Penetration Testing Execution Standard

1. Pre Engagement Interaction

1.1. Scoping

1.1.1. How to scope

1.1.2. Metrics for time estimation

1.1.2.1. Estimating project as a whole

1.1.2.2. Additional support based on hourly rate

1.1.3. Questionaires

1.1.3.1. Questions for Business Unit Managers

1.1.3.2. Questions for Systems Administrators

1.1.3.3. Questions for Help Desk

1.1.3.4. General Employee Questions

1.1.4. Scope Creep

1.1.4.1. Specify Start and End Dates

1.1.4.2. Letter of Amendment (LOA)

1.1.4.2.1. LOA - Based on Scope Size, but not overall project direction

1.1.4.2.2. LOA - Based on vulnerabilities found during the engagement

1.1.4.2.3. LOA - Based on change in the direction of the overall project

1.1.4.3. Tie back to goals section

1.1.5. Specify IP ranges and Domains

1.1.5.1. Validate Ranges

1.1.6. Dealing with Third Parties

1.1.6.1. Cloud services

1.1.6.2. ISP

1.1.6.3. Web Hosting

1.1.6.4. MSSPs

1.1.6.5. Countries where servers are hosted

1.1.7. Define Acceptable Social Engineering Pretexts

1.1.8. DoS Testing

1.1.9. Payment Terms

1.1.9.1. Net 30

1.1.9.2. Half Upfront

1.1.9.3. Interest

1.1.9.4. Recurring

1.1.9.4.1. Monthly

1.1.9.4.2. Quarterly

1.1.9.4.3. Semi-Annual

1.1.10. Delphi Scoping

1.1.10.1. you actually work with the target in iterations... gotta break my noodle on how to get it in here

1.2. Goals

1.2.1. Identifying goals

1.2.1.1. primary

1.2.1.2. secondary

1.2.2. Business analysis

1.2.2.1. Defining a company's security maturity

1.2.3. Needs analysis

1.3. Testing terms and definitions

1.3.1. Pentesting Terms Glossary

1.4. Establish lines of communication

1.4.1. Emergency Contact information

1.4.2. Incident Reporting process

1.4.2.1. Incident Definiton

1.4.2.2. Incident Threshold

1.4.3. Status Report Frequency

1.4.4. Establish a Primary POC

1.4.5. PGP and other alternatives (Encryption is not an "option")

1.4.6. Define communication parameters with external 3rd parties (hosting, ...)

1.5. Rules of Engagement

1.5.1. Timeline

1.5.1.1. Defining Roadblocks and Gates

1.5.1.2. Work Breakdown Structure

1.5.1.3. Assign Responsibilities of the team

1.5.1.4. When things go wrong - or delayed, how to cope with scope creep, or the client has to pause the pentest

1.5.2. Locations

1.5.3. Exploitation Control (free-form, coordinated, formally monitored...)

1.5.4. Disclosure of Sensitive Information

1.5.4.1. PII

1.5.4.2. Credit Card Information

1.5.4.3. PHI

1.5.4.4. Other: We cannot contain Security to PII and PHI. Examples: BoA and Wikileaks, Dell, Intel and the Aurora attacks.

