Pentest

The pentest is a method that consists of analyzing a target by putting oneself in the shoes of a malicious hacker, or cyberpirate. This target can be an IP, an application, a web server, a connected device or an entire network.

Let's take an example, you own a beautiful home and you've placed a fairly substantial device to ensure its security. On the front of the house, you've gone all out: armored door, cameras, ... Except that at the back of the house, you forgot that there was a simple door with a padlock . The consultant would have quickly found the flaw: "flimsy" back door

The consultant (called a "pentester") analyzes the target in stages:

• Recognition phase:
  we look globally at what we are going to have to test.
• Mapping and enumeration phase:
  we go into a little more detail about each item found on the previous phase.
• Vulnerability search phase:
  we rack our brains to find the flaw.
• Exploitation:
  we check if the flaw can be exploited. Example: we find a key with an address on it (flaw). On teste la clé à l'adresse définie (exploitation)
• Elevation of privileges:
  We have returned, now we try to access the entire system.
• maintenance:
  We keep an open door to avoid remaking the previous steps.
• propagation / side displacements:
  We have compromised a device, we are now trying to access the others (if there is).
• cleanup:
  At the end of the Pentst, we erase all traces.
• Report presentation:
  The report is written to the applicant.

When we perform a pentest, we turn into Sherlock Holmes looking for clues. Let's say we find a key that is hidden in the doghouse outside the house . This one opens the garage door. Searching the garage, we find a new key that allows us to enter the house. Sometimes it's a chain of actions that achieves the goal.