Web Penetration Testing. Radhi Shatob
Online reading excerpt, page 5.
Is the act of gathering preliminary data or intelligence about the target machine; it is vital for identifying the attack surfaces and for collecting as much data as possible:
Gather initial data.
Determine the network range.
Identify active machines.
Discover open ports and access points.
Fingerprint the operating systems.
Uncover services on ports.
Map the network.
Scanning phase
Scanning can be classified into two main parts:
Network Scan
Can be regarded as part of the scanning phase as well as of the reconnaissance phase; it is used to discover the end-user devices, servers and peripherals that exist on the network.
The results can include details of the discovered devices: IP addresses, device names, operating systems, running applications and services, open shares, usernames and groups.
Tools used are network mappers, port scanners, ping tools, etc.
Vulnerability scan
Inspection of the potential exploit points on a computer or network.
Detects and classifies system weaknesses.
Vulnerability scanners are generally used for this purpose.
Exploitation and post-exploitation phase
Also known as gaining access to, and maintaining access on, the target systems.
Exploitation is taking control of one or more network devices, either to extract data from the target or to use the device to launch further attacks.
Post Exploitation
Maintaining control of the machine for later use.
Determining the value of the compromised machine.
Value is determined by the sensitivity of the data stored on it and by the usefulness of the machine for further use.
Covering Tracks Phase
The covering tracks phase is the final phase before reporting. In a penetration test it means returning the target to the state it was in before the test, which is only possible if every change was logged as it was made; the phase consists of the following steps:
Return everything to initial state.
Remove exception rules:
Created by admins before the pen-test.
Created by the pen-tester to gain an advantage over the network, IDS, IPS, WAF, firewall, etc.
Delete any user added during the pen-test.
Remove backdoors.
Remove key-loggers, if any.
Reverse the configuration changes made.
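The steps above are only reliable if each change is recorded together with its undo action at the moment it is made, then reverted in reverse order and checked against a snapshot of the original state. The following is an added example, not code from the book, of such a change ledger: the target host is a constructed in-memory dict, and add_user, add_fw_exception and install_cron are stand-ins for the real useradd, firewall and crontab commands a tester would run. It also covers the two awkward cases in the list: the exception rule admins created before the test (present in the baseline, yet still to be removed) and a change the tester forgot to log.

```python
"""Change ledger for the covering-tracks (cleanup) phase.

Added example for this section, not code from the book. The target host
is a constructed in-memory dict; add_user/add_fw_exception/install_cron
stand in for the real useradd, firewall and crontab commands a tester
would run, and each records its own undo step.
"""
import copy


class CleanupLedger:
    """Every change made during the test, paired with the action that reverts it."""

    def __init__(self):
        self._entries = []          # [description, revert_callable, reverted]

    def record(self, description, revert):
        self._entries.append([description, revert, False])

    def revert_all(self):
        # Undo in reverse order: the firewall hole opened for a backdoor is
        # closed only after the backdoor itself is gone.
        for entry in reversed(self._entries):
            if not entry[2]:
                entry[1]()
                entry[2] = True
        return len(self._entries)

    def outstanding(self):
        return [desc for desc, _, done in self._entries if not done]


def add_user(host, ledger, name):
    host["users"].append(name)
    ledger.record(f"delete user {name}", lambda: host["users"].remove(name))


def add_fw_exception(host, ledger, rule):
    host["firewall"].append(rule)
    ledger.record(f"remove firewall rule {rule!r}", lambda: host["firewall"].remove(rule))


def install_cron(host, ledger, line):
    host["cron"].append(line)
    ledger.record(f"remove cron entry {line!r}", lambda: host["cron"].remove(line))


def note_admin_exception(host, ledger, rule):
    """Exceptions admins added before the test are in the baseline but must also go."""
    ledger.record(f"remove pre-test admin rule {rule!r}", lambda: host["firewall"].remove(rule))


def state_diff(expected, actual):
    """{key: (expected, actual)} for every setting that still differs; empty means clean."""
    return {k: (sorted(expected[k]), sorted(actual[k]))
            for k in expected if sorted(expected[k]) != sorted(actual[k])}


def run_engagement(record_everything=True):
    """Simulate a test and its cleanup; returns (final diff, unreverted ledger items)."""
    admin_rule = "allow 10.9.9.9 any"                       # created by admins for the test
    host = {"users": ["root", "alice"], "firewall": [admin_rule], "cron": []}
    baseline = copy.deepcopy(host)                          # snapshot before touching anything
    expected_end = copy.deepcopy(baseline)
    expected_end["firewall"].remove(admin_rule)             # end state = baseline minus admin exception
    ledger = CleanupLedger()
    note_admin_exception(host, ledger, admin_rule)
    add_fw_exception(host, ledger, "allow 10.9.9.10 tcp/4444")
    add_user(host, ledger, "svc_pt")
    install_cron(host, ledger, "* * * * * /tmp/.x")
    if not record_everything:
        host["users"].append("helper")                      # a change made without logging it
    ledger.revert_all()
    return state_diff(expected_end, host), ledger.outstanding()


if __name__ == "__main__":
    print("careful tester:", run_engagement())
    print("sloppy tester: ", run_engagement(record_everything=False))
```

The ledger alone cannot catch what was never written down, which is why the final check compares the host against the pre-test snapshot: in the second run the unlogged "helper" account shows up in the diff even though every ledger item was reverted.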
Reporting phase
The report is the "tangible" output of the penetration test; a pen-test report typically consists of the following sections:
Introduction: summary, purpose, scope and duration of the test.
Management summary: summary of the test results, the overall security state of the organization, and whether the pen-tester succeeded in gaining access.
Findings section: lists all the vulnerabilities found during the pen-test. Since the findings are the most important section of the report, the following details should be given for each finding:
Short name of the vulnerability.
Severity level (urgent, critical, high, medium, low, informational).
List of vulnerable assets.
Detailed explanation of the vulnerability.
Brief summary of how the vulnerability was identified.
References about the vulnerability.
Recommendation section: how the owner can harden the system.
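Findings are usually kept as structured records during the test and rendered into the report at the end, which is also the point at which incomplete entries are caught. The following is an added example, not code from the book: it enforces the per-finding details listed above, orders findings by the severity scale given, derives the numbers the management summary needs, and renders the findings section as plain text. The two findings it uses are constructed for a fictitious engagement.

```python
"""Validate findings and build the findings and management-summary sections.

Added example for this section, not code from the book. The findings are
constructed; required fields and the severity scale follow the list above.
"""
from collections import Counter

SEVERITY_ORDER = ["urgent", "critical", "high", "medium", "low", "informational"]
REQUIRED = ("name", "severity", "assets", "description", "how_identified", "references")


def validate(finding):
    """Reject a finding that lacks any of the details the report must give."""
    missing = [f for f in REQUIRED if not finding.get(f)]
    if missing:
        raise ValueError(f"finding {finding.get('name', '?')!r} is missing {missing}")
    if finding["severity"] not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {finding['severity']!r}")
    return finding


def sort_findings(findings):
    """Most severe first, then by name, so the reader sees what matters most."""
    return sorted((validate(f) for f in findings),
                  key=lambda f: (SEVERITY_ORDER.index(f["severity"]), f["name"]))


def management_summary(findings, access_gained):
    """Numbers for the management summary: counts per severity, assets hit, access result."""
    findings = sort_findings(findings)
    counts = Counter(f["severity"] for f in findings)
    assets = sorted({a for f in findings for a in f["assets"]})
    return {
        "total": len(findings),
        "by_severity": {s: counts[s] for s in SEVERITY_ORDER if counts[s]},
        "highest": findings[0]["severity"] if findings else None,
        "affected_assets": assets,
        "access_gained": access_gained,
    }


def render_findings(findings):
    """Plain-text findings section, one numbered entry per vulnerability."""
    lines = []
    for i, f in enumerate(sort_findings(findings), 1):
        lines.append(f"{i}. [{f['severity'].upper()}] {f['name']}")
        lines.append(f"   Affected: {', '.join(f['assets'])}")
        lines.append(f"   Details: {f['description']}")
        lines.append(f"   Identified by: {f['how_identified']}")
        lines.append(f"   References: {', '.join(f['references'])}")
    return "\n".join(lines)


# Constructed findings for a fictitious engagement.
FINDINGS = [
    {"name": "Outdated TLS configuration", "severity": "medium",
     "assets": ["web01.lab.test"],
     "description": "The web server still offers TLS 1.0.",
     "how_identified": "TLS scan during the scanning phase",
     "references": ["OWASP Transport Layer Security Cheat Sheet"]},
    {"name": "Default credentials on admin console", "severity": "critical",
     "assets": ["web01.lab.test", "web02.lab.test"],
     "description": "The administrative login accepts the vendor default password.",
     "how_identified": "manual login attempt during the exploitation phase",
     "references": ["OWASP WSTG-ATHN-02", "vendor hardening guide"]},
]

if __name__ == "__main__":
    print(management_summary(FINDINGS, access_gained=True))
    print(render_findings(FINDINGS))
```

Because validate runs inside sort_findings, neither the summary nor the findings section can be produced from a record that lacks one of the required details or uses a severity outside the agreed scale; the report fails to build instead of shipping with a gap.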
Legal Issues
Before beginning a pen-test, the penetration tester and the company should enter into a contract stating exactly what the pen-tester will and will not do, and the range of IP addresses, subnets, computers, networks or devices that will be the subject of the pen-test.
The contract should state not only that the pen-test is authorized by the customer, but also that the customer has the legal authority to authorize it. This is especially important for cloud-based systems: if the customer authorizes the pen-tester to test a system or application that resides in the cloud, the customer has no legal authority over the cloud platform itself and should obtain authorization from the cloud service provider first, or confirm that the provider's published penetration-testing policy already permits the planned tests. If the provider is uninformed and did not authorize the test, it may pursue the pen-tester for unauthorized access.
A Non-Disclosure Agreement (NDA) is a legal contract that describes the confidential material, knowledge or information the customer will share with the pen-tester but wishes to keep from third parties; it is needed because the pen-tester will learn almost everything about the environment.
Penetration Testing standards
Since penetration testing is very important for cyber security, several organizations and consortia have documented guidelines for penetration testing, such as:
PCI DSS: Payment Card Industry Data Security Standard.
OWASP: Open Web Application Security Project.
PTES: Penetration Testing Execution Standard.
OSSTMM: Open Source Security Testing Methodology Manual.
NIST SP 800-115: National Institute of Standards and Technology Special Publication 800-115.
End of the preview excerpt.
Text provided by LitRes LLC (ООО «ЛитРес»).