1.5.5. Evidence Handling

1.5.6. Regular Status Meetings

1.5.6.1. Plans

1.5.6.2. Progress

1.5.6.3. Problems

1.5.7. Time of the day to test

1.5.8. Dealing with shunning

1.5.9. Permission to Attack

1.6. Capabilities and Technology in Place

1.6.1. Incident response and monitoring

1.6.1.1. Ability to detect and respond to information gathering

1.6.1.2. Ability to detect and respond to footprinting

1.6.1.3. Ability to detect and respond to scanning and vuln analysis

1.6.1.4. Ability to detect and respond to infiltration (attacks)

1.6.1.5. Ability to detect and respond to data aggregation

1.6.1.6. Ability to detect and respond to data exfiltration

1.7. Protect yourself

1.7.1. Preparing your Testing System

1.7.1.1. Encryption

1.7.1.2. Validate Firewall Rules

1.7.1.3. Results Scrubbed From Previous Tests

1.7.2. Pre Engagement Checklist

1.7.3. Packet capture

1.7.4. Post Engagement Checklist

2. Intelligence Gathering

2.1. Target selection

2.1.1. Admin

2.1.2. High Level Employee

2.1.3. Random Employee

2.1.4. Employee w/ specific access

2.1.4.1. Engineer

2.1.4.2. Secretary

2.1.4.3. Developer

2.1.4.4. Network Engineer

2.1.4.5. Accounting

2.1.4.6. Human Resources

2.1.4.7. Procurement

2.1.4.8. Sales

2.2. OSINT

2.2.1. Corporate

2.2.1.1. Physical

2.2.1.1.1. Locations

2.2.1.1.2. Pervasiveness

2.2.1.1.3. Relationhips

2.2.1.2. Logical

2.2.1.2.1. Business Partners

2.2.1.2.2. Competetiors

2.2.1.2.3. touchgraph

2.2.1.2.4. Hoovers profile

2.2.1.2.5. Product line

2.2.1.2.6. Market Verticle

2.2.1.2.7. Marketing accounts

2.2.1.2.8. Meetings

2.2.1.2.9. signifigant company dates

2.2.1.2.10. job openings

2.2.1.2.11. Charity affiliations

2.2.1.3. Org chart

2.2.1.3.1. Position identification

2.2.1.3.2. Tansactions

2.2.1.3.3. Affiliates

2.2.1.4. Electronic

2.2.1.4.1. Document/metadata leakage

2.2.1.4.2. marketing communications

2.2.1.4.3. Assets

2.2.1.5. Financial

2.2.1.5.1. Reporting

2.2.1.5.2. market analysis

2.2.1.5.3. trade capital

2.2.1.5.4. value history

2.2.2. Individual

2.2.2.1. Employee

2.2.2.1.1. History

2.2.2.1.2. SocNet Profile

2.2.2.1.3. Internet Footprint

2.2.2.1.4. Bloggosphere

2.2.2.1.5. Active updates

2.2.2.1.6. Physical location

2.2.2.1.7. Mobile footprint

2.2.2.1.8. For Pay Information

2.3. Covert gathering

2.3.1. on-location gathering

2.3.1.1. Physical security inspections

2.3.1.2. wireless scanning / RF frequency scanning

2.3.1.3. Employee behavior training inspection

2.3.1.4. accessible/adjacent facilities (shared spaces)

