Penetration Testing Execution Standard by Mind Map: Penetration Testing Execution
Standard
4.7 stars - 6 reviews

Penetration Testing Execution Standard

Pre Engagement Interaction

  *John Strand* Ian Amit Joe McCray Nicholas J. Percoco  

Scoping

How to scope

Metrics for time estimation, Estimating project as a whole, Additional support based on hourly rate

Questionaires, Questions for Business Unit Managers, Questions for Systems Administrators, Questions for Help Desk, General Employee Questions

Scope Creep, Specify Start and End Dates, Letter of Amendment (LOA), LOA - Based on Scope Size, but not overall project direction, LOA - Based on vulnerabilities found during the engagement, LOA - Based on change in the direction of the overall project, Tie back to goals section

Specify IP ranges and Domains, Validate Ranges

Dealing with Third Parties, Cloud services, ISP, Web Hosting, MSSPs, Countries where servers are hosted

Define Acceptable Social Engineering Pretexts

DoS Testing

Payment Terms, Net 30, Half Upfront, Interest, Recurring, Monthly, Quarterly, Semi-Annual

Delphi Scoping, you actually work with the target in iterations... gotta break my noodle on how to get it in here

Goals

Identifying goals, primary, secondary

Business analysis, Defining a company's security maturity

Needs analysis

Testing terms and definitions

Pentesting Terms Glossary

Establish lines of communication

Emergency Contact information

Incident Reporting process, Incident Definiton, Incident Threshold

Status Report Frequency

Establish a Primary POC

PGP and other alternatives (Encryption is not an "option")

Define communication parameters with external 3rd parties (hosting, ...)

Rules of Engagement

Timeline, Defining Roadblocks and Gates, Work Breakdown Structure, Assign Responsibilities of the team, When things go wrong - or delayed, how to cope with scope creep, or the client has to pause the pentest

Locations

Exploitation Control (free-form, coordinated, formally monitored...)

Disclosure of Sensitive Information, PII, Credit Card Information, PHI, Other: We cannot contain Security to PII and PHI. Examples: BoA and Wikileaks, Dell, Intel and the Aurora attacks.

Evidence Handling

Regular Status Meetings, Plans, Progress, Problems

Time of the day to test

Dealing with shunning

Permission to Attack

Capabilities and Technology in Place

Incident response and monitoring, Ability to detect and respond to information gathering, Ability to detect and respond to footprinting, Ability to detect and respond to scanning and vuln analysis, Ability to detect and respond to infiltration (attacks), Ability to detect and respond to data aggregation, Ability to detect and respond to data exfiltration

Protect yourself

Preparing your Testing System, Encryption, Validate Firewall Rules, Results Scrubbed From Previous Tests

Pre Engagement Checklist

Packet capture

Post Engagement Checklist

Intelligence Gathering

  *Chris Gates* Chris Nickerson Iam Amit Stefan Friedli Nicholas J. Percoco * Add listing of relevant tools *

Target selection

Admin

High Level Employee

Random Employee

Employee w/ specific access, Engineer, Secretary, Developer, Network Engineer, Accounting, Human Resources, Procurement, Sales

OSINT

Corporate, Physical, Locations, owner, land/tax records, shared/individual, timezones, Pervasiveness, Relationhips, Logical, Business Partners, Competetiors, touchgraph, Hoovers profile, Product line, Market Verticle, Marketing accounts, Meetings, signifigant company dates, Board meetings, holidays, anniversarys, product/service launch, job openings, Charity affiliations, Org chart, Position identification, Tansactions, Affiliates, Electronic, Document/metadata leakage, marketing communications, Assets, Network blocks owned, mail addresses, external infrastructure profile, Technologies used, purchase agreements, Remote access, application usage, defense technologies, human capability, Financial, Reporting, market analysis, trade capital, value history

