Phases of Penetration Testing

Summarizing the Five Phases of Penetration Testing.

In the ethical hacker class on our website, the course begins by recapping the five phases of penetration testing. Essentially, the five phases of pen testing is a module that summarizes what the rest of the ethical hacker class is going to look like. The five phases refer to each primary step in the process of operating a penetration test, and the concept is critical for a new entrant into the field. Here is a brief overview of the five phases of penetration testing:

Phase 1 | Reconnaissance:
Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching the target) or passively (meaning that your recon is being performed through an intermediary).

Phase 2 | Scanning:
The phase of scanning requires the application of technical tools to gather further intelligence on your target, but in this case, the intel being sought is more commonly about the systems that they have in place. A good example would be the use of a vulnerability scanner on a target network.

Phase 3 | Gaining Access:
Phase 3 gaining access requires taking control of one or more network devices in order to either extract data from the target, or to use that device to then launch attacks on other targets.

Phase 4 | Maintaining Access:
Maintaining access requires taking the steps involved in being able to be persistently within the target environment in order to gather as much data as possible. The attacker must remain stealthy in this phase, so as to not get caught while using the host environment.

Phase 5 | Covering Tracks:
The final phase of covering tracks simply means that the attacker must take the steps necessary to remove all semblance of detection. Any changes that were made, authorizations that were escalated etc. all must return to a state of non-recognition by the host network’s administrators.


Basic Common Ports

Common ports, such as TCP port 80 (HTTP), may be locked down — but other ports may get overlooked and be vulnerable to hackers. In your security tests, be sure to check these commonly hacked TCP and UDP ports:


