Penetration Testing Execution Standard


1. Pre Engagement Interaction

1.1. Scoping

1.1.1. How to scope

1.1.2. Metrics for time estimation
  - Estimating project as a whole
  - Additional support based on hourly rate

1.1.3. Questionnaires
  - Questions for Business Unit Managers
  - Questions for Systems Administrators
  - Questions for Help Desk
  - General Employee Questions

1.1.4. Scope Creep
  - Specify Start and End Dates
  - Letter of Amendment (LOA)
    - LOA - Based on Scope Size, but not overall project direction
    - LOA - Based on vulnerabilities found during the engagement
    - LOA - Based on change in the direction of the overall project
  - Tie back to goals section

1.1.5. Specify IP ranges and Domains
  - Validate Ranges

1.1.6. Dealing with Third Parties
  - Cloud services
  - ISP
  - Web Hosting
  - MSSPs
  - Countries where servers are hosted

1.1.7. Define Acceptable Social Engineering Pretexts

1.1.8. DoS Testing

1.1.9. Payment Terms
  - Net 30
  - Half Upfront
  - Interest
  - Recurring
    - Monthly
    - Quarterly
    - Semi-Annual

1.1.10. Delphi Scoping
  - you actually work with the target in iterations... gotta break my noodle on how to get it in here

1.2. Goals

1.2.1. Identifying goals
  - primary
  - secondary

1.2.2. Business analysis
  - Defining a company's security maturity

1.2.3. Needs analysis

1.3. Testing terms and definitions

1.3.1. Pentesting Terms Glossary

1.4. Establish lines of communication

1.4.1. Emergency Contact information

1.4.2. Incident Reporting process
  - Incident Definition
  - Incident Threshold

1.4.3. Status Report Frequency

1.4.4. Establish a Primary POC

1.4.5. PGP and other alternatives (Encryption is not an "option")

1.4.6. Define communication parameters with external 3rd parties (hosting, ...)

1.5. Rules of Engagement

1.5.1. Timeline
  - Defining Roadblocks and Gates
  - Work Breakdown Structure
  - Assign Responsibilities of the team
  - When things go wrong - or delayed, how to cope with scope creep, or the client has to pause the pentest

1.5.2. Locations

1.5.3. Exploitation Control (free-form, coordinated, formally monitored...)

1.5.4. Disclosure of Sensitive Information
  - PII
  - Credit Card Information
  - PHI
  - Other: We cannot contain Security to PII and PHI. Examples: BoA and Wikileaks, Dell, Intel and the Aurora attacks.

1.5.5. Evidence Handling

1.5.6. Regular Status Meetings
  - Plans
  - Progress
  - Problems

1.5.7. Time of the day to test

1.5.8. Dealing with shunning

1.5.9. Permission to Attack

1.6. Capabilities and Technology in Place

1.6.1. Incident response and monitoring
  - Ability to detect and respond to information gathering
  - Ability to detect and respond to footprinting
  - Ability to detect and respond to scanning and vuln analysis
  - Ability to detect and respond to infiltration (attacks)
  - Ability to detect and respond to data aggregation
  - Ability to detect and respond to data exfiltration

1.7. Protect yourself

1.7.1. Preparing your Testing System
  - Encryption
  - Validate Firewall Rules
  - Results Scrubbed From Previous Tests

1.7.2. Pre Engagement Checklist

1.7.3. Packet capture

1.7.4. Post Engagement Checklist

2. Intelligence Gathering

2.1. Target selection

2.1.1. Admin

2.1.2. High Level Employee

2.1.3. Random Employee

2.1.4. Employee w/ specific access
  - Engineer
  - Secretary
  - Developer
  - Network Engineer
  - Accounting
  - Human Resources
  - Procurement
  - Sales

