How to Conduct Pentesting for any organisation (Complete Tutorial)


Pentesting means finding vulnerabilities by using various techniques and methods .





Organisations hire consultants who have team of complete auditors who perfrom the pentesting .





Auditors are those who know how to find vulnerabilities and perform exploits as well to check the securities issues .





Auditors perform the task depending upon the agreement signed between the organisation and the auditors .





Based on the agreement , Pentesting will be performed. Just like we have different type of hackings like … black ,white and grey box .. similarly auditors perform pentesting based on the the rights provided to them.






Types of hacking





External pentesting
This type of hacking is done from the Internet against the client’s public network infrastructure; that is, on those computers in the organization that are exposed to the Internet because they provide a public service. Example of public hosts: router, firewall, web server, mail server, name server, etc.





Internal pentesting
As the name suggests, this type of hacking is executed from the customer’s internal network.





Black box hacking
This mode is applicable to external testing only. It is called so because the client only gives the name of the company to the consultant, so the auditor starts with no information.





Gray box hacking
This method is often refer to internal pentestings. Nevertheless, some auditors also called gray-box-hacking an external test in which the client provides limited information on public computers to be audited.





White box hacking
White-box hacking is also called transparent hacking. This method applies only to internal pentestings and is called this way because the client gives complete information to the auditor about its networks and systems.





Phases of hacking


 


Both the auditor and the cracker follow a logical sequence of steps when conducting a hacking. These grouped steps are called phases.
There is a general consensus among the entities and information security
professionals that these phases are 5 in the following order:
1-> Reconnaissance 2-> Scanning 3-> Gaining Access 4-> Maintaining Access 5-> Erasing Clues
Usually these phases are represented as a cycle that is commonly called “the circle of hacking” with the aim of emphasizing that the cracker can continue the process over and over again.



Though, information security auditors who perform ethical hacking services present a slight variation in the implementation phases like this:






Write a comment