Port TCP UDP Description
9   UDP Wake-on-LAN
13 TCP UDP Daytime Protocol
20 TCP UDP File Transfer Protocol (FTP) data transfer
21 TCP\SCTP12 UDP File Transfer Protocol (FTP) control (command)
22 TCP\SCTP UDP Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding
23 TCP UDP Telnet protocol—unencrypted text communications
25 TCP UDP Simple Mail Transfer Protocol (SMTP), used for e-mail routing between mail servers
37 TCP UDP Time Protocol
43 TCP UDP WHOIS protocol
49 TCP UDP TACACS+ Login Host protocol
53 TCP UDP Domain Name System (DNS)
69 TCP UDP Trivial File Transfer Protocol (TFTP)
79 TCP UDP Finger protocol
80 TCP\SCTP UDP[44] Hypertext Transfer Protocol (HTTP)
88 TCP UDP Kerberos authentication system
107 TCP UDP Remote User Telnet Service (RTelnet)
109 TCP UDP Post Office Protocol, version 2 (POP2)
110 TCP UDP Post Office Protocol, version 3 (POP3)
111 TCP UDP Open Network Computing Remote Procedure Call (ONC RPC, sometimes referred to as Sun RPC)
113 TCP   Ident, authentication service/identification protocol,used by IRC servers to identify users
113 TCP UDP Authentication Service (auth), the precedessor to identification protocol. Used to determine an user’s identity of a particular TCP connection.
115 TCP UDP Simple File Transfer Protocol
123 TCP UDP Network Time Protocol (NTP), used for time synchronization
135 TCP UDP Microsoft EPMAP (End Point Mapper), also known as DCE/RPC Locator service,used to remotely manage services including DHCP server, DNS server and WINS. Also used by DCOM
137 TCP UDP NetBIOS Name Service, used for name registration and resolution
138 TCP UDP NetBIOS Datagram Service
139 TCP UDP NetBIOS Session Service
143 TCP UDP Internet Message Access Protocol (IMAP), management of electronic mail messages on a server
152 TCP UDP Background File Transfer Program (BFTP)
153 TCP UDP Simple Gateway Monitoring Protocol (SGMP), a protocol for remote inspection and alteration of gateway management information
161 TCP UDP Simple Network Management Protocol (SNMP)
162 TCP UDP Simple Network Management Protocol Trap (SNMPTRAP)(citation needed]
179 TCP\SCTP UDP Border Gateway Protocol (BGP),[72] used to exchange routing and reachability information among autonomous systems (AS) on theInternet
199 TCP UDP SMUX, SNMP Unix Multiplexer[importance?]
209 TCP UDP Quick Mail Transfer Protocol
220 TCP UDP Internet Message Access Protocol (IMAP), version 3
311 TCP   Mac OS X Server Admin (officially AppleShare IP Web administration)
384 TCP UDP A Remote Network Server System
389 TCP UDP Lightweight Directory Access Protocol (LDAP)
427 TCP UDP Service Location Protocol (SLP)
434 TCP UDP Mobile IP Agent (RFC 5944)
443 TCP\SCTP UDP Hypertext Transfer Protocol over TLS/SSL (HTTPS)
444 TCP UDP Simple Network Paging Protocol (SNPP)
445 TCP   Microsoft-DS Active Directory, Windows shares
445 TCP   Microsoft-DS SMB file sharing
465 TCP   URL Rendezvous Directory for SSM (Cisco protocol)
464 TCP UDP Kerberos Change/Set password
513 TCP   rlogin
514 TCP   Remote Shell, used to execute non-interactive commands on a remote system (Remote Shell, rsh, remsh)
514   UDP Syslog,used for system logging
515 TCP   Line Printer Daemon (LPD), print service
543 TCP   klogin, Kerberos login
544 TCP   kshell, Kerberos Remote shell
546 TCP UDP DHCPv6 client
547 TCP UDP DHCPv6 server
548 TCP   Apple Filing Protocol (AFP) over TCP[11]
587 TCP   e-mail message submission(SMTP)
631 TCP UDP Internet Printing Protocol (IPP)[11]
636 TCP UDP Lightweight Directory Access Protocol over TLS/SSL (LDAPS)
646 TCP UDP Label Distribution Protocol (LDP), a routing protocol used in MPLS networks
674 TCP   Application Configuration Access Protocol (ACAP)
691 TCP   MS Exchange Routing
873 TCP   rsync file synchronization protocol
989 TCP UDP FTPS Protocol (data), FTP over TLS/SSL
990 TCP UDP FTPS Protocol (control), FTP over TLS/SSL
991 TCP UDP Netnews Administration System (NAS)[100]
992 TCP UDP Telnet protocol over TLS/SSL
993 TCP   Internet Message Access Protocol over TLS/SSL (IMAPS)
994 TCP UDP Internet Relay Chat over TLS/SSL (IRCS)[73]
995 TCP   Post Office Protocol 3 over TLS/SSL (POP3S)[11]
1027   UDP Native IPv6 behind IPv4-to-IPv4 NAT Customer Premises Equipment
1029     Microsoft DCOM services
1433 TCP UDP Microsoft SQL Server database management system (MSSQL) server
1521 TCP UDP nCube License Manager
1720 TCP UDP H.323 call signaling
1723 TCP UDP Point-to-Point Tunneling Protocol (PPTP)[11]
1755 TCP UDP Microsoft Media Services (MMS, ms-streaming)
2000 TCP UDP Cisco Skinny Client Control Protocol (SCCP)
2049 TCP UDP Network File System (NFS)[11]
3000 TCP   Ruby on Rails development default[143]
3128 TCP ? Squid caching web proxy[147]
3306 TCP UDP MySQL database system
3389 TCP UDP Microsoft Terminal Server (RDP) officially registered as Windows Based Terminal (WBT)
4899 TCP UDP Radmin remote administration tool
5000 TCP   commplex-main
5051 TCP   ita-agent Symantec Intruder Alert
5060 TCP UDP Session Initiation Protocol (SIP)
5190 TCP   AOL Instant Messenger protocol
5357 TCP UDP Web Services for Devices (WSDAPI) (only provided by Windows Vista, Windows 7 and Server 2008)
5432 TCP UDP PostgreSQL database system
5631 TCP   pcANYWHEREdata, Symantec pcAnywhere (version 7.52 and later  data
5666 TCP   NRPE (Nagios)
5800 TCP   VNC remote desktop protocol over HTTP
5900 TCP UDP Remote Frame Buffer protocol (RFB)
6000-6063 TCP UDP X11—used between an X client and server over the network
6262 TCP   Sybase Advantage Database Server
6646   UDP McAfee Network Agent[citation needed]
7070 TCP UDP Real Time Streaming Protocol (RTSP), used by QuickTime Streaming Server. TCP is used by default, UDP is used as an alternate.
8000 TCP UDP iRDMI (Intel Remote Desktop Management Interface)—sometimes erroneously used instead of port 8080
8008 TCP   HTTP Alternate
8009 TCP   ajp13—Apache JServ Protocol AJP Connector
8080 TCP   HTTP alternate (http_alt)—commonly used for Web proxy and caching server, or for running a Web server as a non-root user
8081 TCP   HTTP alternate, VibeStreamer, e.g. McAfee ePolicy Orchestrator (ePO)
8443 TCP   SW Soft Plesk Control Panel
8888 TCP   HyperVM HTTPS
9100 TCP UDP PDL Data Stream, used for printing to certain network printers
10000 TCP UDP Network Data Management Protocol

