
1. Process


Last updated 1 year ago

Penetration Testing Overview

Penetration Test: Authorized, targeted attack on infrastructure

Red Team Assessment: May be scenario-based; focuses on leveraging vulns for certain goals

Risk Management: Evaluate and mitigate risks that could be damaging

  • Reduce risk: Implementing appropriate controls, policies, measures

  • Inherent risk: Level of risk present even with appropriate controls

Vulnerability Assessments: Term for penetration tests

Automated tools (Nessus, Qualys, OpenVAS):

  • Automated: Can't adapt; manual testing has to also be done

Data Protection Act: Keep info private

Methods

External: External-facing hosts; try to obtain data and gain access to the internal network

  • Done with a VPN/VPS to avoid ISP blocking

Internal: Within the corporate network; assumed breach scenario

Types of Testing

Black box: Essential info only, like IPs, domains given

Grey box: Given additional info: Specific URLs, hostnames, subnets

White box: Everything disclosed: Internal view of everything, prepared attacks

Red teaming: Combined with others: Can include physical, social engineering

Purple teaming: Combined with others: Working with defenders

Environments/targets: webapp, mobile, API, thick client, network, cloud, source code, physical, employee, IOT, server, policies, firewalls, IDS/IPS, hosts

Laws/Regulations

USA

Computer Fraud/Abuse Act (CFAA): Federal: Criminal to access computer w/out auth

Hacking, id theft, malware

Criticism:

  • Provisions too far-reaching: Could criminalize research

  • Definitions are broad: Can apply to actions without malicious intent

Digital Millennium Copyright Act (DMCA): Prohibits circumventing measures to protect copyrights

  • digital locks, encryption, authentication, firmware, digital content

Electronic Comms Privacy Act (ECPA): Interception of electronic comms, includes internet

  • Unlawful to intercept, access, monitor, store comms without consent

  • No using intercepted comms as evidence in court

  • Responsibilities for service providers (SPs): They can't divulge contents of comms

  • Protects privacy, ensures individuals aren't subjected to illegal interception

Health Insurance Portability/Accountability Act (HIPAA): Governs use/disclosure of PHI

  • Encryption, data access, sharing records

  • Research conducted must follow policies/procedures; gov must approve

  • Mindful of possible data breaches, ensure PHI is secure

Children's Online Privacy Protection Act (COPPA): Collection of PII of children under 13

Precautionary Measures

  • Written consent: Obtained from the owner or an authorized representative

  • Stay in scope of consent obtained: Follow limitations

  • Take measures to prevent damage

  • Don't access, use, or disclose personal data/info obtained during the test without permission

  • Don't intercept electronic comms without consent

  • Don't conduct testing on networks covered by HIPAA without authorization

Penetration Testing Process

  1. Deterministic: Each state is causally dependent on, and determined by, previous states

  2. Stochastic: One state follows from other states only with a certain probability

  3. Pentesting: Successive steps performed by the tester to find a path to a predefined objective

  1. Pre-Engagement: Educating the client, adjusting the contract: Strictly defined, recorded

    • Conference, arrangements: NDA, Goals, Scope, Time Est., RoE

  2. Info Gathering

  3. Vuln Assessment: Analyze results

  4. Exploitation: Using results to test attacks

  5. Post-Exploitation: Privesc/hunt for sensitive data: Demonstrate impact

  6. Lateral Movement: Within internal network to access additional hosts

  7. PoC: Documents, screenshots, steps, write-up

  8. Post-Engagement: Clean up, documentation, report, modify report if needed

Pre-Engagement

Questions asked, contracts made: Clients tell us what they want

3 components: Scoping questionnaire, Pre-engagement meeting, Kick-off meeting

NDA: Non-Disclosure Agreement: must be signed by all parties

Types of NDA's

Unilateral: Only 1 party maintains confidentiality: Other can share info with 3rd parties

Bilateral: Both parties obligated to keep info confidential: Most common

Multilateral: Confidentiality by more than 2 parties: All parties responsible/involved sign

  • Who is permitted to contract us? CEO, CTO, CISO, CSO, CRO, CIO

Computer Misuse Act (UK)

Documents

  1. NDA: After initial contact

  2. Scoping Questionnaire: Before pre-engagement

  3. Scoping Document: During pre-engagement

  4. SoW: Scope of Work: During pre-engagement

  5. RoE: Rules of Engagement: Before kick-off

  6. Contracts Agreement (physical): Before kick-off

  7. Reports: During/After test

Scoping Questionnaire: Should clearly explain services; may ask the client to choose one/more:

  1. External, Internal Vuln Assessment, Pentest

  2. Wireless, Webapp, app, physical, SE, RT: Allow client to be specific

  3. Critical pieces of info:

    • How many hosts, IPs/CIDR ranges, domains/subdomains, SSIDs

    • How many web/mobile apps? How many roles (standard, admin)?

    • Phishing: How many users targeted? Will client provide a list, or we gather it?

  4. Physical: How many locations? If multiple sites, geographically dispersed?

  5. RT: Objective? Any activities out of scope?

  6. Separate AD Assessment?

  7. Bypass NAC (Network Access Control)?

  8. Black box, grey box, white box?

  9. Non-evasive, hybrid-evasive (quiet-to-louder), fully evasive?

Scoping Document: Based on questionnaire info

Discuss essential components with the customer

Pentest Proposal/Scope of Work (SOW): Info we gather, combined with data from the questionnaire

Contract

Checklist: NDA: Signed pre-kick-off, goals, scope, pentest type, methodologies, locations, time

Evasive Testing: Whether to attempt passing traffic monitoring and security systems in the infra

Risks: Inform about risks involved in tests and possible consequences

Scope Limitations: What's off limits and when

Information Handling: HIPAA, PCI, HITRUST, FISMA/NIST

Physical: Additional agreement: Different laws apply

  • Intro, contractor, purpose, goal, pentesters, contact info, physical addresses, building name

  • floors, physical room id, physical components, timeline, notarization, permission

Regulated data types:

  1. CC info - PCI (Payment Card Industry)

  2. Electronic PHI - HIPAA

  3. Private Banking Info - GLBA

  4. Gov info - FISMA

Compliance standards/frameworks:

  1. NIST: National Institute of Standards/Tech

  2. ISO: International Org for Standardization

  3. GDPR

  4. FedRAMP: Federal Risk/Auth Management Program

  5. AICPA: American Institute of Certified Public Accountants

  6. CIS Controls: Center for Internet Security Controls

  7. PCI-DSS: Payment Card Industry Data Security Standard

  8. COBIT: Control Objectives for info/tech

  9. ITAR: International Traffic in Arms Regulations

  10. NERC CIP Standards: NERC Critical Infrastructure Protection

Internal (cont. from Methods): Test how far we can move in the network: What vulns we can find from internal

  • Some techniques allow us to use an exploited host as a proxy

Tools/laws referenced above:

  • Nessus, Qualys, OpenVAS: Automated vulnerability scanners

  • Data Protection Act

  • CFAA: Computer Fraud/Abuse Act

  • DMCA: Digital Millennium Copyright Act

  • ECPA: Electronic Comms Privacy Act

  • HIPAA: Health Insurance Portability/Accountability Act

  • COPPA: Children's Online Privacy Protection Act