What makes up a Pentest
In this next article we look at a generalised pentest process. This helps us to understand the pentest in general, and introduces some of the topics that we will cover later in the module.
Set Scope and Rules of Engagement (ROE)
Unless you end up going down the Black or Grey hat routes, the ROE are going to define what you do in the test and the types of tools and techniques you will use.
We need to understand the conditions and rules that we can attack a system under. These will be set as part of a negotiation with the customer and give the tester (and testing company) the scope for the work.
While it might seem that this scoping process only happens during a "professional" pen-test, it also applies to things like bug bounty programs. As part of the program an organisation will usually have a set of rules and a scope for testing parts of the site (you can usually find these via the security.txt file). For example, Google's security.txt links you to the bug bounty program, which contains the scope of the program, details of how to claim, and the kinds of rewards you might get (and gives you a flag).
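As an added example (not part of the course material), a small Python parser for the security.txt format (RFC 9116) that pulls out the Contact, Policy and Expires fields a tester would check before relying on a programme's published scope; the file contents are constructed and the example.com URLs are placeholders.

```python
from datetime import datetime, timezone

# Constructed sample in RFC 9116 format (not a real organisation's file);
# real ones are served at https://<domain>/.well-known/security.txt
SAMPLE_SECURITY_TXT = """\
# Constructed example security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security-contact
Expires: 2030-01-01T00:00:00.000Z
Policy: https://example.com/bug-bounty-policy
Preferred-Languages: en, fr
"""


def parse_security_txt(text):
    """Map lower-cased field name -> list of values (fields may repeat).

    Blank lines, '#' comments and lines with no ':' are skipped rather than
    rejected, so a slightly malformed file still yields its usable fields.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def scope_checks(fields, now=None):
    """Checks before relying on the file: a Contact to report to, a Policy
    (where the programme's scope and rules normally live) and an Expires
    date still in the future (a missing/unparsable Expires counts as expired)."""
    now = now or datetime.now(timezone.utc)
    not_expired = False
    for value in fields.get("expires", []):
        try:
            # RFC 3339 timestamp; fromisoformat() wants '+00:00', not 'Z'
            expiry = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            continue
        if expiry.tzinfo is None:  # treat a bare timestamp as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        not_expired = expiry > now
    return {
        "has_contact": bool(fields.get("contact")),
        "has_policy": bool(fields.get("policy")),
        "not_expired": not_expired,
    }
```

The Policy URL is the document to read for the actual scope; the file itself only tells you where to look and whether it is still current.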
Examples of the scoping stage
Examples of things that will be set out at the scoping stage:
- What are the aims of the test? Is it just to break into the system, or are other factors, like demonstrating resistance to DoS, part of the test?
- What needs to be tested? Is it just a website, or is it a more comprehensive test including other system components like the network? What about social engineering: are you expected / allowed to use phishing (or similar) as part of the process?
- Are there systems or components that are out of scope? For example, if we are testing an organisation's security, servers that contain employees' PII may be out of scope for the engagement.
- Is it a Black box test, or will the attackers have access to "internal knowledge", for example: network structure, system details and/or source code?
- What are the rules surrounding times of attack? Some tests may be on a live system that is used for business needs, therefore the tests would need to take place outside of normal working hours.
- Are we trying to actively avoid the Blue Team? This will affect some of the tools and techniques we might use.
- Is the test purely electronic, or is a physical penetration test also required?
Note
Obviously, we won't look at defining the ROE section in too much detail in this module (as we don't have a machine to attack, and the online teaching means we have less to worry about when it comes to IT Services).
However, there will be some implied ROE here. Don't go trying the tools on systems you don't own or have permission to attack. PLEASE don't play about with the university systems unless you have permission; ITS are quick to anger and their wrath should be avoided.
Why we have scope
Simply put, it's there to protect you (and the company you are testing).
While you may have permission to attack an organisation's computer system as part of a pen-test, there are other laws that still need to be considered. For example, GDPR details rights of access for employee data and sensitive information. GDPR legislation protects people against accidental as well as malicious data breaches, so if you access this kind of info as part of your pen-test you may be causing a data breach.
By setting out which areas of a system can be attacked, an organisation can put procedures in place that help to protect the core systems they own from accidental damage, or legal issues.
Additionally, it can also help to protect you from the same sort of problems. Having a contract in place that states you are allowed to access parts of the system will make it clear what your roles and responsibilities are in the process, and the extent that you are responsible for the data you can access.
Reconnaissance: Learning about the target.
Once the ROE are clearly defined, the pen-test can move to the next stage.
Reconnaissance (recon) is arguably the most important stage of the pen-test. Through the recon process we will build up a picture of the target, and identify any potential avenues for attack.
The types of reconnaissance will depend on the target and the ROE, and may include both passive and active methods.
We will cover Recon in more detail in the next couple of weeks.
Exploitation: Breaking into the Target.
The fun part of an Ethical hacking career. This is where we will break into the system itself.
The success of this stage will depend on the thoroughness of the reconnaissance effort. If we do a good job on the recon, we are more likely to find flaws. The more issues we find, the less likely we are to need some deep technical voodoo to exploit them.
Obviously, we will cover the exploitation phase later in the module.
Post Exploitation: How far can you go?
Depending on the scope of the pen-test, once we have got our initial access to the system through the exploitation phase, some post exploitation may also be required.
I define the post-exploit phase as getting as much information on the system as possible after the initial exploit. This might include privilege escalation, or making use of your new access to move further into the network.
Note
Some definitions of the Exploit phase may also include post-exploit as a single item.
I prefer to keep them separate, and take:
- exploitation: Getting successful access to the remote system. (You have shown it's insecure, so have won.)
- post-exploit: Getting as much detail on the system as possible, once you have broken in.
Documentation: The Writeup
Finally, we need to document the pen-test. The actual content of the report will depend on the final target, but you should expect it to cover details of the full penetration test process, from reconnaissance to exploitation.
Summary
In this section we have looked at the penetration test process, and introduced the main stages.
- Scope
- Reconnaissance
- Exploitation
- Post-Exploitation
- Documentation
While some of the stages may be more "fun" than others, they are all an important part of the process.
We will revisit these stages throughout the module, starting with recon, and moving on to the exploitation phases.
Pen Test Methods
There are also well-documented pen-testing methodologies. For example:
Take a look at one of the standards (for example PTES). How does it map across to the generic stages given above? Are there any extra stages in the standard?