Individual, Employee, History, EDGAR (SEC) data, court records, political donations, professional licenses or registries, SocNet Profile, Metadata leakage, tone, frequency, location awareness, bing map apps, foursquare, google latitude, yelp, Social Media, Facebook / openbook, Linkedin, Xing, twitter, blogger / blogspot, MySpace, wordpress, livejournal, foursquare, yahoo, google profile, Gowalla, entitycube, picasa, Flickr, yfrog, twitpic, PicFog, DeviantArt, aim, irc, icq, qq, JUST USE NAMECHK or something likeit, wikipedia, google groups / newsgroups, Internet Footprint, Email addresses, Usernames/Handles, Personal Domain Names, Static IPs, Bloggosphere, Active updates, physical, logical, Physical location, active, passive, Mobile footprint, Phone #, Device type, Use, Installed applications, owner/administrator, For Pay Information, Background Checks, For Pay Linked-In, LEXIS/NEXIS, Other

Covert gathering

on-location gathering, Physical security inspections, wireless scanning / RF frequency scanning, Employee behavior training inspection, accessible/adjacent facilities (shared spaces), dumpster diving, types of equipment in use

offsite gathering, Datacenter locations, Network provisioning/provider

HUMINT (if applicable)

Key employees

Partners/Suppliers

Social Engineering

Footprinting

External Footprinting, Identifying Customer Ranges, whois lookup, bgp looking glasses, subsidiaries, third party identification and right to audit, Verification with customer, Newsgroup Headers, Mailing List Headers, Robtex, Passive Reconnaissance, Search Engine Hacking, Google, Yahoo, Bing, Manual browsing, shodan, Active Footprinting, Port Scanning, Banner Grabbing, Zone Transfers, SMTP Bounce Back, Web Application Language Mapping, PHP, ASP, easy targets, Banner Grabbing, SNMP Sweeps, Forward/Reverse DNS, DNS Bruting, Website Mirroring, Robots.txt Harvesting, Establish target list, Mapping versions, Identifying patch levels, Looking for weak web applications, Identify lockout threshold, Error Based, Identify weak ports for attack, Outdated Systems, Virtualization platforms vs VMs, Storage infrastructure

Internal Footprinting, Active Footprinting, Port Scanning, SNMP Sweeps, Zone Transfers, SMTP Bounce Back, Forward/Reverse DNS, Banner Grabbing, VoIP mapping, extensions, special mailboxes, authentication, Arp Discovery, DNS discovery, Passive Reconnaissance, Packet Sniffing, Broadcast Traffic Anaysis, ARP, NetBios, Other UDP, Establish target list, Mapping versions, Identifying patch levels, Looking for weak web applications, Identify lockout threshold, Error Based, Identify weak ports for attack, Outdated Systems, Virtualization platforms vs VMs, Storage infrastructure

Identify protection mechanisms

Network protections, "simple" packet filters, Traffic shaping devices, DLP systems, Encryption/tunneling

Host based protections, stack/heap protections, whitelisting, AV/Filtering/Behavioral analysis, DLP systems

Application level protections, Identify application protections, Encoding options, Potential Bypass Avenues, Whitelisted pages

Storage Protection, HBA - Host Level, LUN Masking, Storage Controller, iSCSI CHAP Secret

Exploitation

  *Dave Kennedy* Paul Asadoorian Joe McCray Stefan Friedli  

Precision strike

Well researched attack vector

Ensure countermeasure bypass

AV, Encoding, Packing, Whitelist Bypass, Process Injection, Purely Memory Resident

Human

HIPS

DEP

ASLR

VA + NX (Linux)

w^x (OpenBSD)

WAF

Stack Canaries

Customized exploitation avenue

List of tools

Best attack for the organization: Possibly move to Precision Strike

Zero day angle, Fuzzing, Dumb Fuzzing, "intelligent" Fuzzing, Code Coverage, Reversing, Deadlisting, Live Reversing, Dealing with Symbol Striping, Traffic Analysis, Protocol Analysis, Reviewing RFCs, Reviewing Development Documentation, Protocol Reversing

Public exploit customization, Changing Memory locations in Existing Exploits, Important for Foreign Pentests, Altering payload, Rewriting shellcode, Add protection bypasses (DEP, ASLR, etc.)