2.3.1.5. dumpster diving

2.3.1.6. types of equipment in use

2.3.2. offsite gathering

2.3.2.1. Datacenter locations

2.3.2.2. Network provisioning/provider

2.4. HUMINT (if applicable)

2.4.1. Key employees

2.4.2. Partners/Suppliers

2.4.3. Social Engineering

2.5. Footprinting

2.5.1. External Footprinting

2.5.1.1. Identifying Customer Ranges

2.5.1.1.1. whois lookup

2.5.1.1.2. bgp looking glasses

2.5.1.1.3. subsidiaries

2.5.1.1.4. third party identification and right to audit

2.5.1.1.5. Verification with customer

2.5.1.1.6. Newsgroup Headers

2.5.1.1.7. Mailing List Headers

2.5.1.1.8. Robtex

2.5.1.2. Passive Reconnaissance

2.5.1.2.1. Search Engine Hacking

2.5.1.2.2. Manual browsing

2.5.1.2.3. shodan

2.5.1.3. Active Footprinting

2.5.1.3.1. Port Scanning

2.5.1.3.2. Banner Grabbing

2.5.1.3.3. Zone Transfers

2.5.1.3.4. SMTP Bounce Back

2.5.1.3.5. Web Application Language Mapping

2.5.1.3.6. Banner Grabbing

2.5.1.3.7. SNMP Sweeps

2.5.1.3.8. Forward/Reverse DNS

2.5.1.3.9. DNS Bruting

2.5.1.3.10. Website Mirroring

2.5.1.3.11. Robots.txt Harvesting

2.5.1.4. Establish target list

2.5.1.4.1. Mapping versions

2.5.1.4.2. Identifying patch levels

2.5.1.4.3. Looking for weak web applications

2.5.1.4.4. Identify lockout threshold

2.5.1.4.5. Error Based

2.5.1.4.6. Identify weak ports for attack

2.5.1.4.7. Outdated Systems

2.5.1.4.8. Virtualization platforms vs VMs

2.5.1.4.9. Storage infrastructure

2.5.2. Internal Footprinting

2.5.2.1. Active Footprinting

2.5.2.1.1. Port Scanning

2.5.2.1.2. SNMP Sweeps

2.5.2.1.3. Zone Transfers

2.5.2.1.4. SMTP Bounce Back

2.5.2.1.5. Forward/Reverse DNS

2.5.2.1.6. Banner Grabbing

2.5.2.1.7. VoIP mapping

2.5.2.1.8. Arp Discovery

2.5.2.1.9. DNS discovery

2.5.2.2. Passive Reconnaissance

2.5.2.2.1. Packet Sniffing

2.5.2.3. Establish target list

2.5.2.3.1. Mapping versions

2.5.2.3.2. Identifying patch levels

2.5.2.3.3. Looking for weak web applications

2.5.2.3.4. Identify lockout threshold

2.5.2.3.5. Error Based

2.5.2.3.6. Identify weak ports for attack

2.5.2.3.7. Outdated Systems

2.5.2.3.8. Virtualization platforms vs VMs

2.5.2.3.9. Storage infrastructure

2.6. Identify protection mechanisms

2.6.1. Network protections

2.6.1.1. "simple" packet filters

2.6.1.2. Traffic shaping devices

2.6.1.3. DLP systems

2.6.1.4. Encryption/tunneling

2.6.2. Host based protections

2.6.2.1. stack/heap protections

2.6.2.2. whitelisting

2.6.2.3. AV/Filtering/Behavioral analysis

2.6.2.4. DLP systems

2.6.3. Application level protections

2.6.3.1. Identify application protections

2.6.3.2. Encoding options

2.6.3.3. Potential Bypass Avenues

2.6.3.4. Whitelisted pages

2.6.4. Storage Protection

2.6.4.1. HBA - Host Level

2.6.4.1.1. LUN Masking

2.6.4.2. Storage Controller

2.6.4.2.1. iSCSI CHAP Secret

3. Exploitation

3.1. Precision strike

3.1.1. Well researched attack vector

3.2. Ensure countermeasure bypass

3.2.1. AV

3.2.1.1. Encoding

3.2.1.2. Packing

3.2.1.3. Whitelist Bypass

3.2.1.4. Process Injection

3.2.1.5. Purely Memory Resident

3.2.2. Human

3.2.3. HIPS

3.2.4. DEP

3.2.5. ASLR

3.2.6. VA + NX (Linux)

3.2.7. w^x (OpenBSD)

