Penetration Testing Methodology


The aim of the Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for internet security testing. It is intended to form a comprehensive baseline for testing which, if followed, ensures that a thorough penetration test has been undertaken. This enables a client to be certain of the level of technical assessment independently of other organisational concerns, such as the corporate profile of the penetration-testing provider.

There are six distinct parts to the Graylion Security penetration test methodology. These are:

1. Passive Information Gathering: Graylion Security gather detailed information from a variety of publicly available sources. This stage is defined as "passive" because it does not interfere with normal operations and can be conducted using a variety of methods that are undetectable by the target.

2. Target Identification: During this phase of an engagement, Graylion Security identify target networks, servers and workstations within your infrastructure. The target identification phase establishes a detailed overview of security threats using techniques such as network mapping, and identifies avenues of attack against the target that could be exploited by malicious users and intruders.

3. Target Enumeration: This stage of the engagement is used by Graylion Security to fully identify the target resource: in essence, the topology of a client's network, the specific systems and servers in place, security and applied patch levels, and the communication infrastructure (e.g. open and closed ports on target systems, banner grabbing, etc.).

4. Vulnerability Identification: Based upon the results of the Target Enumeration process, Graylion Security will identify vulnerabilities of a target during this phase. These vulnerabilities can be the result of inappropriate security practices, system faults and unresolved hardware and software issues. During this phase of an engagement, Graylion Security will assess the targets using best-of-breed commercial and open source tools and a detailed working knowledge of security vulnerabilities.

5. Vulnerability Analysis: Prior to exploiting any vulnerability discovered on a target host, Graylion Security will carefully analyse the data recovered. Our auditors scrupulously assess the potential hazards caused by exploiting any vulnerabilities found. The vulnerabilities discovered and the initial information gathered about targets are considered in tandem, enabling Graylion Security to mitigate risk during the exploitation phase. The main priority of a penetration test carried out by Graylion Security is to ensure the stability of the targeted systems by controlling at all times the scans being conducted and the intensity of each scan.

6. Vulnerability Exploitation: The client will be immediately notified of any high-risk vulnerability and the consequences of its exploitation. Graylion Security consultants will work with the client's technical staff to identify a safe period in which to verify potentially dangerous vulnerabilities through exploitation. This process is often critical in eliminating false positive results. It allows consultants to fully assess the security flaws within a client's infrastructure and provides the basis of the reporting process.

Report Structure

Vulnerabilities discovered during standard penetration testing will be sorted by IP address and severity, with the most critical vulnerabilities listed first. The report will also include a detailed statement for every vulnerability found on the customer's infrastructure, including:

  • Name of vulnerability
  • Category (e.g. File Transfer Protocol (FTP), Common Gateway Interface (CGI))
  • Severity level (see below)
  • Comprehensive explanation
  • Solution
  • Industrial reference numbers such as CVE, CAN or Bugtraq ID
  • References to the companies that provide an immediate solution for the vulnerability (if available)

The following table demonstrates how Graylion Security (based on best practice standards) categorises vulnerabilities. It gives a high-level view of the types of vulnerabilities and risks assigned to each level.

Level     Example vulnerabilities

Level 5   Trojan horses, file read and write exploits, remote command execution
Level 4   Potential trojan horses, file read exploits
Level 3   Limited read exploits, directory browsing and denial of service (DoS)
Level 2   Sensitive configuration information can be obtained by hackers
Level 1   Configuration information can be obtained by hackers

Severity Levels

Level 5 vulnerabilities provide remote intruders with remote root or remote administrator capabilities; with this level of vulnerability, hackers can compromise the entire host. Level 5 includes vulnerabilities that give remote hackers full file-system read and write capabilities or remote execution of commands as a root or administrator user. The presence of back doors and trojans also qualifies as a level 5 vulnerability.

Level 4 vulnerabilities provide intruders with remote user, but not remote administrator or root user capabilities. Level 4 vulnerabilities give hackers partial access to file-systems (for example, full read access without full write access). Vulnerabilities that expose highly sensitive information also qualify as level 4 vulnerabilities.

Level 3 vulnerabilities provide hackers with access to specific information stored on the host, including security settings. Vulnerabilities at this level could result in misuse of the host by intruders. Examples of level 3 vulnerabilities include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, susceptibility to denial of service (DoS) attacks, and unauthorised use of services such as mail relaying.

Level 2 vulnerabilities expose some sensitive information from the host, such as precise versions of services. With this information, hackers could research potential attacks against a host.

Level 1 vulnerabilities expose information, such as open ports.
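The report ordering described under Report Structure (findings sorted by IP address and severity, most critical first, each with name, category, severity, explanation, solution and reference IDs) and the five severity levels above can be turned into a small reporting helper. The code below is an added example written for this page; it is not Graylion Security's tooling, and it assumes IP address is the primary sort key with severity descending within a host. The sample findings, hosts (RFC 5737 / RFC 3849 documentation ranges) and the reference ID are constructed placeholders. One point the prose does not show: IP addresses must be ordered numerically, because a plain string sort would place 10.0.0.10 before 10.0.0.9, and IPv4 and IPv6 addresses cannot be compared directly.

```python
import ipaddress
from dataclasses import dataclass, field

# Severity levels as defined in the methodology (5 = most critical).
SEVERITY_LABELS = {
    5: "Remote root/administrator access, back doors and trojans",
    4: "Remote user access or partial file-system access; highly sensitive information exposed",
    3: "Specific host information, directory browsing, DoS, unauthorised service use",
    2: "Sensitive information such as precise service versions",
    1: "Information such as open ports",
}


@dataclass
class Finding:
    """One vulnerability statement in the report (fields mirror the Report Structure list)."""
    host: str            # IP address of the affected host
    name: str
    category: str        # e.g. "FTP", "CGI"
    level: int           # 1..5
    explanation: str
    solution: str
    references: list = field(default_factory=list)   # e.g. CVE or Bugtraq IDs


def _sort_key(f: Finding):
    addr = ipaddress.ip_address(f.host)
    # (version, addr) keeps IPv4 before IPv6 and compares addresses numerically;
    # -level places the most critical finding first within a host.
    return (addr.version, addr, -f.level)


def sort_findings(findings):
    """Validate severity levels, then order findings by host address and severity."""
    for f in findings:
        if f.level not in SEVERITY_LABELS:
            raise ValueError(f"invalid severity level {f.level!r} for {f.name}")
    return sorted(findings, key=_sort_key)


def level_summary(findings):
    """Count findings per level, most critical level first."""
    counts = {lvl: 0 for lvl in sorted(SEVERITY_LABELS, reverse=True)}
    for f in sort_findings(findings):
        counts[f.level] += 1
    return counts


def render_report(findings):
    """Render the per-vulnerability statements as plain text in report order."""
    lines = []
    for f in sort_findings(findings):
        lines.append(f"[{f.host}] Level {f.level} - {f.name}")
        lines.append(f"  Category:    {f.category}")
        lines.append(f"  Severity:    {SEVERITY_LABELS[f.level]}")
        lines.append(f"  Explanation: {f.explanation}")
        lines.append(f"  Solution:    {f.solution}")
        if f.references:
            lines.append(f"  References:  {', '.join(f.references)}")
    return "\n".join(lines)


# Constructed sample findings (hosts from documentation ranges, placeholder reference ID).
SAMPLE_FINDINGS = [
    Finding("192.0.2.10", "Open FTP port detected", "FTP", 1,
            "Port 21 accepts connections.", "Close the port if the service is not required."),
    Finding("192.0.2.9", "Anonymous FTP upload allowed", "FTP", 4,
            "Anonymous users can write to the share.", "Disable anonymous write access.",
            ["CVE-YYYY-NNNN (placeholder)"]),
    Finding("192.0.2.10", "Remote command execution in CGI script", "CGI", 5,
            "An unsanitised parameter reaches a shell.", "Apply the vendor patch and validate input."),
    Finding("2001:db8::1", "Directory listing enabled", "HTTP", 3,
            "The web root is browsable.", "Disable directory indexing."),
]

if __name__ == "__main__":
    print(render_report(SAMPLE_FINDINGS))
    print(level_summary(SAMPLE_FINDINGS))
```

Because the sort key is a tuple of already-comparable values, the same helper works unchanged for reports mixing IPv4 and IPv6 hosts.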

Methodologies used for common Penetration Testing concerns

Web Server Testing

In order to comprehensively test the web server, Graylion Security will target it with ICMP, TCP and UDP probes. Several discovery methods will be used to identify which service is running on each port and to confirm the type of service, so as to obtain the most accurate data. Graylion Security will identify the operating system and web server software installed on target hosts through a process known as TCP/IP stack fingerprinting; this information is then used for vulnerability assessment. Graylion Security will run exhaustive tests for known vulnerabilities in the OS and the web hosting software identified. Scans include, but are not limited to, tests for SQL injection, cross-site scripting, session security and session ID handling, SSL and HTTP configuration, and NTLM authentication brute-forcing.

Internet Firewalls

Firewalls often have insecure configuration vulnerabilities associated with them.

By identifying the firewall platform and operating system, and researching specific configuration vulnerabilities, attempts can be made to compromise the firewall security.

It is often possible to test the firewall rule set by sending specially crafted packets to open ports on the firewall. Information gained from this exercise can then often be used to analyse the firewall's responses in order to spoof valid IP packets and gain access to the protected networks.

Routers

Safeguarding routing protocols is essential, bearing in mind that routers determine how traffic flows around your network. Penetration testing should ensure that routers hold the correct routing information and that hackers are incapable of spoofing a route to part of your network and hijacking critical data.

Graylion Security research specific vulnerabilities and exploits associated with your router type and its operating system. To avoid denial of service, these vulnerabilities are tested for with the utmost care.

Intrusion Detection Systems

If an organisation has an IDS installed, scanning the environment can potentially trigger a reaction, which in some cases will automatically shut off all communication with the originating IP address used by the scanning tool. Under no circumstances should an IDS/IPS (intrusion prevention system) interfere with the results of a penetration test. In many cases, however, Graylion Security can manually test the IDS to see how it responds to exploit signatures. By monitoring IDS logs it is possible to tune the IDS very accurately, making its detection extremely difficult to circumvent while reducing the number of false positive reports.
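The paragraph above makes two points a defender can act on: an IDS that blocks the scanner's source address must not be allowed to distort the test, and IDS logs should be used to tune detection. The code below is an added example, not Graylion Security's or any IDS vendor's code, showing the simplest form of the scan-detection rule such a reaction is usually built on: one source contacting many distinct destination ports within a short window. It parses constructed netfilter-style log lines (timestamps, addresses and ports are all made up, using documentation address ranges), keeps a sliding window per source, raises one alert per source once the distinct-port count crosses a threshold, and exempts an agreed, allowlisted tester address so the engagement is not cut off. The log format, the 60-second window and the threshold of 10 distinct ports are assumptions for the example; the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape (constructed, modelled loosely on a netfilter LOG target):
# <ISO timestamp> <host> kernel: IN=... SRC=<ip> DST=<ip> PROTO=... DPT=<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dpt) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window=timedelta(seconds=60), threshold=10, allowlist=frozenset()):
    """Alert once per source that hits >= threshold distinct (dst, port) pairs within the window.

    Sources in `allowlist` (e.g. the agreed penetration tester address) are never alerted on,
    so an automatic block cannot interfere with the test results.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, (dst, dpt))
    alerted = set()
    alerts = []                   # (src, distinct_targets_at_alert_time, timestamp)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dpt = parsed
        if src in allowlist:
            continue
        q = recent[src]
        q.append((ts, (dst, dpt)))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(distinct), ts))
    return alerts


# Assumed allowlist: the tester's agreed source address (constructed value).
TESTER_ALLOWLIST = frozenset({"192.0.2.99"})


def build_sample_lines():
    """Constructed sample log: normal client, a port scanner, and the allowlisted tester."""
    base = datetime(2024, 1, 12, 10, 0, 0)
    lines = []

    def log(offset, src, dst, dpt):
        ts = (base + timedelta(seconds=offset)).isoformat() + "Z"
        lines.append(f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dpt}")

    # Normal traffic: repeated HTTPS from one client (one distinct target, never alerts).
    for i in range(20):
        log(i, "198.51.100.20", "192.0.2.10", 443)
    # Scanner: 12 distinct ports in 22 seconds.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        log(i * 2, "203.0.113.5", "192.0.2.10", port)
    # Authorised tester: 15 distinct ports; exempt only when allowlisted.
    for i in range(15):
        log(i, "192.0.2.99", "192.0.2.10", 8000 + i)
    lines.sort()   # fixed-width ISO timestamps sort into time order
    return lines


if __name__ == "__main__":
    for src, count, ts in detect_scans(build_sample_lines(), allowlist=TESTER_ALLOWLIST):
        print(f"{ts.isoformat()} possible port scan from {src}: {count} distinct targets in window")
```

Running the rule over the same lines with an empty allowlist flags the tester as well, which is the behaviour the text warns about; tuning the threshold and window against real IDS logs is how the false-positive rate is brought down without loosening detection.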

Externally Facing Servers

Hackers will often attempt to gain control of an internet-facing server by circumventing firewall rule sets or through an IP port that is permitted by the firewall. As part of Graylion Security's Penetration Testing service, all IP-based vulnerabilities associated with internet-available servers are comprehensively assessed.

Common vulnerabilities uncovered during penetration testing include operating system vulnerabilities and vulnerabilities in IP services such as web, mail and DNS. Level 5 vulnerabilities uncovered often include back doors, worms and services that may have been installed by a previous attacker to control a server.

VPN Connections

In many cases VPN solutions are vulnerable because of associated firewall vulnerabilities. Graylion Security begin VPN testing by reviewing all active ports on the firewall and scanning for vulnerabilities.

The VPN is further tested through manual probing. This includes testing authentication mechanisms, default accounts, and VPN responses to TCP streams.