The Steps to Becoming a Penetration Tester

The Steps to Becoming a Penetration Tester

According to statistics provided by, the cost of cybercrime will top $100 billion this year. Cybercrime affects 18 victims per second for a total of around 556 million victims per year. Just recently, the FBI warned that cyber-attacks have eclipsed domestic terrorism as the primary threat to U.S. security.

Penetration testers fight on the front-lines of cyber security. They give financial institutions, hospitals, government institutions and businesses vital information about how to improve their network security. Penetration testers protect not only institutions but also individual customer’s bank accounts, health records and private information. In a job market that has a profound shortage of cyber security professionals, penetration testers can contribute to society and potentially earn six figures for their efforts.

What is penetration testing?

A penetration tester is paid to hack into the networks of organizations to help organizations identify weak points. Penetration testers may work for companies, not-for-profits or government agencies. They can also offer independent consulting services.

What is a typical day like for a penetration tester?

Penetration testers come up with ingenious ways to launch cyber-attacks against their clients. For example, a tester may sit inside a parked car and attempt to hijack company Wi-Fi to launch a man-in-the-middle attack. A tester may also use a company restroom, drop a corrupted thumb drive on the countertop and then wait to see whether employees pick up the drive.

Testers launch phishing campaigns against company e-mail accounts to educate executives about potential vulnerabilities. They may even try to physically breach security by posing as technicians or delivery personnel. From their own terminals, they may try to launch DDoS or SQL injection attacks against the organizations. Their goal is to find weaknesses and develop strategies that reduce or eliminate threats.

How does someone become a penetration tester?

A strong record of IT experience, along with certification, will help people to find work as penetration testers. For people without IT backgrounds that want to become penetration testers, experts recommend starting by earning A+ Certification and finding a job working a help desk. In addition to A+ Certification, future penetration testers can add credentials like CCNA or Network+ that will enable them to be promoted to network support, network administration and network engineering roles.

To move into information security, penetration testing candidates can earn security certifications, including Security+, CISSP or TICSA. Programming languages like Java, Perl or LISP are important as is the ability to write Unix/Linux distributions and commands. Additionally, people that want to become penetration testers should spend some time learning how to use and manipulate SQL databases.

What certifications are required?

People can earn the Certified Ethical Hacker (CEH) designation from the Internal Council of Electronic Commerce Consultants (EC-Council) by following one of two processes. After completing training or self-study, future penetration testers must pass Exam 312-50 to earn their CEH credential.

  1. EC-Council training program.The EC-Council’s CEH training program is offered at some local universities. It’s also offered online either as a self-paced course or as an instructor-led course. Organizations can also book instructors to teach CEH training courses onsite.
  2. Self-study.People that want to skip the training program can take the certification exam without going through EC-Council training. However, they must submit an application to the EC-Council confirming at least two years of relevant employer-endorsed information security work experience. Without this experience, they can still apply and ask the EC-Council to consider whatever work experience they have. The council makes decisions on a case-by-case basis.

What else is required?

In addition to earning certification, penetration testers need to have good social engineering skills. When trying to break into a datacenter, for example, they’ll need to be able to convince personnel that they’re authorized to be there. They’ll also need to construct realistic social engineering attacks as part of their comprehensive network testing.

Most companies perform background checks before hiring a CEH. For jobs in government that require security clearance, testers should expect a background check and a polygraph test. Also, testers should keep up with EC-Council recertification requirements. Currently, CEH holders must recertify every three years to keep the credential.


The cyber security industry, according to GO-Gulf estimates, will pull in $120.1 billion by 2017. Additionally, many government agencies are keen to hire cyber security professionals. As concerns about cyber-attacks grow, penetration testers can both perform good deeds and enjoy a healthy payday.