For your information, several methodologies exist for performing a pen test; however, we will be using the Penetration Testing Execution Standard (PTES) framework to execute the assessment. PTES consists of seven guidelines to follow during an evaluation:
Pre-Engagement Interactions occurred when management approved conducting a pen test of the network. Additionally, we have defined the scope of the project, including the goals of the assessment, which tools will be used to conduct the evaluation and how long it will take to complete the penetration test.
Intelligence Gathering entails collecting as much information about the network as possible to use during the vulnerability analysis and exploitation phases of the assessment. Specifically, …
The targets for “attack” will become clear after we use the OpenVAS tool to find weak systems on the network. For example, it has already been determined that the file server is vulnerable, so it is logical to focus on that system during the assessment. In sum, threat modeling is critical to the pen test since the targets are identified for the scope of the project.
Vulnerability analysis occurs when we use the OpenVAS tool to assess the weaknesses in systems, software, and hardware to decide which ones can be exploited to gain access to the network. Ultimately, this is considered the pre-hacking phase of the penetration test: every device in the scope of the project is tested for known vulnerabilities at this point.
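A scope gate that sits between vulnerability analysis and exploitation, as an added example that is not part of the original essay: it keeps only findings on hosts inside the agreed scope and records everything it rejects. The scope ranges, the simplified CSV layout (not the OpenVAS export format), the findings, and the `triage` helper are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed scope, standing in for the ranges agreed during pre-engagement.
IN_SCOPE = ["10.10.20.0/24", "10.10.30.5/32"]

# Constructed findings in a simplified CSV layout (an assumption, not OpenVAS output).
SAMPLE_FINDINGS = """host,port,severity,name
10.10.20.15,445/tcp,9.8,SMB remote code execution (constructed)
10.10.20.15,22/tcp,5.3,Weak SSH key exchange (constructed)
10.10.30.5,443/tcp,7.5,Outdated TLS library (constructed)
10.10.40.9,3389/tcp,9.0,RDP flaw (constructed)
not-an-ip,80/tcp,4.0,Malformed row (constructed)
"""


def triage(findings_csv, scope_cidrs, min_severity=7.0):
    """Return (targets, rejected).

    targets:  in-scope hosts with their worst finding at or above
              min_severity, highest severity first.
    rejected: (host, reason) for rows that are out of scope or unparseable,
              kept so the exclusion is auditable rather than silent.
    """
    networks = [ipaddress.ip_network(c, strict=True) for c in scope_cidrs]
    worst, rejected = {}, []
    for row in csv.DictReader(io.StringIO(findings_csv)):
        try:
            addr = ipaddress.ip_address(row["host"])
            score = float(row["severity"])
        except (ValueError, TypeError):
            rejected.append((row["host"], "unparseable"))
            continue
        # Fail closed: a host not covered by any agreed range is never a target.
        if not any(addr in net for net in networks):
            rejected.append((row["host"], "out of scope"))
            continue
        if score >= min_severity and score > worst.get(str(addr), (0.0, ""))[0]:
            worst[str(addr)] = (score, row["name"])
    targets = sorted(worst.items(), key=lambda kv: kv[1][0], reverse=True)
    return targets, rejected


if __name__ == "__main__":
    for host, (score, name) in triage(SAMPLE_FINDINGS, IN_SCOPE)[0]:
        print(f"{host}\t{score}\t{name}")
```

The rejected list belongs in the engagement record, since a high-severity finding on an out-of-scope host is something to report to the client, not to test.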
Exploitation of the vulnerabilities found on the targets ensues at this phase of the assessment; however, only the objects within the scope of the project are “attacked” during the evaluation. We will use the Metasploit Framework to launch an automated attack against the targets identified in the vulnerability analysis phase. Ultimately, the goal of this exploitation phase is to gain access to the systems by “hacking” their