Wikipedia

Draft:Penetration Testing Methodology

  • Comment: I suggest you publish this elsewhere, perhaps on Wikibooks. I think this is unlikely to be encyclopedic, as you yourself described it as a "paper." Alternatively, you could simply work on the existing article on penetration testing. JJPMaster (she/they) 21:03, 13 November 2024 (UTC)

Introduction

           Penetration testing is a proactive method of evaluating computer systems, networks, and applications with authorization. The penetration tester, or pen-tester, is responsible for safely identifying and exploiting vulnerabilities discovered during the assessment—vulnerabilities that could potentially be exploited by an attacker. This proactive approach enables clients to implement appropriate defense mechanisms to secure their assets before any malicious incidents occur..[1]

           To conduct a penetration test effectively, a penetration tester must have a clear plan or guidelines to follow. This ensures that no important steps are overlooked, which could lead to inaccurate results. The plan that the tester adheres to is known as a penetration testing plan, and it outlines a step-by-step process for testing the organization's security.

           The penetration testing plan outlined in this paper employs a Hybrid penetration testing methodology. This approach offers comprehensive guidelines from both a project management and a technical perspective. These guidelines address all aspects of penetration testing in a well-structured manner. Traditionally, penetration testing can be conducted in two ways: automated and manual. Automated pen testing uses tools and software for scanning vulnerabilities, simulating attacks, and generating reports with minimal human input. Manual pen testing, however, involves cybersecurity professionals who probe systems to find weaknesses using their expertise and creativity. Automated testing is efficient and cost-effective but may lack depth and generate false positives. Manual testing is thorough and adaptable but can be time-consuming and expensive.

PENETRATION TESTING PLAN

There are seven sections in the Hybrid Penetration Testing Guidelines, and these sections are divided into three different phases. The seven sections are as follows:

1.    Before penetration testing

  • Pre-engagement interactions

2.    During penetration testing.

  • Intelligence gathering
  • Threat modeling
  • Vulnerability analysis
  • Exploitation
  • Post-Exploitation

3.    After penetration testing.

  • Reporting

The “before penetration testing” is the first phase in the penetration testing that uses Hybrid Penetration Testing guidelines, in which all the pre-engagement interactions take place.[2]

a)    Pre-engagement interactions: These interactions include activities and sub-processes such as defining the scope, developing questionnaires, signing a non-disclosure agreement (NDA), establishing rules of engagement, providing emergency contact information, setting up communication channels, outlining goals, defining payment terms, and conducting denial-of-service (DoS) or stress testing. Additionally, it is important to specify inclusion and exclusion criteria for the test. These activities and sub-processes help both the client and the penetration tester gain a clear understanding of the test before it begins.

  1. Contractual Obligations: This document outlines the responsibilities of both the penetration tester and the client. Establishing these contractual obligations protects both parties and helps minimize potential conflicts. In the contract agreement, both parties detail their terms and conditions to ensure that the testing is conducted in accordance with the agreed-upon guidelines. Additionally, the cost of hiring a lawyer for contractual matters is typically less than the expenses associated with a lawsuit. The contractual obligations also include permissions for conducting the tests and a "get out of jail free" card that must be signed by executives at the "C-level." Furthermore, a non-disclosure agreement should be signed alongside the contract to safeguard the organization’s data and test results.
  2. Non-Disclosure Agreement: This legal contract between the pen tester and the client prohibits the tester from disclosing confidential material, information, knowledge, and test results to third parties.
  3. Get Out of Jail Free: The pen tester should obtain a "get out of jail free" card, which indicates that not only is the pen test authorized, but also that the client has the legal authority to approve the test.
  4. Goals: Setting clear goals in penetration testing is crucial, as all penetration tests should be goal-oriented. The client must be precise in defining the objectives for the penetration tester. This clarity benefits both parties, enabling them to establish clear objectives for the test. There are two types of goals: primary and secondary. Primary goals focus on identifying the organization’s most critical assets, while secondary goals are related to compliance.
  5. Define Scope: Defining the scope is a crucial component of penetration testing, as it outlines "what will be tested." This includes specifying the range of IP addresses involved, as well as the start and end dates of the engagement. It is essential for the client to clearly define the scope, and for the penetration tester to fully understand these boundaries. Exceeding the agreed-upon scope could lead to legal repercussions for the tester.
  6. Rules of Engagement: The scope defines what will be tested, while the rules of engagement specify how the testing will occur and everything that takes place between the start and end of the engagement. It is essential to understand that defining the scope and the rules of engagement are two distinct aspects, and confusion between them is common; therefore, they should be addressed separately. The rules of engagement include activities such as establishing timelines, determining testing locations, scheduling regular status meetings, specifying the time of day for testing, managing shunning and evidence handling, obtaining permission to test, and considering legal requirements.
  7. Timeline: Timelines assist in completing pen-testing tasks within designated timeframes. Organizations typically utilize Work Breakdown Structures (WBS) to segment the work and assign time for each task.
  8. Locations: This perimeter is used to define the locations where the pen-test will be performed.
  9. Regular status meetings: Regular status meetings should focus on plans, progress, and problems. These meetings should be brief and held daily to update on the current testing status.
  10. Time of the day to test: Organizations typically require testing to be conducted during non-business hours to avoid any disruption to regular operations. Therefore, the specific time of day should be included in the rules of engagement.
  11. Permission to test: This document outlines the scope and authorization for penetration testing, signed by a C-level executive. The permission to test document is the most critical document required for conducting penetration testing.
  12. Legal considerations: Penetration testing can be conducted in multiple locations for an organization with branches in different areas. Thus, it is crucial to understand local laws, leading to legal considerations based on various locations.
  13. Inclusion and exclusion for the test: The inclusion and exclusion of the test define what networks and servers are included in pen testing and what networks and servers are excluded during the test.
  14. Establishing communications: The communication with the client can be the difference between good pen-testing and great pen-testing. Communication allows the pen-tester to better understand the client’s needs and keep them updated about the progress of the test.
  15. Emergency contact information: This list consists of contact information for all the executives who are involved in the scope of pen testing. This proves vital in case of any emergency.
  16. Payment terms: This establishes how the payment is made, there are three common methods to do so the first one is the “Net 30” in which the total amount is paid within 30 days of delivering the final report, the second method is “half upfront” half payment and is paid before the testing begins, the third method is “recurring” in this the client pays in installments.    The second phase of the PTES guidelines is the “during pen-testing” phase. In this activities like intelligence gathering, threat modeling, vulnerability analysis, exploitation, and post-exploitation take place.

