a basic description of PTES – a common methodology for penetration testing

This is a very basic and concise description of one of the commonly used penetration testing methodologies – PTES methodology. There is definitely more to cover when performing an actual penetration test, thus please refer to the original guidelines of PTES. Hopefully, this will help some people understand the basic principles of how pentests are actually done.

Note: this is an excerpt from a module assessment, thus expect formal language.

The penetration testing execution standard contains 7 phases. Following are the phases that were followed throughout the penetration test:

1. Pre-engagement instructions

The main purpose of the pre-engagement phase is to define the scope and the estimated time of the penetration test. The scope of the engagement determines the specific areas of the network which are to be assessed. Furthermore, incident handling should be discussed if any incidents or emergencies occur during the testing. Besides that, it is extremely important to identify the location of the targeted environments. Depending on where the target systems are located, the testing may be impacted by the laws of the region. The estimated time and date, including start and end dates, of the testing should be explicitly mentioned in order to have a definitive deadline.

2. Intelligence gathering

During the intelligence gathering stage, valuable information is gathered about the targeted systems. The information contains details about the operating system and its version, open
ports, services running on the targeted machine, details about Active Directory, etc. In summary,
active information gathering and enumeration of the targeted system and the network is
conducted. The gathered information helps to determine the potentially vulnerable services
running on the target system later in the penetration test.

3. Threat modelling

Based on the collected data from previously conducted intelligence gathering, threat modelling
is carried out. To simplify, based on the found information during intelligence gathering, various
approaches and strategies are developed to execute attacks against the targeted system. The
primary aim of threat modelling is identifying the potential threats and the severity level that
each threat poses to the company’s assets.

4. Vulnerability analysis

In the vulnerability analysis stage, a discovery of security weaknesses in the targeted systems
and applications is attempted. The main objective of this phase is to discover potential
vulnerabilities that pose a risk to organisation’s assets.

5. Exploitation

The primary focus of the exploitation phase is to gain access to the targeted system on the
network by bypassing security restrictions. The findings in the vulnerability analysis phase are
used in this stage for exploitation of the targeted system.

6. Post-exploitation

During the post-exploitation, the aim is to determine the value of the compromised targeted
systems by the sensitivity of information associated or found on it. Moreover, techniques for
persistence and privilege escalation are conducted.

7. Reporting

In the final phase, a report of a conducted penetration test is compiled. The purpose of the
penetration testing report is to provide an evaluation of the overall security of the assessed
network, including the details of found security vulnerabilities. The information found in the
document informs how to improve the company’s network security posture by providing
The following table defines levels of severity that are used throughout the report to assess
vulnerability and risk impact.Table defining the level severity and risk impact of a vulnerability

Table defining the level severity and risk impact of a vulnerability

The priority is to concentrate on the high and critical severity findings as they pose the highest risk to
the organisation’s assets. However, it is generally a good practice to review and update each affected
system or application accordingly despite the severity level of the vulnerability.