Introduction to Pentesting
A penetration test, or pentest, is an ethically-driven attempt to test and analyse the security defences that protect an organisation's assets and information.
A penetration test involves using the same tools, techniques, and methodologies that someone with malicious intent would use and is similar to an audit.
Penetration Testing Ethics
Hackers are sorted into three hats, based on their ethics and motivations behind their actions.
White hats
Grey hats
Black hats
White Hats
Good hackers.
Follow the rules and use their skills to benefit others.
Grey Hats
Do not always follow the rules.
Often use their skills to benefit others.
Black Hats
Evil hackers.
Often seek to damage organizations.
Rules of Engagement (ROE)
The ROE is a document that is created at the initial stages of a penetration testing engagement.
This document consists of three main sections.
Permission - This section gives explicit permission for the engagement to be carried out.
Test Scope - This section will annotate specific targets to which the engagement should apply.
Rules - This section will define exactly the techniques that are permitted during the engagement.
Penetration Testing Methodologies
The steps a penetration tester takes during an engagement are known as the methodology.
The steps involved in a typical penetration test are as follows:
Information Gathering
Enumeration/Scanning
Exploitation
Privilege Escalation
Post-exploitation
Information Gathering
This stage involves collecting as much publicly accessible information about a target as possible.
Example: OSINT and research.
This does not involve scanning any systems.
Enumeration or Scanning
This stage involves discovering applications and services running on the systems.
For example: Finding open ports, finding a web server that may be potentially vulnerable.
Exploitation
This stage involves leveraging vulnerabilities discovered on a system or application.
This stage can involve the use of public exploits or exploiting application logic.
Privilege Escalation
After exploitation, privilege escalation is an attempt to expand your access to a system.
There are two types of privilege escalation:
Horizontal escalation: accessing another account in the same permission group (i.e. another user).
Vertical escalation: accessing an account in a higher permission group (i.e. an administrator).
Post Exploitation
This stage includes the following:
What other hosts can be reached from the compromised host (pivoting).
What additional information can be gathered from the host now that we are a privileged user.
Covering your tracks.
Reporting.
OSSTMM
OWASP
Open Web Application Security Project - https://owasp.org/
Community-driven and frequently updated framework used solely to test the security of web applications and services.
Read about the top 10 vulnerabilities here: https://owasp.org/Top10/
NIST Cybersecurity Framework 1.1
National Institute of Standards and Technology - https://www.nist.gov/cyberframework/
Popular framework used to improve an organisation's cybersecurity standards and manage the risk of cyber threats.
NCSC CAF
Principles of Security
CIA Triad
The CIA triad is an information security model that is considered throughout the creation of a security policy.
The model consists of three sections: Confidentiality, Integrity and Availability (CIA).
Confidentiality is the protection of data from unauthorized access and misuse.
Integrity is the condition where information is kept accurate and consistent unless authorized changes are made.
Availability is the condition where information should be available when authorised users need to access it.
Principles of Privileges
Two key concepts are used to assign and manage the access rights of individuals.
Privileged Identity Management (PIM)
Privileged Access Management (PAM)
PIM is used to translate a user's role within an organisation into an access role on a system.
PAM is the management of the privileges a system's access role has, amongst other things.
Security Models
Some popular and effective security models used to achieve the three elements of the CIA triad are:
The Bell-La Padula Model
Biba Model
The Bell-La Padula Model is used to achieve confidentiality.
This model uses the rule "no write down, no read up".
The Bell-La Padula Model is popular within governmental and military organisations.
The Biba model is arguably the equivalent of the Bell-La Padula model, but for the integrity element of the CIA triad.
This model uses the rule "no write up, no read down".
For example: a doctor would not be able to read the notes made by a nurse in a hospital with this model.
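As an added example (not part of the original notes), the following Python script simulates both rule sets with constructed level names; the hospital case above is encoded with the doctor at a higher integrity level than the nurse's notes:

```python
# Added example, not from the original notes: a small simulation of the
# Bell-La Padula and Biba rules. The level names below are constructed.

# Ordered levels, lowest to highest (constructed for illustration).
LEVELS = ["public", "internal", "confidential", "secret"]

def rank(level: str) -> int:
    """Position of a level in the ordering; larger means higher."""
    return LEVELS.index(level)

# Bell-La Padula (confidentiality): "no read up, no write down".
def blp_can_read(subject_level: str, object_level: str) -> bool:
    # Simple security property: clearance must dominate the classification.
    return rank(subject_level) >= rank(object_level)

def blp_can_write(subject_level: str, object_level: str) -> bool:
    # *-property: a subject may only write to objects at or above its level.
    return rank(subject_level) <= rank(object_level)

# Biba (integrity): "no read down, no write up".
def biba_can_read(subject_level: str, object_level: str) -> bool:
    # A subject may only read objects of equal or higher integrity.
    return rank(subject_level) <= rank(object_level)

def biba_can_write(subject_level: str, object_level: str) -> bool:
    # A subject may only write objects of equal or lower integrity.
    return rank(subject_level) >= rank(object_level)

def hospital_example() -> dict:
    """The hospital case from the notes: the doctor holds a higher integrity
    level ("confidential") than the nurse's notes ("internal")."""
    doctor, nurse_notes = "confidential", "internal"
    return {
        "biba_doctor_reads_nurse_notes": biba_can_read(doctor, nurse_notes),
        "biba_doctor_writes_nurse_notes": biba_can_write(doctor, nurse_notes),
        "blp_doctor_reads_nurse_notes": blp_can_read(doctor, nurse_notes),
        "blp_doctor_writes_nurse_notes": blp_can_write(doctor, nurse_notes),
    }

if __name__ == "__main__":
    for rule, allowed in hospital_example().items():
        print(f"{rule}: {'allowed' if allowed else 'denied'}")
```

Under Biba the doctor is denied the read but may write down to the notes; under Bell-La Padula the same pair of levels flips to read allowed, write denied.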
Threat Modelling & Incident Response
Threat Modelling
Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation's information technology infrastructure and services.
An effective threat model includes:
Threat intelligence
Asset identification
Mitigation capabilities
Risk assessment
There are frameworks, such as STRIDE, to help implement the threat model. STRIDE covers the following threat categories:
Spoofing identity
Tampering with data
Repudiation threats
Information disclosure
Denial of Service
Elevation of privileges
Incident Response
A breach of security is known as an incident.
An incident is responded to by a Computer Security Incident Response Team (CSIRT), following these phases:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned