Web Penetration Testing. Radhi Shatob. Read online. Newlib. NEWLIB.NET

Author: Radhi Shatob
Publisher: Ingram
Genre: Foreign computer literature
ISBN: 9781922405364
it possible to extract plain data from the customer database?

      Scope of Penetration Testing

      Different areas of an IT environment may be subject to a pen-test. The customer decides the scope of the pen-test and what should be tested, under the guidance of the pen-tester. Some of the areas the pen-tester should go through and agree with the customer on as part of the pen-test are:

       External (Internet-facing) network.

       Internal network.

       Web applications.

       Servers.

       Network devices.

       Database Management systems.

       Applications.

       Social Engineering.

       DDoS (denial-of-service testing).

       Physical Security.

       And more, depending on customer environment.

      Requirements

      Requirements are the preparations both sides must make before the pen-test. On the pen-tester's side:

       Hardware (laptop, external servers, external disks, USB sticks, wireless cards, etc.).

       Software tools.

      The customer should have the following setup before the pen test:

       A monitoring solution able to detect the attack (the pen-test also exercises the customer's detection capability).

       Backups: since a pen-test carries some risk, a backup of critical systems should be taken prior to the pen-test.

       An emergency response plan; the customer should be ready for service interruption.

      Restrictions

      A pen-tester may act on the customer's systems during the pen-test only under a written agreement in which the customer defines the rules of engagement and the restrictions, and after the pen-tester has signed a Non-Disclosure Agreement (NDA).

      Rules of engagement are:

       Scope.

       Total Duration.

       Attack Times. (during business hours or outside business hours)

       Methods (e.g. no DDoS against DBMS systems).
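      The four rules above are easiest to honour when every planned action is checked against them before it is run. The following is an added example (not from the book) of such a rules-of-engagement gate in Python: it refuses an action unless the target is inside the agreed scope and not excluded, the timestamp lies within the total duration and the daily attack window, and the method is permitted. The addresses, dates and method names in ROE are constructed for illustration.

```python
"""Rules-of-engagement gate: refuse any action that is outside scope,
outside the agreed dates or attack window, or uses a forbidden method.
Added example for this page; every value in ROE is a constructed placeholder."""
from datetime import datetime, time
import ipaddress

# Constructed rules of engagement (hypothetical values, not a real engagement).
ROE = {
    "scope": ["10.10.0.0/24", "192.0.2.0/24"],     # agreed target ranges
    "excluded": ["10.10.0.5"],                      # e.g. the production DBMS host
    "start": datetime(2024, 3, 4),                  # total duration of the test
    "end": datetime(2024, 3, 15),
    "attack_window": (time(22, 0), time(6, 0)),    # outside business hours (wraps midnight)
    "forbidden_methods": {"ddos", "social_engineering"},
}


def in_scope(target: str, roe=ROE) -> bool:
    """True if target is inside an agreed range and not explicitly excluded."""
    addr = ipaddress.ip_address(target)
    if any(addr in ipaddress.ip_network(x, strict=False) for x in roe["excluded"]):
        return False
    return any(addr in ipaddress.ip_network(n) for n in roe["scope"])


def in_window(when, roe=ROE) -> bool:
    """True if `when` (datetime or ISO string) is inside the agreed dates and daily window."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if not (roe["start"] <= when <= roe["end"]):
        return False
    start, end = roe["attack_window"]
    t = when.time()
    if start <= end:                  # window inside one day, e.g. 09:00-17:00
        return start <= t <= end
    return t >= start or t <= end     # window wraps midnight, e.g. 22:00-06:00


def check_action(target: str, method: str, when, roe=ROE):
    """Return (allowed, reason); every refusal names the RoE clause that blocks it."""
    if method.lower() in roe["forbidden_methods"]:
        return False, f"method '{method}' is forbidden by the RoE"
    if not in_scope(target, roe):
        return False, f"{target} is outside scope or explicitly excluded"
    if not in_window(when, roe):
        return False, f"{when} is outside the agreed attack window"
    return True, "allowed"


if __name__ == "__main__":
    for target, method, when in [("10.10.0.20", "port_scan", "2024-03-05T23:00"),
                                 ("10.10.0.5", "port_scan", "2024-03-05T23:00"),
                                 ("10.10.0.20", "DDoS", "2024-03-05T23:00"),
                                 ("10.10.0.20", "port_scan", "2024-03-05T14:00")]:
        print(target, method, when, "->", check_action(target, method, when))
```

      Excluded hosts are checked before the scope ranges so that an exclusion always wins, and the window test handles the common "outside business hours" case where the window crosses midnight.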

      Penetration test Phases

      A penetration test consists of five phases:

       Reconnaissance phase: passive gathering of preliminary data or intelligence about the target system; the data is gathered in order to plan the attack.

       Scanning phase: applies technical tools to gather further intelligence, in this case about the systems the customer actually has in place; a typical example is running a vulnerability scanner against the target network.

       Exploitation and post-exploitation phase: also known as gaining access, it means taking control of one or more network devices in order either to extract data from the target or to use that device to launch attacks on other targets. The purpose of post-exploitation is to determine the value of the compromised machine and to maintain control of it for later use. The value of the machine is determined by the sensitivity of the data stored on it and by its usefulness in further compromising the network.

       Covering tracks phase: the pen-tester removes every trace of the test (changes that were made, privilege escalations, accounts or tools left behind, etc.) so that hosts and network return to the state they were in before the test. For a real attacker this is the step of hiding from the host and network administrators; for a pen-tester it is cleanup, and what was done still belongs in the report.

       Reporting phase: the report is the record of the pen-tester's actions during the test; in it the pen-tester reports the findings and shares recommendations to remediate the vulnerabilities and weaknesses.

       Reconnaissance phase

      Gathering preliminary data or intelligence about the target is vital to identify the attack surface; the aim is to collect as much data as possible. Several of the steps below overlap with the scanning phase that follows:

       Gather initial data.

       Determine the network range.

       Identify active machines.

       Discover open ports and access points.

       Fingerprint the operating systems.

       Uncover services on ports.

       Map the network.

       Scanning phase

      Scanning can be classified into two main parts:

       Network Scan

       Can be considered part of the scanning phase as well as of the reconnaissance phase; it is used to discover end-user devices, servers and peripherals that exist on the network.

       The results can include details of the discovered devices such as IP addresses, device names, operating systems, running applications and services, open shares, usernames and groups.

       Tools used are network mappers, port scanners, ping tools, etc.

       Vulnerability scan

       Inspection of potential exploit points on a computer or network.

       Detects and classifies system weaknesses.

       Vulnerability scanners are generally used for this purpose. Their output is a list of candidate findings, each of which should be verified (here or in the exploitation phase) before it is reported.
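      The reconnaissance list above ("identify active machines", "discover open ports", "uncover services on ports") and the network scan described here come down to the same mechanics. As an added example, not code from the book, here is a TCP connect scan with banner grabbing in Python. So that it runs offline, it starts a throwaway service on an ephemeral 127.0.0.1 port that sends a constructed SSH banner; on an engagement the same functions would be pointed at in-scope hosts, and host discovery over a whole range would normally be paired with ICMP/ARP sweeps or a network mapper such as nmap. The banner patterns in fingerprint() are assumptions.

```python
"""TCP connect scan + banner grab, demonstrated against a local fake service.
Added example for this page; the target service and its banner are constructed."""
import socket
import threading


def start_fake_service(banner: bytes):
    """Constructed target: a TCP listener on an ephemeral localhost port that
    sends `banner` to every client. Returns (port, server_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # server socket closed: stop the thread
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def scan_port(host: str, port: int, timeout: float = 0.5) -> dict:
    """Full TCP handshake (connect scan); if it succeeds, read whatever the service says first."""
    result = {"port": port, "open": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            try:
                result["banner"] = s.recv(256).decode(errors="replace").strip()
            except socket.timeout:
                pass                   # open, but the service waits for the client to speak (e.g. HTTP)
    except (ConnectionRefusedError, socket.timeout, OSError):
        pass                           # closed (RST) or filtered (no answer)
    return result


def scan_host(host: str, ports) -> list:
    """Scan a list of ports and return only the open ones with their banners."""
    open_ports = []
    for p in ports:
        r = scan_port(host, p)
        if r["open"]:
            open_ports.append(r)
    return open_ports


def fingerprint(banner: str) -> str:
    """Crude service identification from the greeting banner (assumed patterns)."""
    b = banner.upper()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("220") and "FTP" in b:
        return "ftp"
    if b.startswith("220"):
        return "smtp"
    if b.startswith("HTTP/"):
        return "http"
    return "unknown"


if __name__ == "__main__":
    port, srv = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    for r in scan_host("127.0.0.1", [port - 1, port, port + 1]):
        print(f"{r['port']}/tcp open  {fingerprint(r['banner'])}  {r['banner']}")
    srv.close()
```

      A connect scan completes the three-way handshake, so it is logged by the target and by any monitoring the customer has in place; that is exactly what the monitoring requirement in the previous section is meant to catch.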

      Exploitation and post Exploitation phase

      Also known as gaining access and maintaining access to the target systems.

       Exploitation is taking control of one or more network devices in order either to extract data from the target or to use the device to launch further attacks.

       Post Exploitation

       Maintaining control of the machine for later use.

       Determining the value of the compromised machine.

       Value is determined by the sensitivity of the data stored on it and by the machine's usefulness for further use.
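      Determining that value is the first thing to do after landing on a host. The following is an added example (not the book's code) of a read-only post-exploitation triage in Python for a Linux host: it records the privilege level held, which sensitive files are actually readable, which TCP ports listen locally, and which networks the host routes to (its usefulness for pivoting), and folds these into a rough score. The sensitive-path list and the scoring weights are assumptions; the two SAMPLE_* strings are constructed /proc contents used to exercise the parsers offline.

```python
"""Post-exploitation triage of the current (Linux) host. Added example for this
page; it only reads. Weights, sensitive paths and SAMPLE_* data are assumptions."""
import os
import socket
import struct
from pathlib import Path

# Assumed list of files whose readability indicates sensitive data.
SENSITIVE_PATHS = ["/etc/shadow", "~/.ssh/id_rsa", "~/.ssh/id_ed25519",
                   "~/.aws/credentials", "~/.kube/config", "~/.bash_history"]

# Constructed /proc/net/tcp content: sshd and https listening, one established client socket.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0\n"
    "   2: 0100007F:1F90 0100007F:C8B2 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1\n")

# Constructed /proc/net/route content: default route plus two directly attached networks.
SAMPLE_PROC_NET_ROUTE = (
    "Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT\n"
    "eth0\t00000000\t010A0A0A\t0003\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t00000A0A\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n"
    "eth1\t0000A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n")


def current_privilege() -> dict:
    """Effective uid of the shell we hold; euid 0 means the box is fully ours."""
    euid = os.geteuid() if hasattr(os, "geteuid") else -1
    return {"euid": euid, "root": euid == 0}


def readable_secrets(paths=SENSITIVE_PATHS) -> list:
    """Sensitive files that exist and that the current user can actually read."""
    found = []
    for p in paths:
        full = Path(p).expanduser()
        if full.is_file() and os.access(full, os.R_OK):
            found.append(str(full))
    return found


def parse_proc_net_tcp(text: str) -> list:
    """Listening TCP ports from /proc/net/tcp text (state 0A = LISTEN, port in hex)."""
    ports = set()
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) > 3 and cols[3] == "0A":
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return sorted(ports)


def _hex_ip(h: str) -> str:
    """/proc/net/route stores IPv4 addresses as little-endian hex words."""
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))


def parse_proc_net_route(text: str) -> list:
    """'iface network/prefix' per route from /proc/net/route text; 0.0.0.0/0 is the default route."""
    routes = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 8:
            continue
        prefix = bin(int(cols[7], 16)).count("1")   # cols[7] is the netmask
        routes.append(f"{cols[0]} {_hex_ip(cols[1])}/{prefix}")
    return routes


def _read(path: str) -> str:
    try:
        return Path(path).read_text()
    except OSError:                                  # not Linux, or /proc unavailable
        return ""


def triage_score(root: bool, secrets: list, ports: list, routes: list) -> int:
    """Assumed weights: root 50, each readable secret 10, each listener 2 (capped), each non-default route 5."""
    score = 50 if root else 0
    score += 10 * len(secrets)
    score += 2 * min(len(ports), 10)
    score += 5 * sum(1 for r in routes if not r.endswith("/0"))
    return score


def triage() -> dict:
    """Run all checks against the live host and return the findings plus score."""
    priv = current_privilege()
    secrets = readable_secrets()
    ports = parse_proc_net_tcp(_read("/proc/net/tcp"))
    routes = parse_proc_net_route(_read("/proc/net/route"))
    return {"euid": priv["euid"], "root": priv["root"], "readable_secrets": secrets,
            "listening_ports": ports, "routes": routes,
            "score": triage_score(priv["root"], secrets, ports, routes)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

      The routes are the part most often skipped: a low-value web server with a second interface into a management network is worth more for the next step than a root shell on an isolated box, which is why attached networks carry their own weight here.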

      Covering Tracks Phase

      Covering tracks is the final phase before reporting and consists of the following steps:

       Return everything to its initial state.

       Remove exception rules:

       Created by admins before the pen-test (e.g. allow-listing of the tester's addresses).

       Created by the pen-tester to gain an advantage on the network (in the IDS, IPS, WAF, firewall, etc.).

       Delete any user added during the pen-test.

       Remove backdoors.

       Remove key-loggers, if any.

       Reverse the configuration changes that were made.
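      None of these steps can be completed reliably from memory at the end of a multi-week test; they depend on every change having been recorded at the moment it was made. As an added example (not from the book), the Python below keeps an engagement change ledger: each file the tester modifies is snapshotted with its hash first, each file the tester creates (a dropped key, a backdoor) is recorded, and rollback replays the ledger in reverse order and verifies by hash that the original state came back. The demo() walk-through uses a temporary directory with a constructed sshd_config and authorized_keys standing in for a target host; the file names are illustrative.

```python
"""Engagement change ledger with verified rollback. Added example for this
page; the temp-dir target and the file contents in demo() are constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(p: Path) -> str:
    return hashlib.sha256(Path(p).read_bytes()).hexdigest()


class ChangeLedger:
    """Records every change made during the test so it can be undone and proven undone."""

    def __init__(self, backup_dir: Path):
        self.backup_dir = Path(backup_dir)
        self.backup_dir.mkdir(parents=True, exist_ok=True)
        self.entries = []                     # undone last-in-first-out

    def modify_file(self, path: Path, new_content: str) -> None:
        """Snapshot the file (copy + hash) before overwriting it."""
        path = Path(path)
        backup = self.backup_dir / f"{len(self.entries)}.bak"
        shutil.copy2(path, backup)
        self.entries.append({"kind": "modified", "path": str(path),
                             "backup": str(backup), "sha256": sha256_file(path)})
        path.write_text(new_content)

    def create_file(self, path: Path, content: str) -> None:
        """Record a file that did not exist before (added key, backdoor, tool drop)."""
        path = Path(path)
        self.entries.append({"kind": "created", "path": str(path)})
        path.write_text(content)

    def rollback(self) -> list:
        """Undo every entry in reverse order; return the entries that failed verification."""
        failures = []
        for e in reversed(self.entries):
            p = Path(e["path"])
            if e["kind"] == "created":
                p.unlink(missing_ok=True)
                ok = not p.exists()
            else:
                shutil.copy2(e["backup"], p)
                ok = sha256_file(p) == e["sha256"]   # restored bytes match the pre-test hash
            e["reverted"] = ok
            if not ok:
                failures.append(e)
        return failures

    def save(self, path: Path) -> None:
        """Write the ledger as JSON; it doubles as the cleanup evidence for the report."""
        Path(path).write_text(json.dumps(self.entries, indent=2))


def demo() -> dict:
    """Constructed walk-through: weaken sshd_config, drop a key, then roll back and verify."""
    root = Path(tempfile.mkdtemp())
    cfg = root / "sshd_config"
    cfg.write_text("PermitRootLogin no\n")
    original = sha256_file(cfg)

    ledger = ChangeLedger(root / "backups")
    ledger.modify_file(cfg, "PermitRootLogin yes\n")          # exception added during the test
    ledger.create_file(root / "authorized_keys", "ssh-ed25519 AAAA... tester\n")
    changed = sha256_file(cfg) != original

    failures = ledger.rollback()
    ledger.save(root / "ledger.json")
    result = {"changed": changed, "failures": len(failures),
              "config_restored": sha256_file(cfg) == original,
              "key_removed": not (root / "authorized_keys").exists(),
              "ledger_entries": len(json.loads((root / "ledger.json").read_text()))}
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

      Exceptions the customer's admins created before the test (the first sub-item above) belong in the same ledger, recorded on day one, so that the customer's firewall and WAF allow-lists are removed on the same checklist as the tester's own changes.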

      Reporting phase

      The report is the "tangible" output of the penetration test; a pen-test report typically consists of the following sections:

       Introduction: Summary, purpose, scope, duration of the test.

       Management summary: Summary of tests results with summary security