2.2. OSINT

2.2.1. Corporate
  - Physical
    - Locations
    - Pervasiveness
    - Relationships
  - Logical
    - Business Partners
    - Competitors
      - touchgraph
      - Hoovers profile
    - Product line
    - Market Vertical
    - Marketing accounts
    - Meetings
    - significant company dates
    - job openings
    - Charity affiliations
  - Org chart
    - Position identification
    - Transactions
    - Affiliates
  - Electronic
    - Document/metadata leakage
    - marketing communications
  - Assets
  - Financial
    - Reporting
    - market analysis
    - trade capital
    - value history

2.2.2. Individual
  - Employee
    - History
    - SocNet Profile
    - Internet Footprint
      - Blogosphere
      - Active updates
    - Physical location
    - Mobile footprint
    - For Pay Information

2.3. Covert gathering

2.3.1. on-location gathering
  - Physical security inspections
  - wireless scanning / RF frequency scanning
  - Employee behavior training inspection
  - accessible/adjacent facilities (shared spaces)
  - dumpster diving
  - types of equipment in use

2.3.2. offsite gathering
  - Datacenter locations
  - Network provisioning/provider

2.4. HUMINT (if applicable)

2.4.1. Key employees

2.4.2. Partners/Suppliers

2.4.3. Social Engineering

2.5. Footprinting

2.5.1. External Footprinting
  - Identifying Customer Ranges
    - whois lookup
    - bgp looking glasses
    - subsidiaries
    - third party identification and right to audit
    - Verification with customer
    - Newsgroup Headers
    - Mailing List Headers
    - Robtex
  - Passive Reconnaissance
    - Search Engine Hacking
    - Manual browsing
    - shodan
  - Active Footprinting
    - Port Scanning
    - Banner Grabbing
    - Zone Transfers
    - SMTP Bounce Back
    - Web Application Language Mapping
    - Banner Grabbing
    - SNMP Sweeps
    - Forward/Reverse DNS
    - DNS Bruting
    - Website Mirroring
    - Robots.txt Harvesting
  - Establish target list
    - Mapping versions
    - Identifying patch levels
    - Looking for weak web applications
    - Identify lockout threshold
      - Error Based
    - Identify weak ports for attack
    - Outdated Systems
    - Virtualization platforms vs VMs
    - Storage infrastructure

2.5.2. Internal Footprinting
  - Active Footprinting
    - Port Scanning
    - SNMP Sweeps
    - Zone Transfers
    - SMTP Bounce Back
    - Forward/Reverse DNS
    - Banner Grabbing
    - VoIP mapping
    - Arp Discovery
    - DNS discovery
  - Passive Reconnaissance
    - Packet Sniffing
  - Establish target list
    - Mapping versions
    - Identifying patch levels
    - Looking for weak web applications
    - Identify lockout threshold
      - Error Based
    - Identify weak ports for attack
    - Outdated Systems
    - Virtualization platforms vs VMs
    - Storage infrastructure

2.6. Identify protection mechanisms

2.6.1. Network protections
  - "simple" packet filters
  - Traffic shaping devices
  - DLP systems
  - Encryption/tunneling

2.6.2. Host based protections
  - stack/heap protections
  - whitelisting
  - AV/Filtering/Behavioral analysis
  - DLP systems

2.6.3. Application level protections
  - Identify application protections
  - Encoding options
  - Potential Bypass Avenues
  - Whitelisted pages

2.6.4. Storage Protection
  - HBA - Host Level
  - LUN Masking
  - Storage Controller
  - iSCSI CHAP Secret

3. Exploitation

3.1. Precision strike

3.1.1. Well researched attack vector

3.2. Ensure countermeasure bypass

3.2.1. AV
  - Encoding
  - Packing
  - Whitelist Bypass
  - Process Injection
  - Purely Memory Resident

3.2.2. Human

3.2.3. HIPS

3.2.4. DEP

3.2.5. ASLR

3.2.6. VA + NX (Linux)

3.2.7. w^x (OpenBSD)

