis
    • Maturity Model
    • Technical Findings
      • Description
      • Screenshots
      • Ensure all PII is correctly redacted
      • Request/Response captures
      • PoC examples
      • Ensure PoC code provides benign validation of the flaw
    • Reproducible Results
      • Test Cases
      • Fault triggers
    • Incident response and monitoring capabilities
      • Intelligence gathering
      • Reverse IDS
      • Pentest Metrics
      • Vulnerability Analysis
      • Exploitation
      • Post-exploitation
      • Residual effects (notifications to
      • 3rd parties, internally, LE, etc...)
    • Common elements
      • Methodology
      • Objective(s)
      • Scope
      • Summary of findings
      • Appendix with terms for risk rating
      • OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to finding and fighting the causes of insecure software. OWASP is a new type of entity in the security market that provides free tools and documentations to anyone in improving application security.

OWASP is dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. OWASP is not affiliated with any technology company, although it supports the informed use of security technology.


OWASP provides different licenses for the use, modification, and distribution of OWASP materials. Anyone can use this for strengthening the application security.


Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed manual of security testing and analysis which result in verified facts. These facts provide actionable information that can measurably improve operational security. OSTMM helps us to know and measure that how well security works.

By using the OSSTMM, you no longer have to rely on general best practices because you will have verified information specific to your needs on which to base your security decisions.

Targeted audience

OSSTMM is written for both the Internet security developers and testers. Networking professionals may also find this manual useful, while this manual is not intended to prepare you to use a particular software or network protocols or how to read the results.

This manual is also useful for developers that will help them in building better networks, firewalls, applications, and testing tools.


A security test is consisting of two different types of attacks.

  • Passive Attack:    It is often a form of data collection that does not directly influence the target system or network.
  • Intrusive Attack: It influences the target system or network and can be logged and alarm the target system or network.

The process in any security test can be broken down into the following:


Visibility is what can be seen on your Internet presence. This includes, but is not limited to, open or filtered ports, systems, the architecture, applications, email addresses, employee names, the software products and the websites visited by employees and everything downloaded. In other words, visibility can also be referred as leaving footprints.


Access can be defined as what users are allowed to read or retrieve. This includes, but is not limited to a web page, server, streaming video, or anything that serves as a service or application where a computer interacts with another computer within your network. In the world of technology where security is highly concerned, access level defines the boundary to access the system.


Trust can be defined as the level of authentication, non-repudiation, data integrity, access control, accountability and data integrity. This includes, but is not limited to VPNs, PKIs, HTTPS, SSH, B2B connectors, database to server connections, e-mail, employee web surfing, or any communication between two computers.


The alarm is the timeliness and appropriateness of alert to activities which violate or attempt to violate Visibility, Access, or Trust. This includes, but is not limited to log file analysis, port watching, traffic monitoring, intrusion detection systems, or sniffing/snooping.

NIST 800-15

The National Institute of Standards and Technology's special research publication series 800-15 is focused on Minimum Interoperability Specification for Public Key Infrastructure (PKI) Components (MISPC). The MISPC supports interoperability for a large-scale Public Key Infrastructure (PKI) that issues, revokes and manages X.509 version 3 digital signature public key certificates and version 2 certificate revocation lists (CRLs).


The MISPC provides a base for interoperation between public key infrastructure (PKI) components from different vendors. This specification came to exist for the companies interested in offering interoperable PKI components, to Federal agencies developing procurement specifications, and to other interested parties.


The MISPC addresses:

  • Public key certificate generation, renewal, and revocation.
  • Signature generation and verification.
  • Certificate and certification path validation.

The transaction includes certification requests, certificate renewal, certificate revocation, and retrieval of certificates and CRLs from repositories.

In NIST's 800-15 specification a PKI is broken into five components:

  1. Certification Authorities (CAs) that issue and revoke certificates.
  2. Organizational Registration Authorities (ORAs) that vouches for the binding between public keys and certificate holder's identities and other attributes.
  3. Certificate holders that are issued certificates and can sign digital documents.
  4. Clients that validate digital signatures and their certification paths from a known public key of a trusted CA.
  5. Repositories that store and make available certificates and Certificate Revocation Lists (CRLs).

Certification Authority (CA)

Certification Authority generates, revokes, publishes, and archives certificate. They rely upon a repository to make certificates and CRLs available to all certificate users. CAs themselves includes both a certificate holder function to request, revoke and renew certificates issued by other CAs and a client function to retrieve certificates and Certificate Revocation Lists and validate certification paths.

CAs performs the following functions:

  • Issue and deliver subordinate and cross certificates;
  • Accept revocation requests from certificate holders and ORAs for certificates it issued;
  • Post certificates and CRLs to the repository; and
  • Request CA certificates.

Organizational Registration Authority (ORA)

ORA list down the identity of entities requesting certification. ORA may verify that identity by requiring the requesting entity to attend the ORA physically with a physical token, or through out-of-band mechanisms.

The entity physically attends the ORA; the ORA also verifies their possession of private key material corresponding to the public key by verifying a signed message. Certificate requests on behalf of a user who does not physically attend the ORA require that the ORA provide authentication information to the entity. This information is used by the entity to authenticate itself to the CA in a self-registration request.

Certificate holder

The PKI provides certificate management functions for certificate holders. Certificate holders include CAs, ORAs and other end entities. End entities may include persons and computing systems (e.g., routers and firewalls) or applications. PKI certificate holders generate signatures and support PKI transactions to obtain, revoke and renew their certificates.

Certificate holders shall be able to:

  • Generate signatures.
  • Generate certificate requests.
  • Request certificate revocation.


Clients use the PKI to provide certificate processing functions for certificate holders and certificate users, including CAs and other end entities. End entities may also include ORAs, persons and computing systems that may include routers and firewalls.

The task done by Clients may include:

  • Verify signatures.
  • Obtain certificates and CRLs from a repository.
  • Validate certification paths.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.


It store and make available certificates and Certificate Revocation Lists (CRLs). It's the last phase where each and every certificate and process related to certificate invoking is completed, and a certificate is generated or made available.

Meanwhile, as the world is adopting new standards and technologies to provide different services to the users, the threats and risks are continuously rising and needed to be addressed with strong standards and infrastructure policies so that potential harm to the information can be prevented.

For that awareness of the new standards and policies should be provided to the end-users and employees in an organization where critical information or customer's credential details are being processed. It will create the first line of defense that can harden the security wall to defeat cybercriminals.


Irfan Shakeel
Irfan Shakeel

Irfan Shakeel is the founder & CEO of An engineer, penetration tester and a security researcher. He specializes in Network, VoIP Penetration testing and digital forensics. He is the author of the book title “Hacking from Scratch”. He loves to provide training and consultancy services, and working as an independent security researcher.