3.2.8. WAF

3.2.9. Stack Canaries

3.3. Customized exploitation avenue

3.3.1. Best attack for the organization: Possibly move to Precision Strike

3.3.2. Zero day angle

3.3.2.1. Fuzzing

3.3.2.1.1. Dumb Fuzzing

3.3.2.1.2. "intelligent" Fuzzing

3.3.2.1.3. Code Coverage

3.3.2.2. Reversing

3.3.2.2.1. Deadlisting

3.3.2.2.2. Live Reversing

3.3.2.2.3. Dealing with Symbol Striping

3.3.2.3. Traffic Analysis

3.3.2.3.1. Protocol Analysis

3.3.2.3.2. Protocol Reversing

3.3.3. Public exploit customization

3.3.3.1. Changing Memory locations in Existing Exploits

3.3.3.2. Important for Foreign Pentests

3.3.3.3. Altering payload

3.3.3.4. Rewriting shellcode

3.3.3.5. Add protection bypasses (DEP, ASLR, etc.)

3.3.4. Physical access

3.3.4.1. Human angle, our pretext

3.3.4.2. PC access (custom boot CD/USB)

3.3.4.3. USB

3.3.4.3.1. Autorun

3.3.4.3.2. Teensy

3.3.4.4. Firewire

3.3.4.5. RFID

3.3.4.5.1. sniffing

3.3.4.5.2. Brute-Force

3.3.4.5.3. Replay Attacks

3.3.4.6. MITM

3.3.4.6.1. SSL Strip

3.3.4.6.2. Print jobs

3.3.4.6.3. Extracting of cleartext protocols

3.3.4.6.4. Downgrading attacks

3.3.4.6.5. ...

3.3.4.7. Routing protocols

3.3.4.7.1. CDP

3.3.4.7.2. HSRP

3.3.4.7.3. VSRP

3.3.4.7.4. DTP

3.3.4.7.5. STP

3.3.4.7.6. OSPF

3.3.4.7.7. RIP

3.3.4.7.8. ...

3.3.4.8. VLAN Hopping

3.3.4.9. Other hardware (keystroke loggers, etc)

3.3.5. Proximity access (WiFi)

3.3.5.1. Attacking the Access Point

3.3.5.1.1. Crypto Implementation Attacks

3.3.5.1.2. Vulnerabilties in Access Points: Summon Paul Asadorian

3.3.5.1.3. Cracking Passwords

3.3.5.1.4. 802.1x

3.3.5.1.5. WPA-PSK

3.3.5.1.6. WPA2-PSK

3.3.5.1.7. WPA2-Enterprise

3.3.5.1.8. WPA-Enterprise

3.3.5.1.9. Ham Radio Surveillance

3.3.5.1.10. LEAP

3.3.5.1.11. EAP-Fast

3.3.5.1.12. WEP

3.3.5.2. Attacking the User

3.3.5.2.1. Karmetasploit Attacks

3.3.5.2.2. Attacking DNS Requests

3.3.5.2.3. Bluetooth

3.3.5.2.4. Personalized Rogue AP

3.3.5.2.5. Attacking Ad-Hoc Networks

3.3.5.2.6. RFID/Prox Card

3.3.5.3. Spectrum Analysis

3.3.5.3.1. FCC Business Frequency Search

3.3.5.3.2. 802.11

3.3.5.3.3. UHF/VHF/etc.

3.3.5.3.4. Microwave

3.3.5.3.5. Satellite

3.3.5.3.6. Guard Radio Frequencies

3.3.5.3.7. Wireless Headset Frequencies

3.3.6. DoS / Blackmail angle

3.3.7. Web

3.3.7.1. SQLi

3.3.7.2. XSS

3.3.7.3. CSRF

3.3.7.4. Information Leakage

3.3.7.5. Rest of OWASP top 10

3.3.8. Non-Traditional Exploitation

3.3.8.1. Business Process Flaws

3.3.8.2. Configuration / Implementation Errors

3.3.8.3. Trust Relationships

3.3.8.4. AirGap Hopping

3.3.8.4.1. Ethernet Over Powerline

3.3.8.4.2. Hardware Implants

3.3.8.4.3. Signaling Channels

3.3.8.4.4. Physics

3.4. Detection bypass

3.4.1. FW/WAF/IDS/IPS Evasion

3.4.2. Human Evasion

3.4.3. DLP Evasion

3.5. Derive control resistance to attacks

3.6. Exploit Testing

3.6.1. Reproduce Environment for exploit testing/developement

3.7. Type of Attack

3.7.1. Client Side

3.7.1.1. Phishing (w/pretext)

3.7.2. Service Side

3.7.3. Out of band

4. Post-Exploitation

4.1. Infrastructure analysis

4.1.1. netstat etc to see who connections to and from

4.1.2. ipconfig etc to find all interfaces

4.1.3. VPN detection

4.1.4. route detection, including static routes

4.1.5. neighbourhood network/OS X browser (mdns? or bonjour)

