Module 4. Defining the Penetration Testing Process
#
Penetration Testing
Also called pen testing, it is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.
Pen testing is a white hat process that is done legitimately to find vulnerabilities that are then passed on to the company that built the application or service so they can resolve the problems.
#
Steps of a penetration test
- Establish goals and set parameters. Setting the rules of engagement and defining the scope of the test.
- Reconnaissance and discovery. Finding out everything you can about the company and applications using available tools.
- Exploitation and brute force. Testing and trying to break the vulnerabilities discovered.
- Take control and escalate privilege. Once access has been gained, trying to escalate privilege and move laterally through the system.
- Pivoting. Trying to access other networks that might only be reachable once privileges have been escalated.
- Data collection and reporting. Documenting what has been found and accessed during the pen test.
#
Types of Reconnaissance
Passive Reconnaissance | Active Reconnaissance
---|---
Utilise publicly accessible methods to discover information | Direct access to the target company
No direct contact with target company | Asking questions of employees and management
Public Records | Entering the facilities and walking the site
Google Searches or GHDB | Seeing where you can go and what you can access
Company Website / Wayback Machine | Active scanning/fingerprinting of the network
#
Pivoting
Pivoting is a technique that allows lateral movement from a compromised host.
- A foothold is obtained on a target system.
- The compromised system is then used to access and compromise other, normally inaccessible, systems.
Many tools, such as Metasploit, have been built to automate this pivoting process.
#
Initial Exploration
This is where the rules of engagement are set, including:
- Any systems that are off limits
- Hours of operation
- Who the points of contact are
- Blind / Double Blind
This is also the time to learn about physical security, such as:
- Technical / Administrative controls
- Monitoring and law enforcement
Discover the network layout:
- Number of internal or external devices
- Routers/switches, printers etc.
- OS fingerprints
- Wireless networks
- Mobile devices
Map of internet presence:
- Web apps or web services
#
Persistence
Install backdoors or other methods for maintaining access to networks or hosts.
#
Escalation of Privilege
Administrator or root access to the host is the primary goal, as this enables the installation of persistence methods and also allows scanning for additional exploits, vulnerabilities or misconfigurations.
Some methods of privilege escalation are:
- Hack the local admin account
- Exploit a vulnerability
- Use tools / brute force
- Social Engineering
#
Black box, White box and Gray box Testing
- Black box testing: The tester is given little or no information about the environment; this is more like the real world but more time-consuming.
- White box testing: The tester is given full disclosure about the environment, such as network, hosts, source code, protocols, diagrams etc.
- Gray box testing: This is a combination of white and black box testing, where the tester is given partial information.
#
Pen Testing vs Vulnerability Scanning
Vulnerability Assessment. Looks for security vulnerabilities in the network.
Penetration Testing. Assesses the potential damage that could arise from the vulnerabilities in the network or systems, as well as the likelihood that these vulnerabilities are exploited.
#
Red v Blue Teams
Red Team | Blue Team
---|---
Aggressor team | Defensive team
Penetration team with limited access to the network | Access to all internal/external resources
May launch an attack at any time, without notice | Goal is to defend against the Red team