b)    Intelligence Gathering: This is also known as the reconnaissance stage and in this stage, all the information about the target is collected. This information might come into use during the vulnerability assessment and exploitation sessions.

  1. Target selection: The first step in intelligence gathering is identifying the target. While this is typically addressed in the pre-penetration testing phases, it can become confusing if the organization has multiple servers and domains. Reviewing the rules of engagement is also important, as it helps the penetration tester stay focused. The time spent on intelligence gathering directly impacts the overall duration of the test.
  2. OSINT: Open source intelligence involves collecting information about a target from publicly available sources, such as websites and Google hacking. There are three types of information gathering: passive, semi-passive, and active.
  3. HUMINT: This process involves gathering information about the target from human sources, specifically by interacting with the client. Incorporating a human perspective during the intelligence-gathering phase provides the pen-tester with a clearer understanding.
  4. Footprinting: Footprinting is the process of gathering external information about a target by interacting with it. There are two types of footprinting: external footprinting, which is used to identify a client's external range of networks, and internal footprinting, which is employed when the tester has access to the internal networks.

c)      Threat Modeling: In this phase of penetration testing that follows PTES guidelines, a threat modeling approach is implemented. Although there isn’t a specific model prescribed by this standard, it should be capable of producing consistent results in representing threats along with their capabilities and qualifications in relation to the organization being tested. The two key elements of this standard are assets and attackers[3]

  1. Business Asset Analysis: This is a part of threat modeling in which the penetration tester examines all business assets and related documents, such as policies, plans, technical information, financial data, employee records, and customer information. The tester engages with responsible employees to identify assets that may be vulnerable to attacks and assesses the potential impact on the business by estimating their value.
  2. Business Process Analysis: In this stage, the business processes and assets are analyzed and then it is divided into critical and non-critical functions. This is helpful in identifying a threat to what function will make the organization lose money.
  3. Threat Agents/Community Analysis: In this stage, the threats are identified in terms of location, that is whether it is external or internal to an organization, this helps the establishment of the capabilities and motivations of the agent or community.
  4. Threat Capability Analysis: In this stage, the identified threat is analyzed to predict the actual probability of the identified community/agent by building an accurate threat model using these identified threat communities.

d)    Vulnerability Analysis: This is a process of testing the vulnerabilities discovered in the system or an application that can be the target of the attacker. For every tested component the process of searching for vulnerabilities is completely different depending on what part or component is being tested as the vulnerability can be in a service or application.

  1. Active: This is a type of testing that involves direct interactions with the low stack components like TCP stack or higher stack components like web-based interface depending on which one is tested for vulnerabilities. Automated and manual are the two ways in which interactions can be made with the components.
  2. Passive: This testing is opposite to active testing this testing interacts with the components indirectly. passive testing involves things like metadata analysis and traffic monitoring,
  3.  Validation: Validation includes correlating the tools in which correlations are broken down into specific and categorical correlations based on the type of information, metrics, and statistics. Manual testing is also a part of validation, here the discovered vulnerabilities are manually tested.
  4. Research: There are two types of research they are public research and private research. In public research, the accuracy of the vulnerability is determined after the vulnerability is found on the target system that lies within the scope. The private research is a process of setting up a replica environment on a virtual machine and then testing the environment.[4]

e)     Exploitation: The exploitation is the phase of pen-testing in which actual penetration takes place by gaining access to the system or resource by exploiting vulnerabilities and bypassing the security of the system. This phase is completely dependent on the previous phase of vulnerability analysis if that is done properly then exploitation should be a well-planned hit.