Physical access, Human angle, our pretext, PC access (custom boot CD/USB), USB, Autorun, Teensy, Firewire, RFID, sniffing, Brute-Force, Replay Attacks, MITM, SSL Strip, Print jobs, Extracting of cleartext protocols, Downgrading attacks, ..., Routing protocols, CDP, HSRP, VSRP, DTP, STP, OSPF, RIP, ..., VLAN Hopping, Other hardware (keystroke loggers, etc)

Proximity access (WiFi), Attacking the Access Point, Crypto Implementation Attacks, Vulnerabilties in Access Points: Summon Paul Asadorian, Cracking Passwords, 802.1x, WPA-PSK, WPA2-PSK, WPA2-Enterprise, WPA-Enterprise, Ham Radio Surveillance, LEAP, EAP-Fast, WEP, Attacking the User, Karmetasploit Attacks, Attacking DNS Requests, Bluetooth, Personalized Rogue AP, Attacking Ad-Hoc Networks, RFID/Prox Card, Spectrum Analysis, FCC Business Frequency Search, 802.11, 802.11 Wireless collection tools, Previously-collected data (WiGLE), UHF/VHF/etc., Microwave, Satellite, Guard Radio Frequencies, Wireless Headset Frequencies

DoS / Blackmail angle

Web, SQLi, XSS, CSRF, Information Leakage, Rest of OWASP top 10

Non-Traditional Exploitation, Business Process Flaws, Configuration / Implementation Errors, Trust Relationships, AirGap Hopping, Ethernet Over Powerline, Hardware Implants, Signaling Channels, Physics, Light (LED Signaling), Audio, Emanations, Van Eck

Detection bypass

FW/WAF/IDS/IPS Evasion

Human Evasion

DLP Evasion

Derive control resistance to attacks

Exploit Testing

Reproduce Environment for exploit testing/developement

Type of Attack

Client Side, Phishing (w/pretext)

Service Side

Out of band

Post-Exploitation

  *Carlos Perez* Chris Gates Robin Wood Dave Kennedy  

Infrastructure analysis

netstat etc to see who connections to and from

ipconfig etc to find all interfaces

VPN detection

route detection, including static routes

neighbourhood network/OS X browser (mdns? or bonjour)

Network Protocols in use

Proxies in use, Network Level, Application Level

network layout (net view /domain)

High value/profile targets

Pillaging

Video Cameras

Data exfiltration through available channels, identify web servers, identify ftp servers, DNS and ICMP tunnels, VoIP channels, Physical channels (printing, garbage disposal, courier), Fax (on multifunction printers)

Locating Shares

Audio Capture, VoIP, Microphone

High Value Files

Database enumeration, Checking for PPI, card data, passwords/user accounts

Wifi, Steal wifi keys, Add new Wifi entries with higher preference then setup AP to force connection, Check ESSIDs to identify places visited

Source Code Repos, SVN, Git, CVS, MS Sourcesafe, WebDAV

Identify custom apps

Backups, Locally stored backup files, Central backup server, Remote backup solutions, Tape storage

Business impact attacks

What makes the biz money

Steal It

Sabotage / Modification, Change Pricing, Change Scientific Process Results, Modify Engineering Designs

Further penetration into infrastructure

List of relevant tools

Botnets, Mapping connectivity in/out of every segment, Lateral connectivity

Pivoting inside, Linux Commands, Windows Commands, Token Stealing and Reuse, Password Cracking, Wifi connections to other devices, Password Reuse, Keyloggers, User enumeration, From Windows DC or from individual machines, Linux passwd file, MSSQL Windows Auth users, Application-specific users

Check History/Logs, Linux, Check ssh known hosts file, Log files to see who connects to the server, .bash_history and other shell history files, MySQL History, syslog, Windows, Event Logs, Recent opened files, Browsers, favourites, stored passwords, stored cookies, browsing history, browser cache files

Cleanup

Ensure documented steps of exploitation

Ensure proper cleanup

Remove Test Data

Leave no trace

Proper archiving and encryption of evidence to be handed back to customer

Restore database from backup where necessary

Persistance

Autostart Malware

Reverse Connections

Rootkits, User Mode, Kernel Based

C&C medium (http, dns, tcp, icmp)

Backdoors

Implants

VPN with creds

Introduction of Vulnerabilities, Web App Source Modification, Remove Input Validation, Add Extra functionality, Downgrade application version, Reintroduce default account/pwd, Re-enable disabled accounts