3.2.8. WAF

3.2.9. Stack Canaries

3.3. Customized exploitation avenue

3.3.1. Best attack for the organization: Possibly move to Precision Strike

3.3.2. Zero day angle
  - Fuzzing
    - Dumb Fuzzing
    - "intelligent" Fuzzing
    - Code Coverage
  - Reversing
    - Deadlisting
    - Live Reversing
    - Dealing with Symbol Stripping
  - Traffic Analysis
    - Protocol Analysis
    - Protocol Reversing

3.3.3. Public exploit customization
  - Changing Memory locations in Existing Exploits
    - Important for Foreign Pentests
  - Altering payload
  - Rewriting shellcode
  - Add protection bypasses (DEP, ASLR, etc.)

3.3.4. Physical access
  - Human angle, our pretext
  - PC access (custom boot CD/USB)
  - USB Autorun
  - Teensy
  - Firewire
  - RFID sniffing
    - Brute-Force
    - Replay Attacks
  - MITM
    - SSL Strip
    - Print jobs
    - Extracting of cleartext protocols
    - Downgrading attacks
    - ...
  - Routing protocols
    - CDP
    - HSRP
    - VSRP
    - DTP
    - STP
    - OSPF
    - RIP
    - ...
  - VLAN Hopping
  - Other hardware (keystroke loggers, etc)

3.3.5. Proximity access (WiFi)
  - Attacking the Access Point
    - Crypto Implementation Attacks
    - Vulnerabilities in Access Points: Summon Paul Asadorian
    - Cracking Passwords
      - 802.1x
      - WPA-PSK
      - WPA2-PSK
      - WPA2-Enterprise
      - WPA-Enterprise
    - Ham Radio Surveillance
    - LEAP
    - EAP-Fast
    - WEP
  - Attacking the User
    - Karmetasploit Attacks
    - Attacking DNS Requests
    - Bluetooth
    - Personalized Rogue AP
    - Attacking Ad-Hoc Networks
  - RFID/Prox Card
  - Spectrum Analysis
    - FCC Business Frequency Search
    - 802.11
    - UHF/VHF/etc.
    - Microwave
    - Satellite
    - Guard Radio Frequencies
    - Wireless Headset Frequencies

3.3.6. DoS / Blackmail angle

3.3.7. Web
  - SQLi
  - XSS
  - CSRF
  - Information Leakage
  - Rest of OWASP top 10

3.3.8. Non-Traditional Exploitation
  - Business Process Flaws
  - Configuration / Implementation Errors
  - Trust Relationships
  - AirGap Hopping
  - Ethernet Over Powerline
  - Hardware Implants
  - Signaling Channels
  - Physics

3.4. Detection bypass

3.4.1. FW/WAF/IDS/IPS Evasion

3.4.2. Human Evasion

3.4.3. DLP Evasion

3.5. Derive control resistance to attacks

3.6. Exploit Testing

3.6.1. Reproduce Environment for exploit testing/development

3.7. Type of Attack

3.7.1. Client Side
  - Phishing (w/pretext)

3.7.2. Service Side

3.7.3. Out of band

4. Post-Exploitation

4.1. Infrastructure analysis

4.1.1. netstat etc. to see connections to and from the host

4.1.2. ipconfig etc. to find all interfaces

4.1.3. VPN detection

4.1.4. route detection, including static routes

4.1.5. neighbourhood network/OS X browser (mdns? or bonjour)

4.1.6. Network Protocols in use

4.1.7. Proxies in use
  - Network Level
  - Application Level

4.1.8. network layout (net view /domain)

4.2. High value/profile targets

4.3. Pillaging

4.3.1. Video Cameras

4.3.2. Data exfiltration through available channels
  - identify web servers
  - identify ftp servers
  - DNS and ICMP tunnels
  - VoIP channels
  - Physical channels (printing, garbage disposal, courier)
  - Fax (on multifunction printers)