4.1.6. Network Protocols in use

4.1.7. Proxies in use

4.1.7.1. Network Level

4.1.7.2. Application Level

4.1.8. network layout (net view /domain)

4.2. High value/profile targets

4.3. Pillaging

4.3.1. Video Cameras

4.3.2. Data exfiltration through available channels

4.3.2.1. identify web servers

4.3.2.2. identify ftp servers

4.3.2.3. DNS and ICMP tunnels

4.3.2.4. VoIP channels

4.3.2.5. Physical channels (printing, garbage disposal, courier)

4.3.2.6. Fax (on multifunction printers)

4.3.3. Locating Shares

4.3.4. Audio Capture

4.3.4.1. VoIP

4.3.4.2. Microphone

4.3.5. High Value Files

4.3.6. Database enumeration

4.3.6.1. Checking for PPI

4.3.6.2. card data

4.3.6.3. passwords/user accounts

4.3.7. Wifi

4.3.7.1. Steal wifi keys

4.3.7.2. Add new Wifi entries with higher preference then setup AP to force connection

4.3.7.3. Check ESSIDs to identify places visited

4.3.8. Source Code Repos

4.3.8.1. SVN

4.3.8.2. Git

4.3.8.3. CVS

4.3.8.4. MS Sourcesafe

4.3.8.5. WebDAV

4.3.9. Identify custom apps

4.3.10. Backups

4.3.10.1. Locally stored backup files

4.3.10.2. Central backup server

4.3.10.3. Remote backup solutions

4.3.10.4. Tape storage

4.4. Business impact attacks

4.4.1. What makes the biz money

4.4.2. Steal It

4.4.3. Sabotage / Modification

4.4.3.1. Change Pricing

4.4.3.2. Change Scientific Process Results

4.4.3.3. Modify Engineering Designs

4.5. Further penetration into infrastructure

4.5.1. Botnets

4.5.1.1. Mapping connectivity in/out of every segment

4.5.1.2. Lateral connectivity

4.5.2. Pivoting inside

4.5.2.1. Linux Commands

4.5.2.2. Windows Commands

4.5.2.3. Token Stealing and Reuse

4.5.2.4. Password Cracking

4.5.2.5. Wifi connections to other devices

4.5.2.6. Password Reuse

4.5.2.7. Keyloggers

4.5.2.8. User enumeration

4.5.2.8.1. From Windows DC or from individual machines

4.5.2.8.2. Linux passwd file

4.5.2.8.3. MSSQL Windows Auth users

4.5.2.8.4. Application-specific users

4.5.3. Check History/Logs

4.5.3.1. Linux

4.5.3.1.1. Check ssh known hosts file

4.5.3.1.2. Log files to see who connects to the server

4.5.3.1.3. .bash_history and other shell history files

4.5.3.1.4. MySQL History

4.5.3.1.5. syslog

4.5.3.2. Windows

4.5.3.2.1. Event Logs

