# Pentesting Fundamentals

## Ethics
A penetration test is an authorised audit of a computer system's security and defences, as agreed with the owners of the systems. The legality of penetration testing is clear-cut in this sense: anything that falls outside of this agreement is unauthorised.

Before a penetration test starts, a formal discussion takes place between the penetration tester and the system owner. The tools, techniques, and systems to be tested are agreed on. This discussion forms the scope of the penetration testing agreement and determines the course the penetration test takes.
| Hat Category | Description | Example |
|---|---|---|
| White Hat | These hackers are considered the "good people". They remain within the law and use their skills to benefit others. | A penetration tester performing an authorised engagement on a company. |
| Grey Hat | These people often use their skills to benefit others; however, they do not respect/follow the law or ethical standards at all times. | Someone taking down a scamming site without an agreement from the site owners to do so. |
| Black Hat | These people are criminals and often seek to damage organisations or gain some form of financial benefit at the cost of others. | Ransomware authors infect devices with malicious code and hold data for ransom. |
## Rules of Engagement (ROE)

The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections:
| Section | Description |
|---|---|
| Permission | Gives explicit permission for the engagement to be carried out. This permission is essential to legally protect individuals and organisations for the activities they carry out. |
| Test Scope | Annotates the specific targets to which the engagement should apply. For example, the penetration test may only apply to certain servers or applications but not the entire network. |
| Rules | Defines exactly which techniques are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are okay. |
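The three ROE sections map naturally onto a check that tooling can run before it touches a target. The following is an added example, not part of the original page: a constructed ROE (client, signer, dates, TEST-NET ranges and technique names are all placeholders) and a `check_action` function that refuses anything lacking signed permission, outside the engagement window, outside the agreed scope, or using a technique that was not agreed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Constructed model of an ROE, one field group per section on the page."""
    client: str
    signed_by: str                      # Permission: who authorised the work
    window_start: datetime              # Permission: engagement start (UTC)
    window_end: datetime                # Permission: engagement end (UTC)
    in_scope: list = field(default_factory=list)    # Test Scope: CIDRs / hosts
    permitted: set = field(default_factory=set)     # Rules: agreed techniques
    prohibited: set = field(default_factory=set)    # Rules: forbidden techniques


def check_action(roe, target_ip, technique, when):
    """Return (allowed, reason) for using `technique` on `target_ip` at `when`."""
    if not roe.signed_by:
        return False, "no signed permission on file"
    if not (roe.window_start <= when <= roe.window_end):
        return False, "outside the authorised engagement window"
    addr = ip_address(target_ip)
    if not any(addr in ip_network(net) for net in roe.in_scope):
        return False, f"{target_ip} is not in the agreed test scope"
    if technique in roe.prohibited:
        return False, f"technique '{technique}' is prohibited by the ROE"
    if technique not in roe.permitted:
        return False, f"technique '{technique}' was not agreed in the ROE"
    return True, "permitted"


# Constructed placeholder ROE; the IP ranges are RFC 5737 documentation networks.
ROE = RulesOfEngagement(
    client="Example Corp (placeholder)",
    signed_by="J. Doe, CISO (placeholder)",
    window_start=datetime(2024, 3, 1, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 15, tzinfo=timezone.utc),
    in_scope=["203.0.113.0/24", "198.51.100.10/32"],
    permitted={"port-scan", "mitm"},
    prohibited={"phishing"},
)
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)     # inside the window
AFTER = datetime(2024, 4, 1, tzinfo=timezone.utc)   # after the window closed

if __name__ == "__main__":
    for ip, tech in [("203.0.113.5", "port-scan"), ("203.0.113.5", "phishing"),
                     ("192.0.2.9", "port-scan")]:
        print(ip, tech, check_action(ROE, ip, tech, NOW))
```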
## Methodologies
- Information gathering
- Enumeration / Scanning
- Exploitation
- Privilege escalation
- Post-exploitation
### OSSTMM
The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.
### OWASP
The "Open Web Application Security Project" framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.
### NIST Cybersecurity Framework 1.1

The NIST Cybersecurity Framework is a popular framework used to improve an organisation's cybersecurity standards and manage the risk of cyber threats. This framework is a bit of an honourable mention because of its popularity and detail.
The framework provides guidelines on security controls & benchmarks for success for organisations from critical infrastructure (power plants, etc.) all through to commercial. There is a limited section on a standard guideline for the methodology a penetration tester should take.
### NCSC CAF
The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation's defences against these.
## Types of testing "boxes"
| Box type | Description |
|---|---|
| Black box | High-level process where the tester is not given any information about the inner workings of the application or service. |
| Grey box | The combination of both black-box and white-box testing processes. The tester will have some limited knowledge of the internal components of the application or piece of software. |
| White box | Usually done by a software developer who knows programming and application logic. The tester will have full knowledge of the application and its expected behaviour. White-box testing is much more time-consuming than black-box testing. |