4.3.3. Locating Shares

4.3.4. Audio Capture
  - VoIP
  - Microphone

4.3.5. High Value Files

4.3.6. Database enumeration
  - Checking for PII
  - card data
  - passwords/user accounts

4.3.7. Wifi
  - Steal wifi keys
  - Add new Wifi entries with higher preference, then set up an AP to force connection
  - Check ESSIDs to identify places visited

4.3.8. Source Code Repos
  - SVN
  - Git
  - CVS
  - MS Sourcesafe
  - WebDAV

4.3.9. Identify custom apps

4.3.10. Backups
  - Locally stored backup files
  - Central backup server
  - Remote backup solutions
  - Tape storage

4.4. Business impact attacks

4.4.1. What makes the biz money

4.4.2. Steal It

4.4.3. Sabotage / Modification
  - Change Pricing
  - Change Scientific Process Results
  - Modify Engineering Designs

4.5. Further penetration into infrastructure

4.5.1. Botnets
  - Mapping connectivity in/out of every segment
  - Lateral connectivity

4.5.2. Pivoting inside
  - Linux Commands
  - Windows Commands
  - Token Stealing and Reuse
  - Password Cracking
  - Wifi connections to other devices
  - Password Reuse
  - Keyloggers
  - User enumeration
    - From Windows DC or from individual machines
    - Linux passwd file
    - MSSQL Windows Auth users
    - Application-specific users

4.5.3. Check History/Logs
  - Linux
    - Check ssh known hosts file
    - Log files to see who connects to the server
    - .bash_history and other shell history files
    - MySQL History
    - syslog
  - Windows
    - Event Logs
    - Recent opened files
  - Browsers
    - favourites
    - stored passwords
    - stored cookies
    - browsing history
    - browser cache files

4.6. Cleanup

4.6.1. Ensure documented steps of exploitation

4.6.2. Ensure proper cleanup

4.6.3. Remove Test Data

4.6.4. Leave no trace

4.6.5. Proper archiving and encryption of evidence to be handed back to customer

4.6.6. Restore database from backup where necessary

4.7. Persistence

4.7.1. Autostart Malware

4.7.2. Reverse Connections

4.7.3. Rootkits
  - User Mode
  - Kernel Based

4.7.4. C&C medium (http, dns, tcp, icmp)

4.7.5. Backdoors

4.7.6. Implants

4.7.7. VPN with creds

4.7.8. Introduction of Vulnerabilities
  - Web App Source Modification
    - Remove Input Validation
    - Add Extra functionality
  - Downgrade application version
  - Reintroduce default account/pwd
  - Re-enable disabled accounts

5. Reporting

5.1. Executive-Level Reporting

5.1.1. Business Impact

5.1.2. Customization

5.1.3. Talking to the business

5.1.4. Affect bottom line

5.1.5. Strategic Roadmap

5.1.6. Maturity model

5.1.7. Appendix with terms for risk rating

5.1.8. Timeline of attack / Gantt chart of timeline

5.1.9. Quantifying the risk
  - Evaluate incident frequency
    - probable event frequency
    - estimate threat capability (from 3 - threat modeling)
    - Estimate controls strength (6)
    - Compound vulnerability (5)
      - Level of skill required
      - Level of access required
  - Estimate loss magnitude per incident
    - Primary loss
    - Secondary loss
  - Identify risk
    - root cause analysis
  - Derive Risk
    - Threat
    - Vulnerability
    - Overlap

5.2. Technical Reporting

5.2.1. Identify systemic issues and technical root cause analysis

5.2.2. Pentest metrics
  - # of systems in scope
  - # of scenarios in scope
  - # of processes in scope
  - # of times detected
  - # of vulns/host
  - % of scope systems exploited
  - % of successful scenarios
  - % of time / phase
  - (to be expanded)

5.2.3. Technical Findings
  - Description
  - Screen shots
    - Ensure all PII is correctly redacted
  - Request/Response captures
  - PoC examples
    - Ensure PoC code provides benign validation of the flaw

5.2.4. Reproducible Results
  - Test Cases
  - Fault triggers

5.2.5. Incident response and monitoring capabilities
  - Intelligence gathering
  - Reverse IDS
  - Pentest Metrics
  - Vuln. Analysis
  - Exploitation
  - Post-exploitation
  - Residual effects (notifications to 3rd parties, internally, LE, etc...)

