01.penetration testing process
::: PRE-ENGAGEMENT PHASE
the pentester and the client define the legal and technical matters of the engagement.
the document (or documents) containing all this information is called the "Rules of Engagement".
-scope of the engagement
-timeline and milestones
-liabilities/responsibilities
-allowed techniques
-deliverables and expectations
-statement of work
GOAL
-why do you want to execute a penetration test?
the physical scope (ips, hostnames, domains, etc.) and the logical scope (one department, the entire company, etc.) need to be defined
during the pre-engagement phase.
for a web pentest the scope will be defined more in terms of domains, subdomains, etc.; clear information about which ones are in scope
is needed.
TIMETABLE
the client needs to be aware of what will happen, when and where.
the pentester needs a tracking tool to keep the important information.
GANTT Tracking Tool
- the pentester and the client should agree on the test criticality definitions and come up with emergency steps to
undertake if things go badly for the client. this helps the client prepare its personnel for any
emergency plan.
LIABILITIES AND RESPONSIBILITIES
the pentester needs to ensure that most of the things that can be anticipated to go wrong are dealt with in the
pre-engagement phase.
>>> possible liabilities:
-you access sensitive data out-of-scope
-you accidentally remove data
-you accidentally cause unavailability of services
-any other catastrophic event with an impact on the org.
>>> responsibilities:
-keep the client informed
-keep reports and collected data in a safe place (encrypted, and destroyed after the info is shared with the client)
-follow a code of ethics
-non-disclosure of any information
EMERGENCY PLAN
-timetable
-contact in charge of response
-solutions to apply to the issue (rollback/backup plan)
ALLOWED TECHNIQUES
-you should agree with the client beforehand on which intrusive techniques you are allowed to use.
> list of the most common intrusive techniques:
--> brute force attacks
--> social engineering
--> data harvesting
--> phishing attacks
NOTE: social engineering and phishing are not always in scope.
deliverables = report or reports
PENTEST STANDARD / PTES
>> pre-engagement interactions
>> intelligence gathering
>> threat modeling
>> vulnerability analysis
>> exploitation
>> post-exploitation
>> reporting
PTES | Standard
PTES | Reporting
PTES | Pre-Engagement
> TESTING GUIDE
PTES | Testing Guide
...> REPORTING
what does the client want?
-status of the security of the assets in scope
-what is vulnerable
-what needs to be fixed first
...report needs to be:
-exhaustive
-clear
-on-time
-good looking
-adherent to client goals
the report starts when the pre-engagement starts; the engagement and client goals need to be part of the report.
the report will be addressed to "executive" / "IT department" / "development" audiences.
executive = you have to speak in terms of metrics, risk mitigation and money loss. no more than 2-3 pages.
IT department = details about which areas or departments are most affected and by which kinds of vulns.
development = about exploits, proofs of concept, remediation tips, source code, etc. (the technical one)
typical structure = executive summary > vuln report > remediation report.
Common Attack Pattern Enumeration and Classification
WASC THREAT CLASSIFICATION