Reporting

Executive-Level Reporting

Business Impact

Customization

Talking to the business

Affect bottom line

Strategic Roadmap

Maturity model

Appendix with terms for risk rating

Timeline of attack / Gant chart of timeline

Quantifying the risk, Evaluate incident frequency, probable event frequency, estimate threat capability (from 3 - threat modeling), Estimate controls strength (6), Compound vulnerability (5), Level of skill required, Level of access required, Estimate loss magnitude per incident, Primary loss, Secondary loss, Identify risk root cause analysis, Root Cause is never a patch, Identify Failed Processes, Derive Risk, Threat, Vulnerability, Overlap

Technical Reporting

Identify systemic issues and technical root cause analysis

Pentest metrics, # of systems in scope, # of scenarios in scope, # of processes in scope, # of times detected, # of vulns/host, % of scope systems exploited, % of succesful scenarios, % of time / phase, (to be expanded)

Technical Findings, Description, Screen shots, Ensure all PII is correctly redacted, Request/Response captures, PoC examples, Ensure PoC code provides benign validation of the flaw

Reproducible Results, Test Cases, Fault triggers

Incident response and monitoring capabilities, Intelligence gathering, Reverse IDS, Pentest Metrics, Vuln. Analysis, Exploitation, Post-exploitation, Residual effects (notifications to 3rd parties, internally, LE, etc...)

Common elements, Methodology, Objective(s), Scope, Summary of findings, Appendix with terms for risk rating

Deliverable

Preliminary results

Review of the report with the customer

Adjustments to the report

Final report

Versioning of Draft and Final Reports

Presentation, Technical, Management Level

Workshop / Training, Gap Analysis (skills/training)

Exfiltarted evidence, and any other raw (non-proprietary) data gathered.

Remediation Roadmap, Triage, Maturity Model, Progression Roadmap, Long-term Solutions, Defining constraints

Custom tools developed

Threat modelling

* Iftach Ian Amit *

Business asset analysis

This goes beyond PII, PHI and Credit Cards

Define and bound Organizational Intelectual Property

Keys To Kingdom, Trade Secrets, Research & Development, Marketing Plans, Corporate Banking/Credit Accounts, Customer Data, PII, PHI, Credit Card Numbers, Supplier Data, Critical Employees, Executives, Middle Managers, Admins, Engineers, Technicians, HR, Executive Assistants

Business process analysis

Technical infrastructure used

Human infrastructure

3rd party usage

Threat agents/community analysis

Internal Users, Executives, Middle Management, Administrators, Network Admins, System Admins, Server Admins, Developers, Engineers, Technicians

Competitors

Nation States

Organized Crime

Weekend Warriors

Threat capability analysis

Analysis of tools in use

Availability to relevant exploits/payloads

Communication mechanisms (encryption, dropsites, C&C, bulletproof hosting)

Finding relevant news of comparable Organizations being compromised

Vulnerability Analysis

* Eric Smith *

Testing

Active, Automated, Network/General Vuln Scanners, Port based, Service based, banner grabbing, Web Application Scanners, General application flaw scanner, directory listing/bruteforcing, webserver version/vuln identification, methods, network vulnerability scanners, vpn, ipv6, Voice Network scanners, War Dialing, VoIP, Manual Direct Connection, obfucsacted, Multiple Exit Nodes, Ids Evasion, Variable Speed, Variable scope

Passive, Automated, Metadata analysis from Intel phase, Traffic monitoring (p0f etc), Manual, direct connections

Validation

Correlation between scanners

Manual testing/protocol specific, VPN, Fingerprinting, Citrix, Enumeration, DNS, Web, Mail

Attack avenues, Creation of attack trees

Isolated lab testing

Visual confirmation, Manual connection w/review

Research

Public Research, exploit-db, Google Hacking, Exploit sites, Common/default passwords, Vendor specific advisories

Private Research, Setting up a replica environment, Testing configurations, Identifying potential avenues, Disassembly and code analysis

Create your own awesome maps

Even on the go

with our free apps for iPhone, iPad and Android

Get Started

Already have an account?
Sign In