Manage Learn to apply best practices and optimize your operations.

Hacking with Kali: Practical Penetration Testing Techniques

In this excerpt of Hacking with Kali: Practical Penetration Testing Techniques, authors James Broad and Andrew Bindner outline the five phases of the penetration testing lifecycle.

The following is an excerpt from the book Hacking with Kali: Practical Penetration Testing Techniques written by authors James Broad and Andrew Bindner and published by Syngress. This section from chapter six explains the five phases of the penetration testing lifecycle: reconnaissance, scanning, exploitation, maintaining access and reporting.

Introduction to the lifecycle

Hacking with Kali coverMost people assume that all a penetration tester, or hacker, needs to do is sit down in front of a computer and begin typing an obscure string of code and voila any computer in the world is instantly opened. This stereotype based in Hollywood legend is far from the truth. Professionals in this field are very meticulous in the approach used when to uncovering and exploiting vulnerabilities in computer systems. Over time a proven framework has emerged that is used by professional ethical hackers. The four phases of this framework guide the penetration tester through the process of empirically exploiting information systems in a way that results in a well-documented report that can be used if needed to repeat portions of the testing engagement. This process not only provides a structure for the tester but also is used to develop high-level plans for penetration testing activities. Each phase builds on the previous step and provides detail to the step that follows. While the process is sequential, many testers return to earlier phases to clarify discoveries and validate findings.

The first four steps in the process have been clearly defined by Patrick Engebretson in his book The Basics of Hacking and Penetration Testing. These steps are Reconnaissance, Scanning, Exploitation, and Maintaining Access. This book uses these same steps but expands Patrick’s work with an additional step Reporting. Additionally, when compared to the five phase process defined by EC-Council in its popular Certified Ethical Hacking (C│EH) course, many may notice the final phase of that process, Covering Tracks, is missing. This was done intentionally to focus on the earlier phases and include a chapter on reporting, a topic that is omitted from many books on this topic. This book also differentiates from the earlier book by removing the cyclic illustration of the lifecycle and replacing it with a more linear visualization illustration that matches what an ethical hacker would normally encounter in a normal engagement. This would begin with reconnaissance of the target information system and end with the penetration tester or test team lead briefing the information systems leadership and presenting the report of what was discovered. This linear process is illustrated in Figure 5.1.

Hacking with Kali: Penetration Testing Techniques

Authors: James Broad and Andrew Bindner

Learn more about Hacking with Kali from publisher Syngress.

At checkout, use discount code PBTY14 for 25% off

A basic view of each of the phases will be drawn out in this chapter and a more extensive description will be made in the chapters devoted to each phase. In addition to the description common tools for each phase will be introduced in the coming chapters. In this way the reader will not only understand the phases of the lifecycle but also have a view under the hood of what tools are most likely to be used first by engineers in this field of security. These chapters will introduce the reader to the tools but will not be exhaustive and really only scratch the surface of whet each tool or technique can do to assist in conducting these types of tests. Many of the tools or techniques have entire books -- sometimes many books -- devoted to their correct use and application.

Phase 1: Reconnaissance

In a small room with dim lights, analysts and officers scan and inspect maps of hostile territory. Across the room others watch television channels across the globe frantically taking notes. The final group in this room prepares a detailed assessment of everything about the target being investigated. While this scenario details what would normally be done in a military reconnaissance of a possible target, however, it is analogous to what the penetration tester will do during the reconnaissance phase of the penetration testing lifecycle.

This illustrates the type of work done during the reconnaissance phase of the pentesting lifecycle. This phase focuses on learning anything and everything about the network and organization that is the target of the engagement. This is done by searching the Internet and conducting passive scans of the available connections to the targets network. In this phase, the tester does not actually penetrate the network defenses but rather identifies and documents as much information bout the target as possible.

Phase 2: Scanning

Imagine a hilltop deep behind enemy lines, a single soldier crouches hidden among a thicket of bushes and trees. The report being sent back informs others about the location of the camp being observed, the mission of the camp, and types of work that is being done in each building. The report also notes the routes in and out of the camp and types of security that can be seen.

The soldier in this example had a mission defined by the analysis conducted during the reconnaissance phase. This is true of the second phase of the penetration testing lifecycle. The tester will use information gained in phase 1 to start actually scanning the targets network and information system. Using tools in this phase, a better definition of the network and system infrastructure of the information system will be targeted for exploitation. The information gained in this phase will be used in the exploitation phase.

Phase 3: Exploitation

Four soldiers rush through an open field, the moon is only a sliver and obscured by clouds, however, the soldiers see everything is an eerie green glow. They rush the building slipping through a gap in the fence and then through an open back door. After just moments on the target they are on the way back out with vital information about future troop movements and plans for the coming months.

Read an excerpt

Download a PDF of chapter seven to learn more!

Again this matches what the ethical hacker will do in the exploitation phase. The intent of this phase is to get into the target system and back out with information without being noticed, using system vulnerabilities and proven techniques.

Phase 4: Maintaining access

Based on drawings provided by the raid team, a group of skilled engineers excavate earth from deep in the tree line under the room that held the vital information taken earlier. The purpose of this tunnel is to provide easy access to the room for continued exploitation of the enemy. This is the same for the tester, once the system is exploited backdoors and rootkits are left on the systems to allow access in the future.

Phase 5: Reporting

The raid team commander stands in front of a group of generals and admirals explaining the details of the raid. Each step is explained in great detail expanding on each detail that allowed the exploitation to take place. The penetration tester too must develop detailed reports to explain each step in the hacking process, vulnerabilities exploited, and systems that were actually compromised. Additionally in many cases one member of the team, and sometimes more, may be required to provide a detailed briefing to senior leadership and technical staff of the target information system.


The coming chapters will explain each of these phases in greater detail. Each chapter will provide information on the basics of the common tools used for each phase. Using the process detailed in the reader will understand the purpose and advantages of phase being explained and the most common tools used in that phase.

About the author:
James Broad (CISSP, C|EH, CPTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, Certification and Accreditation and offer other security consultancy services to corporate and government clients. As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, vulnerability analysis and research. He has provided security services in the nation’s most critical sectors including defense, law enforcement, intelligence, finance and healthcare.

Next Steps

Learn more about how penetration testing helps secure online data stores, penetration testing methodology and how to make penetration test results matter.

Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments