The following is a brief reference to an effective – step by step – Pentesting process…
Phase 1. Reconnaissance/Footprinting: This introduction phase primarily utilizes passive and “incognito” methods of approach to gaining information from the target, as opposed to more active methods which will be used in later phases. Typically, interaction with a target – and operation within close proximity to the target – will be kept to a bare minimum as to avoid the possibility of detection. A variety of methods is available to this particular process such as Whois queries, Google searches, job board searches, discussion groups, etc.
Phase 2. Scanning: Scanning is the phase of operation in which the information that was gathered from the Reconnaissance/Footprinting phase can be used to target your attack in a more precise manner (stealth and subtlety should still be a focused practice in this phase as much as the circumstances will allow). During scanning, tasks like ping sweeps, port scans, and observations of facilities will be performed (remote observation is an option through programs such Google Earth). A useful port scanning tool is Nmap, a free/open-source program available at nmap.org.
Phase 3. Enumeration: In enumeration, information that is acquired during the scanning phase will undergo a detailed extraction process, that information will then be observed and analyzed to determine it’s usefulness/uselessness. Results of this process can include lists of UserNames, Groups, Auditing Information, etc.
Phase 4. System Hacking (Follows Enumeration): This is the phase of operation in which the pentester now possesses the adequate intel to form a plan of offense and execute an attack against his/her target. The “plan” of attack (don’t forget) is enabled due to the information gathered during the enumeration phase of operation. The plan of attack should revolve around a single “Attack of Opportunity” a.k.an Exploit. Secondary Exploits may be used as alternate attacks or used in Daisy Chaining.
Phase 5. Escalation of privileges (Phase 2 of System Hacking): In this phase, You may begin to obtain privileges that are only allowed to higher level privileged accounts than were originally hacked into. The goal is to move from a low-level account – such as a guest account – to the Administrator account or System-Level Access.
Phase 6. Covering your tracks: This is the phase where you will remove the evidence of your presence within the system to become a ghost, purging all of your traces i.e. log files, event files, the DNS cache, “recent places”, cookies, etc.
Phase 7. Planting backdoors (enabling points of re-entry): During this exit phase, you will leave behind a point of Re-Entry such as a Trojan or a “Special Account“. This will ensure ease of access back into the system.