5.2.6. Common elements
  - Methodology
  - Objective(s)
  - Scope
  - Summary of findings
  - Appendix with terms for risk rating

5.3. Deliverable

5.3.1. Preliminary results

5.3.2. Review of the report with the customer

5.3.3. Adjustments to the report

5.3.4. Final report

5.3.5. Versioning of Draft and Final Reports

5.3.6. Presentation
  - Technical
  - Management Level

5.3.7. Workshop / Training
  - Gap Analysis (skills/training)

5.3.8. Exfiltrated evidence, and any other raw (non-proprietary) data gathered.

5.3.9. Remediation Roadmap
  - Triage
  - Maturity Model Progression Roadmap
  - Long-term Solutions
  - Defining constraints

5.3.10. Custom tools developed

6. Threat modelling

6.1. Business asset analysis

6.1.1. This goes beyond PII, PHI and Credit Cards

6.1.2. Define and bound Organizational Intellectual Property

6.1.3. Keys To Kingdom
  - Trade Secrets
  - Research & Development
  - Marketing Plans
  - Corporate Banking/Credit Accounts
  - Customer Data
    - PII
    - PHI
    - Credit Card Numbers
  - Supplier Data
  - Critical Employees
    - Executives
    - Middle Managers
    - Admins
    - Engineers
    - Technicians
    - HR
    - Executive Assistants

6.2. Business process analysis

6.2.1. Technical infrastructure used

6.2.2. Human infrastructure

6.2.3. 3rd party usage

6.3. Threat agents/community analysis

6.3.1. Internal
  - Users
  - Executives
  - Middle Management
  - Administrators
    - Network Admins
    - System Admins
    - Server Admins
  - Developers
  - Engineers
  - Technicians

6.3.2. Competitors

6.3.3. Nation States

6.3.4. Organized Crime

6.3.5. Weekend Warriors

6.4. Threat capability analysis

6.4.1. Analysis of tools in use

6.4.2. Availability to relevant exploits/payloads

6.4.3. Communication mechanisms (encryption, dropsites, C&C, bulletproof hosting)

6.5. Finding relevant news of comparable Organizations being compromised

7. Vulnerability Analysis

7.1. Testing

7.1.1. Active
  - Automated
    - Network/General Vuln Scanners
    - Web Application Scanners
    - network vulnerability scanners
    - Voice Network scanners
  - Manual
    - Direct Connection
  - obfuscated
    - Multiple Exit Nodes
    - IDS Evasion
    - Variable Speed
    - Variable scope

7.1.2. Passive
  - Automated
    - Metadata analysis from Intel phase
    - Traffic monitoring (p0f etc)
  - Manual
    - direct connections

7.2. Validation

7.2.1. Correlation between scanners

7.2.2. Manual testing/protocol specific
  - VPN Fingerprinting
  - Citrix Enumeration
  - DNS
  - Web
  - Mail

7.2.3. Attack avenues
  - Creation of attack trees

7.2.4. Isolated lab testing

7.2.5. Visual confirmation
  - Manual connection w/review

7.3. Research

7.3.1. Public Research
  - exploit-db
  - Google Hacking
  - Exploit sites
  - Common/default passwords
  - Vendor specific advisories

7.3.2. Private Research
  - Setting up a replica environment
  - Testing configurations
  - Identifying potential avenues
  - Disassembly and code analysis