  1. Countermeasures: Intrusion detection systems, intrusion prevention systems, firewalls, and security guards are considered as countermeasures that hinder the ability to penetrate successfully. These countermeasures should be considered before penetrating as there is a risk of tripping the alarms.
  2. Evasion: Evasion is known as a method of escaping detection during the pen-testing by evading technology or a person. The technique of evasion should be planned before the exploit.
  3. Tailored Exploits: In most cases, the exploits designed for an operating system might not work on the other version of that particular operating system so the pen-tester should be able to customize the exploit in order to complete the attack.
  4. Zero-day angle: This is considered as a last resort for the pen-tester as it can be only performed against highly advanced organizations that can handle focused attacks through normal methods.

f)     Post Exploitation: In this phase, the value of the compromised machine is determined by the sensitivity of the data on the machine and the usefulness of the machine for further compromising other networks by maintaining access to the system. This phase helps the pen-tester to identify further vulnerabilities and use them to gain access to other networks.

  1. Rules of engagement: If the methods used in the exploitation differ from those agreed in the Rules of Engagement then the Rules of Engagement specific to the post-exploitation must be followed which includes guidelines to protect the client and protect yourself.
  2. Infrastructure analysis: This is used to identify the network configuration by identifying the interfaces, routing tables, DNS servers, Proxy servers ARP entries. The infrastructure analysis should so identify all the Network services like listening services, VPN connections, directory services, and neighbors.  
  3. Pillaging: After the pen-tester successfully penetrates into the target system he or she needs to obtain information from the target that is relevant to the scope defined in the pre-engagement phase, this is done in order to fulfill the goal or to gain further access into the network this process is called pillaging.
  4. High-value/profile targets: The data gathered from the compromised systems and from those systems and services that interact with the compromised systems can help in identifying the high-value/profile targets. These high-value/profile targets help in identifying and measuring the impact on the business.
  5. Data exfiltration: An exfiltration path should be created from all the areas where the access can be achieved. After the mapping exfiltration testing should be done. The main aim of this test is to see whether the controls in place is able to detect and block sensitive information from leaving the organization.
  6. Clean up: Clean up is the process that is done after the pen-testing is completed. This process cleans up systems by removing all backdoors and rootkits installed and also removing executable scripts, temporary files, and user accounts created for connecting back to compromised systems.  

g)    Reporting: This is a document that is created in a way that is understandable to the client. This document consists of methods and results of the tests that were conducted on various systems. There are two main sections of a report; executive summary and technical report.

  1. The executive summary:  This section is intended for the people who are in charge of the oversight and strategic vision of the security program and also for the members who may be impacted by the threads that are identified or confirmed. The executive summary should consist of a background section, over posture, risk ranking, general findings, recommendation summary, and strategic roadmap.
  2. Technical report: This section should consist of all the technical details of the test and it should also consist of the aspects/components that were agreed upon during the pre-engagement period. There should be a detailed description of the scope, information attack path, impact, and suggestions of the test.[5]

Conclusion

          Hybrid Penetration Testing provides excellent guidelines for a pen-tester to perform pen-test, using the Hybrid Penetration Testing guidelines a tester can cover all the significant aspects of the test in a strategic way. As there are seven sections of the Hybrid Penetration Testing guidelines and each section of the guideline is designated to perform different tasks. These sections are arranged in a way that each section is dependent on the previous section except the first one.

            In the pre-assessment section that is performed in the before-testing phase all the legal elements are taken care of including NDA and get out of jail free card. The second section also known as the intelligence gathering phase in which all the information about the client is gathered and then comes the threat modeling section where the model approach opts and a model is created by the pen-tester to better understand the situation. The vulnerability analysis is the four fourth section in which all the vulnerabilities of the client are analyzed by the tester and then comes the main section of the pen-testing; exploitation, this is the section in which the actual pen testing takes place by exploiting the vulnerabilities that were analyzed in the previous phase. The post-exploitation is all about analyzing infrastructure, pillaging, data exfiltration and clean up. Reporting is the last section of the Hybrid Penetration Testing in which a document is created that consists of all the detailed information about the information, test procedures, and results. Despite doing pen-testing it can reduce the risk of getting attacked but it cannot eliminate the risk as no system is 100% secure.

References

edit

[6]

  1. ^ "Top Penetration Testing Methodologies | IBM". www.ibm.com. 2024-08-01. Retrieved 2024-11-13.
  2. ^ "WSTG - Latest | OWASP Foundation". owasp.org. Retrieved 2024-11-13.
  3. ^ "Threat Modeling - The Penetration Testing Execution Standard". www.pentest-standard.org. Retrieved 2024-11-13.
  4. ^ "Vulnerability Analysis - The Penetration Testing Execution Standard". www.pentest-standard.org. Retrieved 2024-11-13.
  5. ^ "Reporting - The Penetration Testing Execution Standard". www.pentest-standard.org. Retrieved 2024-11-13.
  6. ^ "Penetration Testing | U.S. Department of the Interior". www.doi.gov. 2015-06-08. Retrieved 2024-11-13.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Draft:Penetration_Testing_Methodology&oldid=1257217104"