Hey there again. In this short interval between a long day and the quick but elaborate posts I have taken up for the sake of our readers, here is how you take on a penetration test, break it up depending on the scope and the test requirements, and finally make your way through the hard part with easy and smart moves. To explain from the very basics, there is nowhere better to start than the enumeration part, but then that isn’t really the basics drill, right? Enumeration could be the hardest and finest part of all. Either way, I’ll start from the types, the procedures, what to engage, how to engage, and the ways you could pentest any given application, network or a discrete target. As an old wise man said, ‘Win the war before it starts!’ I will bring you the keys to smart pentesting, and for sure this is the only way I would take up an engagement, and the way I have been taking them up!
In the not-so-distant future, penetration testing is going to be really hard for those who have never thought about the core requirements and understood the overall process of such security testing. There are methodologies, policies, scopes, requirements, cooperation, teaming and many more initial considerations before the actual productive penetration testing starts. To begin with, let’s look at how such an engagement starts from scratch:
At this phase, there is no target and there is no requirement; there is only you and the testers who are eagerly waiting for a client to hook them up with their application, so they can get offensive against the application, network or end-points, produce better defensive strategies and fix the potentially vulnerable points. But that is a far-off phase from the current one and requires an initial understanding. The pre-engagement phase is a very important phase in which the executive business has to take place; it is less technical and more about the business and setting the right expectations.
The aforementioned could be summarized as below:
- Appoint a business meeting.
- Talk with an executive about the annual, quarterly or routine security policies.
- Talk with the technical team about what they have been facing and whether their security has previously been intruded upon.
- If the security, or any part of the current security measures, was intruded upon, was there any incident handling?
- Does the client pro-actively detect, analyze and fix vulnerabilities or loopholes, or do they have a vendor for that?
- What security measures were taken, or are currently in place, if the client will answer that!
- Which business assets does the client want protected, and are there any routine checks on them?
- Is there already a coordination team, or a security firm, taking care of the aforementioned resources?
- Given all of this, which specific security aspects need attention and which business assets must be protected?
That’d be just part one, where one is able to understand or semi-understand the specific goals from an executive point of view, and if there is already a routine check, why would one need another vendor to take care of the resources which should have been protected in the first place!? This is where the technical talk begins and exactly where the commercials would be fixed; all of this is summarized in the next part of this initial descriptive interaction.
Scope and Scope Limitations
Scoping is done in order to define a set of boundaries for a penetration test, be it a web application penetration test or a network penetration test. For example, after the business meeting is done and the necessary base targets are set, our experts define a scope, or expect a scope from the client, so that the penetration testers can start their exercises on the given scope worksheet. The targets defined in the scope are studied, mapped and analyzed for weaknesses, and then go through active penetration testing. Everything before the penetration test is a vulnerability assessment to identify potential weaknesses. The limitations or exclusions defined in the same scope, if any, are kept free from these vulnerability assessments, and hence no penetration testing is conducted on these restricted areas – which could be a production utility or a component serving the production unit.
The scoped entities are tested using a comprehensive scanning methodology based on one of four kinds of test:
1. Black box test
2. White box test
3. Grey box test
4. Glass box test
A black box test is one where the penetration tester has no prior information, design prints, or any other information from the client – it is just the target and its scope boundaries along with an exclusion list. A white box test is the opposite of a black box security assessment: credentials are provided by the client to access certain areas where intensive security testing is required, so the client can ensure all protective and proactive security measures are in place and working as they should. A grey box test is somewhere between black and white, wherein the testers are given some information on the target along with only the required credentials, as per the client’s wishes. A glass box test is one where the client can monitor all the records of the security assessments performed on the machine, or a remote server, in real time.

The scope also decides much of the costing and pricing – the bigger the scope, the more costly the security assessment. At times, external IP security assessments have many subnets and therefore many network divisions which need security checks, and the list can be massive. Defencely provides these services as well, but that’s for a later post. After scoping is done and defined, an estimate of time is delivered to the client, which is the deadline, together with a minimum extension period if the deadline is not met. This should ensure all the security assessments are covered within the time and as per the requirements of the client. If it is a penetration test, a post-exploitation assessment is carried out; if it is a vulnerability assessment, post-exploitation isn’t covered, since the goal of a vulnerability assessment is to determine the potential loopholes and not to exploit them.
The Security Engagement
Routine security assessments carried out on a regular basis have been useful for enterprise networks, web applications and end-point devices, where it becomes an important factor to keep a track record of which assets are covered and which are not. During an operational security assessment, penetration testers follow a methodology and track the assets which are covered, so they can assess the progress of the security coverage.
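The scope worksheet and exclusion list described in the scoping section, and the asset coverage tracking described just above, are easy to get wrong by hand on a large engagement. The following is an added example, not Defencely’s own tooling: it reads an include list and an exclusion list (CIDR blocks, single addresses, hostnames and `*.domain` wildcards are all assumed formats), answers “may I touch this target?” with exclusions always winning, and compares an engagement log against the expanded scope to report what is covered, what is pending, and whether anything outside the scope was touched. The sample worksheet and log at the bottom are constructed for illustration.

```python
import ipaddress


def _parse_entry(entry):
    """Classify one worksheet line: ("net", ip_network) for an address or
    CIDR block, ("host", lower-cased name) for anything else."""
    entry = entry.strip().lower()
    try:
        return "net", ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "host", entry


def _host_matches(name, pattern):
    """Exact match, or sub-domain match for "*.domain" entries. The apex
    itself ("domain") is NOT covered by "*.domain"; list it explicitly."""
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])
    return name == pattern


def build_scope(include, exclude):
    """Turn the include and exclusion worksheets into one scope record."""
    scope = {"nets": [], "hosts": [], "ex_nets": [], "ex_hosts": []}
    for entries, net_key, host_key in ((include, "nets", "hosts"),
                                       (exclude, "ex_nets", "ex_hosts")):
        for entry in entries:
            kind, value = _parse_entry(entry)
            scope[net_key if kind == "net" else host_key].append(value)
    return scope


def is_in_scope(scope, target):
    """True only if the target is explicitly included and matched by no
    exclusion entry; an exclusion always wins over an inclusion."""
    kind, value = _parse_entry(target)
    if kind == "net":
        if value.num_addresses != 1:
            raise ValueError("check a single address, not a range: %s" % target)
        addr = value.network_address
        if any(addr in net for net in scope["ex_nets"]):
            return False
        return any(addr in net for net in scope["nets"])
    if any(_host_matches(value, p) for p in scope["ex_hosts"]):
        return False
    return any(_host_matches(value, p) for p in scope["hosts"])


def expand_targets(scope):
    """Every concrete in-scope target: named hosts (wildcards cannot be
    enumerated, so they are skipped) plus each usable address of the
    included blocks, with excluded entries filtered out."""
    targets = [h for h in sorted(scope["hosts"]) if not h.startswith("*.")]
    for net in scope["nets"]:
        # hosts() drops the network/broadcast addresses of blocks larger than /31
        addrs = net.hosts() if net.num_addresses > 2 else list(net)
        targets.extend(str(a) for a in addrs)
    return [t for t in targets if is_in_scope(scope, t)]


def _normalise(entry):
    kind, value = _parse_entry(entry)
    return str(value.network_address) if kind == "net" else value


def coverage(scope, assessed):
    """Progress report for the engagement log: what was covered, what is
    still pending, and anything touched that lies outside the scope."""
    targets = expand_targets(scope)
    done = {_normalise(a) for a in assessed}
    covered = [t for t in targets if t in done]
    pending = [t for t in targets if t not in done]
    out_of_scope = sorted(a for a in done if not is_in_scope(scope, a))
    percent = round(100.0 * len(covered) / len(targets), 1) if targets else 100.0
    return {"covered": covered, "pending": pending,
            "out_of_scope": out_of_scope, "percent": percent}


# Constructed sample worksheet (not a real client scope).
INCLUDE = ["10.10.0.0/29", "www.example.test", "*.corp.example.test"]
EXCLUDE = ["10.10.0.3", "db01.corp.example.test"]   # production components
SCOPE = build_scope(INCLUDE, EXCLUDE)

if __name__ == "__main__":
    # Constructed engagement log; the last entry is an excluded production host.
    log = ["10.10.0.1", "10.10.0.2", "WWW.example.test", "10.10.0.3"]
    report = coverage(SCOPE, log)
    print("covered %s%%: %s" % (report["percent"], report["covered"]))
    print("pending:", report["pending"])
    print("touched out of scope:", report["out_of_scope"])
```

Run it before every scanning step as a gate (`is_in_scope`) and at the end of each day against the tool logs (`coverage`): the `out_of_scope` list is the one that matters for the client relationship, because touching an excluded production component is a contract breach even when nothing broke. Wildcard entries are deliberately not expanded, so hosts discovered under `*.corp.example.test` count as in scope but never show up as pending until they are added to the worksheet by name.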
A penetration test methodology is something which differs from one company to another, but there are some standards around it, namely:
1. OWASP – Open Web Application Security Project
2. WASC – Web Application Security Consortium
3. OSSTMM – Open Source Security Testing Methodology Manual
All of the above are for web applications, and there could be more methodologies for network security testing. The bottom line of every methodology remains the same, which is:
1. Threat Modeling
2. Vulnerability Analysis
3. Exploitation and Post Exploitation
In a nutshell, threat modeling refers to identifying and profiling the assets of the company in question. Relevant documentation is done in order to have all necessary information at hand when needed, and this information is used during vulnerability analysis. The vulnerability analysis stage requires a multitude of techniques, some of which are mentioned in OWASP (for web applications) and others in NIST (for networks). In the case of a web application, an entry point is needed for the penetration tester to start with: to check whether certain access control mechanisms are in place and working as they should, or, if they are in place, to bypass the security they provide and hence intrude via the application. If this is bypassed and the security in place is tricked into working as it was never originally intended, this in itself could prove a security violation or a configuration flaw. In such cases, access control reviews are done. After the penetration tester has been able to identify a potential weakness in the web application, a network or, for that matter, an internal network device, it depends on his/her skill how the exploitation is performed (given that exploitation was authorized by the client in paperwork during the pre-engagement phase!). Exploitation is the step wherein the penetration tester proves his/her ability to intrude via any of these three entry points and compromise the current security:
1. Web applications
2. External network
3. Internal Network
Apart from all of the above entry points, there could be a couple more, such as a mobile application controlled via a centralized server, an internal network which the penetration tester can access, or a wireless router exposed in the network infrastructure. Depending on the exploitation, post-exploitation is also carried out to see what information could be extracted and how far an attacker could have escalated into compromising different organizational assets, given that the penetration testing exercise is a full-fledged simulation of a real attack scenario. At the end of all these steps, the penetration tester documents all the actions he/she carried out during the security assessment and provides a detailed executive-cum-technical report, based on which the organization’s developers or network administrators should take further necessary actions to patch the loopholes and hence protect the organization from being compromised by attackers.
I hope an overall approach to penetration testing, and most interestingly its benefits, has been delivered in this post, and accordingly I assume our readers are tuned in for the next rounds. For now, I shall take my leave and come back to our readers with more interesting knowledge on information security and its sciences. Should you feel a requirement for a vulnerability assessment or security services, do not hesitate to say hello to our comprehensive service: say ‘hi’ to firstname.lastname@example.org
An application penetration tester professionally equipped with traditional as well as professional application penetration test experience, adding value to the Defencely Inc. Red Team, he currently holds technical expertise in application threat reporting and coordination for Defencely Inc.’s global clients. Among his accomplishments, he has experience in identifying critical application vulnerabilities and adds value to Defencely Inc. with his research work. The growing R&D sector towards application security at Defencely is taken care of by him. Professionally, he has had experience with several other companies working on critical application penetration test engagements, leading the Red Team, and also has experience training curious students in his leisure time. The application security guy!