While the typical penetration test procedure can vary somewhat from one person to the next, there are some general guidelines that can make the process easier and more effective. Penetration testing usually begins with extensive planning to determine the goal of the testing and how it will be executed. From this plan, the actual testing can begin, which usually includes network scanning and mapping, attempts at gaining passwords from the network, and attacks against the network to demonstrate how weaknesses might be exploited. After these tests are complete, standard penetration test procedure usually includes creating documentation and reports on the results of the test.
A penetration test procedure refers to the process by which someone can perform penetration testing on a computer network. This procedure usually begins with planning the test, often with a team of information security employees and management. The planning stage is used to determine what the goal is for the testing as a whole and how the tests should be performed. This stage is quite important, as it can make the rest of the testing easier, and it gives the testers a chance to ensure they understand the methods they are allowed or expected to use.
Once a plan is created to establish an overall procedure, the test can begin. This usually starts with the tester scanning and mapping the network to look for weaknesses he or she can use. A number of software programs can be used for this part of the process, which may help the tester map out the network and identify potential exploits and vulnerabilities within it.
After these weaknesses are found, a penetration test procedure usually involves an attack on the system to see how vulnerable it really is. Testers often try to gain access to passwords from the system through a combination of methods, including password cracking and social engineering. Cracking is a process by which someone uses computer software to try to determine a password, while social engineering includes methods by which an attacker tries to trick an employee into divulging a password. As the tester gains different information, he or she can continue the attack and try to gain access to the system through unauthorized means.
Once the testing is complete, a standard penetration test procedure usually dictates that reports and documentation are produced regarding the test. This documentation should follow the plan set out during the first stage of testing and provide information including what was discovered during testing. The reports should provide clear information to company executives regarding the importance of changes that need to be made to improve security, and detailed information for security teams at the company with advice on how to implement those changes.