4.5.3.2.2. Recent opened files

4.5.3.3. Browsers

4.5.3.3.1. favourites

4.5.3.3.2. stored passwords

4.5.3.3.3. stored cookies

4.5.3.3.4. browsing history

4.5.3.3.5. browser cache files

4.6. Cleanup

4.6.1. Ensure documented steps of exploitation

4.6.2. Ensure proper cleanup

4.6.3. Remove Test Data

4.6.4. Leave no trace

4.6.5. Proper archiving and encryption of evidence to be handed back to customer

4.6.6. Restore database from backup where necessary

4.7. Persistance

4.7.1. Autostart Malware

4.7.2. Reverse Connections

4.7.3. Rootkits

4.7.3.1. User Mode

4.7.3.2. Kernel Based

4.7.4. C&C medium (http, dns, tcp, icmp)

4.7.5. Backdoors

4.7.6. Implants

4.7.7. VPN with creds

4.7.8. Introduction of Vulnerabilities

4.7.8.1. Web App Source Modification

4.7.8.1.1. Remove Input Validation

4.7.8.1.2. Add Extra functionality

4.7.8.2. Downgrade application version

4.7.8.3. Reintroduce default account/pwd

4.7.8.4. Re-enable disabled accounts

5. Reporting

5.1. Executive-Level Reporting

5.1.1. Business Impact

5.1.2. Customization

5.1.3. Talking to the business

5.1.4. Affect bottom line

5.1.5. Strategic Roadmap

5.1.6. Maturity model

5.1.7. Appendix with terms for risk rating

5.1.8. Timeline of attack / Gant chart of timeline

5.1.9. Quantifying the risk

5.1.9.1. Evaluate incident frequency

5.1.9.1.1. probable event frequency

5.1.9.1.2. estimate threat capability (from 3 - threat modeling)

5.1.9.1.3. Estimate controls strength (6)

5.1.9.1.4. Compound vulnerability (5)

5.1.9.1.5. Level of skill required

5.1.9.1.6. Level of access required

5.1.9.2. Estimate loss magnitude per incident

5.1.9.2.1. Primary loss

5.1.9.2.2. Secondary loss

5.1.9.2.3. Identify risk root cause analysis

5.1.9.3. Derive Risk

5.1.9.3.1. Threat

5.1.9.3.2. Vulnerability

5.1.9.3.3. Overlap

5.2. Technical Reporting

5.2.1. Identify systemic issues and technical root cause analysis

5.2.2. Pentest metrics

5.2.2.1. # of systems in scope

5.2.2.2. # of scenarios in scope

5.2.2.3. # of processes in scope

5.2.2.4. # of times detected

5.2.2.5. # of vulns/host

5.2.2.6. % of scope systems exploited

5.2.2.7. % of succesful scenarios

5.2.2.8. % of time / phase

5.2.2.9. (to be expanded)

