A penetration test is an ethically-driven, authorised attempt to test and analyse the security defences that protect an organisation's assets and information. A pentest uses the same tools, techniques, and methodologies that someone with malicious intent would use, and in that sense it is similar to an audit.
Prior to pentesting, written permission must be obtained.
> [!hint] It doesn't have anything to do with testing pens.
> Glad to help.
Ethics
Pentesters are often faced with potentially morally questionable decisions, e.g.:
    - gaining access to a database and being presented with potentially sensitive data
    - performing a phishing attack on an employee to test an organisation's human security
Hats
- White hats - lawful good guys
- Grey hats - chaotic good guys
    - they usually have the best intentions, but do not always follow the law or ethical standards
    - hacktivists
- Black hats - evil ones, criminals
Methodologies
A practical methodology is a smart one, where the steps taken are relevant to the situation at hand.
No pentest is the same, but there's a general theme of the following stages:
- Information Gathering - OSINT and research of the target organisation. This does not involve scanning any systems.
- Enumeration/Scanning - discovering applications and services running on the systems, e.g. finding a web server that may be potentially vulnerable.
- Exploitation - leveraging vulnerabilities discovered on a system or application; can involve the use of public exploits or exploiting application logic.
    - a successful exploit is known as the foothold
- Privilege Escalation - the attempt to expand the access to a system. We can escalate horizontally and vertically:
    - horizontally - accessing another account of the same permission group (i.e. another user),
    - vertically - accessing another permission group (i.e. `root`).
- Post-exploitation
    - What other hosts can be targeted (pivoting)
    - What additional information can we gather from the host now that we are a privileged user
    - Covering tracks
- Reporting
Frameworks
- OSSTMM
- OWASP
- NIST Cybersecurity Framework 1.1
- NCSC CAF
Scopes of testing
Our understanding of the target determines the level of testing performed in a penetration testing engagement.
- Black Box Testing - zero knowledge, e.g. only the URL of the application, or a list of IP addresses
    - a high-level process
    - the tester is not given any information about the inner workings of the application or service
    - the tester acts as a regular user
    - can involve interacting with the interface to see whether the intended result is returned
    - no specific knowledge
    - time consuming in terms of information gathering and enumeration
    - OSINT is quite important within this scope, as the pentester might need to do lots of reconnaissance
- Grey Box Testing - partial knowledge
    - the most popular in pentesting
    - a combination of both black-box and white-box testing processes
    - the tester has limited knowledge of the internal components of the tested piece
    - they still interact with the application as if it were a black-box scenario, then use the given knowledge to try and resolve the issues found
    - the limited knowledge given saves time, and is often chosen for extremely well-hardened attack surfaces
- White Box Testing - full knowledge
    - a low-level process usually done by a software developer who knows programming and application logic
    - the tester tests the internal components of the tested piece, e.g. ensuring that specific functions work correctly and within a reasonable amount of time
    - much more time consuming than black-box testing
    - the full knowledge in a white-box testing scenario provides a testing approach that guarantees the entire attack surface can be validated
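The black-box and white-box scopes above can be seen side by side on one small component. The following is an added illustration, not code from the original notes: the `AccessPolicy` class, its leftover "support" rule, the two case lists and the `line_coverage` helper are all constructed for this example. A black-box tester only calls the public `check()` interface with the accounts they were given, so their cases all pass and exercise only some of the branches; a white-box tester has read the source, writes one case per branch, and the extra branch surfaces as a finding. The coverage helper uses `sys.settrace` to count which lines of `check()` each set of cases actually executed.

```python
"""Black-box vs white-box testing of one toy access-control component.

Added example for the "Scopes of testing" notes; everything here is constructed
for illustration (AccessPolicy, the case lists, line_coverage) and is not from
the original page.
"""
import dis
import sys


class AccessPolicy:
    """Toy policy: a user may read their own home directory; root may read any.

    The third branch is a deliberately planted leftover rule that only someone
    reading the source (white-box scope) would know to test.
    """

    def __init__(self, owners):
        self.owners = owners  # resource path -> owner username

    def check(self, user, resource):
        if self.owners.get(resource) == user:
            return True
        if user == "root":
            return True
        if user.startswith("support-"):
            return True
        return False


POLICY = AccessPolicy({"/home/alice": "alice", "/home/bob": "bob"})

# Black-box scope: the tester knows only the interface and two ordinary
# accounts, so these are the cases a regular user could come up with.
BLACKBOX_CASES = [
    ("alice", "/home/alice", True),
    ("bob", "/home/bob", True),
    ("bob", "/home/alice", False),
    ("mallory", "/home/bob", False),
]

# White-box scope: the tester has read check() and adds one case per branch,
# recording what the policy *should* return (only the owner or root may read).
WHITEBOX_CASES = BLACKBOX_CASES + [
    ("root", "/home/alice", True),
    ("support-ticket42", "/home/alice", False),
]


def mismatches(policy, cases):
    """Return the cases whose real outcome differs from the tester's expectation."""
    return [(user, res, expected, policy.check(user, res))
            for user, res, expected in cases
            if policy.check(user, res) != expected]


def line_coverage(policy, cases):
    """Run the cases and return (lines of check() executed, lines in check())."""
    target = policy.check.__func__.__code__
    # Executable lines of the method body; the def line itself carries no 'line' event.
    body = {ln for _, ln in dis.findlinestarts(target) if ln > target.co_firstlineno}
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is not target:
            return None  # do not trace any frame other than check()
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for user, res, _ in cases:
            policy.check(user, res)
    finally:
        sys.settrace(previous)  # restore whatever tracer was active before
    return len(hit & body), len(body)


if __name__ == "__main__":
    for name, cases in (("black-box", BLACKBOX_CASES), ("white-box", WHITEBOX_CASES)):
        covered, total = line_coverage(POLICY, cases)
        print(f"{name}: {covered}/{total} lines of check() exercised, "
              f"findings: {mismatches(POLICY, cases)}")
```

Running the block prints that the black-box cases report no findings while leaving part of `check()` unexecuted, whereas the white-box cases reach every line and flag `support-ticket42` reading another user's directory. That gap is the practical meaning of the last bullet above: only full knowledge lets the tester claim the whole attack surface was validated.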