5.2.3. Technical Findings

5.2.3.1. Description

5.2.3.2. Screen shots

5.2.3.2.1. Ensure all PII is correctly redacted

5.2.3.3. Request/Response captures

5.2.3.4. PoC examples

5.2.3.4.1. Ensure PoC code provides benign validation of the flaw

5.2.4. Reproducible Results

5.2.4.1. Test Cases

5.2.4.2. Fault triggers

5.2.5. Incident response and monitoring capabilities

5.2.5.1. Intelligence gathering

5.2.5.1.1. Reverse IDS

5.2.5.1.2. Pentest Metrics

5.2.5.2. Vuln. Analysis

5.2.5.3. Exploitation

5.2.5.4. Post-exploitation

5.2.5.5. Residual effects (notifications to 3rd parties, internally, LE, etc...)

5.2.6. Common elements

5.2.6.1. Methodology

5.2.6.2. Objective(s)

5.2.6.3. Scope

5.2.6.4. Summary of findings

5.2.6.5. Appendix with terms for risk rating

5.3. Deliverable

5.3.1. Preliminary results

5.3.2. Review of the report with the customer

5.3.3. Adjustments to the report

5.3.4. Final report

5.3.5. Versioning of Draft and Final Reports

5.3.6. Presentation

5.3.6.1. Technical

5.3.6.2. Management Level

5.3.7. Workshop / Training

5.3.7.1. Gap Analysis (skills/training)

5.3.8. Exfiltarted evidence, and any other raw (non-proprietary) data gathered.

5.3.9. Remediation Roadmap

5.3.9.1. Triage

5.3.9.2. Maturity Model

5.3.9.3. Progression Roadmap

5.3.9.4. Long-term Solutions

5.3.9.5. Defining constraints

5.3.10. Custom tools developed

6. Threat modelling

6.1. Business asset analysis

6.1.1. This goes beyond PII, PHI and Credit Cards

6.1.2. Define and bound Organizational Intelectual Property

6.1.3. Keys To Kingdom

6.1.3.1. Trade Secrets

6.1.3.2. Research & Development

6.1.3.3. Marketing Plans

6.1.3.4. Corporate Banking/Credit Accounts

6.1.3.5. Customer Data

6.1.3.5.1. PII

6.1.3.5.2. PHI

6.1.3.5.3. Credit Card Numbers

6.1.3.6. Supplier Data

6.1.3.7. Critical Employees

6.1.3.7.1. Executives

6.1.3.7.2. Middle Managers

6.1.3.7.3. Admins

6.1.3.7.4. Engineers

6.1.3.7.5. Technicians

6.1.3.7.6. HR

6.1.3.7.7. Executive Assistants

6.2. Business process analysis

6.2.1. Technical infrastructure used

6.2.2. Human infrastructure

6.2.3. 3rd party usage

6.3. Threat agents/community analysis

6.3.1. Internal Users

6.3.1.1. Executives

6.3.1.2. Middle Management

6.3.1.3. Administrators

6.3.1.3.1. Network Admins

6.3.1.3.2. System Admins

6.3.1.3.3. Server Admins

6.3.1.4. Developers

6.3.1.5. Engineers

6.3.1.6. Technicians

6.3.2. Competitors

6.3.3. Nation States

6.3.4. Organized Crime

6.3.5. Weekend Warriors

6.4. Threat capability analysis

6.4.1. Analysis of tools in use

6.4.2. Availability to relevant exploits/payloads

6.4.3. Communication mechanisms (encryption, dropsites, C&C, bulletproof hosting)

6.5. Finding relevant news of comparable Organizations being compromised

7. Vulnerability Analysis

7.1. Testing

7.1.1. Active

7.1.1.1. Automated

7.1.1.1.1. Network/General Vuln Scanners

7.1.1.1.2. Web Application Scanners

7.1.1.1.3. network vulnerability scanners

7.1.1.1.4. Voice Network scanners

7.1.1.2. Manual Direct Connection

7.1.1.3. obfucsacted

7.1.1.3.1. Multiple Exit Nodes

7.1.1.3.2. Ids Evasion

7.1.1.3.3. Variable Speed

7.1.1.3.4. Variable scope

7.1.2. Passive

7.1.2.1. Automated

7.1.2.1.1. Metadata analysis from Intel phase

7.1.2.1.2. Traffic monitoring (p0f etc)

7.1.2.2. Manual

7.1.2.2.1. direct connections

7.2. Validation

7.2.1. Correlation between scanners

7.2.2. Manual testing/protocol specific

7.2.2.1. VPN

7.2.2.1.1. Fingerprinting

7.2.2.2. Citrix

7.2.2.2.1. Enumeration

7.2.2.3. DNS

7.2.2.4. Web

7.2.2.5. Mail

7.2.3. Attack avenues

7.2.3.1. Creation of attack trees

7.2.4. Isolated lab testing

7.2.5. Visual confirmation

7.2.5.1. Manual connection w/review

7.3. Research

7.3.1. Public Research

7.3.1.1. exploit-db

7.3.1.2. Google Hacking

7.3.1.3. Exploit sites

7.3.1.4. Common/default passwords

7.3.1.5. Vendor specific advisories

7.3.2. Private Research

7.3.2.1. Setting up a replica environment

7.3.2.2. Testing configurations

7.3.2.3. Identifying potential avenues

7.3.2.4. Disassembly and code analysis