0 - Pre-Engagement

Introduction

This section contains several topics that a pentester must know before any penetration test.

The Scope

Defining the scope is the most crucial piece of a penetration test because it protects you from penalties, lawsuits and unsatisfied customers. The scope must define explicitly what is going to be tested: a set of IPs, domains, subdomains, services, access points (BSSID & ESSID) and devices (any asset of the company).
Furthermore, a well-defined scope will save you time and save the customer money. For instance, machines inside the same network might differ in the services they run, requiring more or less time to evaluate the whole device. Moreover, you have to consider that a single IP could host several services, such as web services, and each web service might serve several domains with subdomains. Hence, defining the scope on an IP basis alone would be malpractice.
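To make an agreed scope operational before any tool is launched, here is an added example (not part of the original text) of a small checker that confirms a target and port fall within the authorised assets; it handles CIDR blocks, exact domains, wildcard subdomains and per-entry service lists. The scope values are constructed placeholders using documentation (TEST-NET) addresses and example.com.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Assets the client authorised for testing (constructed example)."""
    networks: list            # CIDR blocks or single IPs, e.g. "203.0.113.0/28"
    domains: list             # "example.com" is exact; "*.example.com" covers subdomains
    ports: dict = field(default_factory=dict)  # scope entry -> allowed TCP ports (absent = any)


def _matching_domain(host, domains):
    """Return the scope entry that authorises host, or None."""
    host = host.rstrip(".").lower()
    for entry in domains:
        pattern = entry.lower()
        if pattern.startswith("*."):
            base = pattern[2:]
            if host == base or host.endswith("." + base):
                return entry
        elif host == pattern:
            return entry
    return None


def _matching_network(ip, networks):
    """Return the first CIDR/IP entry containing ip, or None."""
    for entry in networks:
        if ip in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def in_scope(scope, target, port=None):
    """Check a target (IP or host name) and optional port; returns (allowed, reason)."""
    try:
        entry = _matching_network(ipaddress.ip_address(target), scope.networks)
    except ValueError:                      # not an IP literal: treat it as a host name
        entry = _matching_domain(target, scope.domains)
    if entry is None:
        return False, f"{target} is not an authorised asset"
    allowed_ports = scope.ports.get(entry)
    if port is not None and allowed_ports and port not in allowed_ports:
        return False, f"port {port} on {target} is not an authorised service"
    return True, f"{target} authorised via scope entry {entry}"


# Constructed sample scope: only HTTP/HTTPS on the /28, any service on the single host
SCOPE = Scope(
    networks=["203.0.113.0/28", "198.51.100.7"],
    domains=["example.com", "*.shop.example.com"],
    ports={"203.0.113.0/28": {80, 443}},
)

if __name__ == "__main__":
    for target, port in [("203.0.113.5", 443), ("203.0.113.5", 22), ("mail.example.com", None)]:
        print(target, port, in_scope(SCOPE, target, port))
```

Note that `mail.example.com` is rejected because only `example.com` itself was authorised, which is exactly the kind of ambiguity the scope document should settle in writing.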

Dealing with Third Parties

Companies outsource services such as hosting a web application to third parties. Hence, you need to know whether the third party allows testing of the customer's services hosted on its systems. Then, you should ask the company to contact the third parties to inform them about the upcoming penetration test. Failing to obtain the proper permissions may mean breaking the law, resulting in a complaint by the third parties for attacking their systems.
Finally, consider that the law might differ depending on the country in which the outsourced services are hosted. For instance, port scanning might be forbidden in that foreign country.

Attack strategy

Depending on the available information provided by the customer and the starting point the customer wants to set, there are different approaches for pentesting.

Categories

Depending on how much knowledge the attacker has, three types of test can be distinguished.

White Box

Attackers know detailed information about the targeted system, including source code, configurations and system documentation. It allows attackers to find as many weaknesses as possible in the shortest period of time. Unlike internal testing, white box testing does not include any account credentials.

Gray Box

Attackers have some information, but not enough, so time and resources will be invested in finding new assets and identifying vulnerabilities and threats, based on the amount of information the customer provided to them.

Black Box

The analyst engages the target without prior knowledge of its defences, assets or channels. The target is not notified in advance of the audit scope, channels tested, or test vectors. This type of audit assesses the analyst's capabilities and the target's readiness against unknown attacks.

Starting point

Depending on the starting point of the attack, the following tests can be considered.

External pentesting

An attack against an organisation's external servers or devices, such as their website and network servers. The objective is to determine whether and how far an attacker can penetrate the company's infrastructure remotely.

Internal pentesting

An authorised user with standard access rights performs the attacks, allowing you to determine what damage could be caused by an employee who holds a personal account rather than an administrative one.

Services

Sometimes the customer will not be interested in a full penetration test because of a lack of interest or budget. However, you could offer a smaller set of sub-services. Here are some examples.

Public Footprinting

Gather public data from the organisation located on the Internet looking for endpoints, vectors of attack and valuable information that can be helpful in the future like IP addresses, DNS information, operating systems, emails, phone numbers, employee information...

Vulnerability Assessment

Analyse the company's internal and external services looking for security weaknesses.

Web Vulnerability Assessment

Analyse web applications, APIs, or mobile web applications determined in the audit scope to find vulnerabilities like XSS, XXE, SQLi, Template injection...

Wireless Network Assessment

Identify Wi-Fi vulnerabilities on the company's access points and connected devices like AP/Client misconfigurations, MAC spoofing, rogue access points and WPS Attacks. Then, identify the connected devices for a later traffic analysis (looking for credentials) or Man-In-The-Middle attacks.

Pentesting

The vulnerabilities found during the vulnerability assessment are exploited to compromise servers, endpoints, web applications, network devices... Furthermore, the test continues with subsequent vulnerability scanning and exploitation of other internal resources in order to determine the impact of the vulnerabilities and the risk to which the business is exposed.

Social Engineering

Focuses on company employees, performing attacks like phishing, USB drops, and employee impersonation to gain access to the company's infrastructure or retrieve sensitive information.

Red Teaming

A large-scale security assessment across the entire organisation, where the scope is every single asset of the business. This service involves all the previous services and can include software analysis and physical security in order to obtain access and escalate privileges within the company's infrastructure.

Denial Of Service

Assess server, network or application performance against a Denial Of Service attack by overloading the system.

Rules of engagement

While the scope defines what will be tested, the rules of engagement define when, where and how that testing will occur.

Time Estimation

A penetration test cannot last indefinitely, as that would significantly increase the invoice and waste the auditor's time. For example, suppose you base your penetration test on finding an exploitable vulnerability for a certain amount of money. In that case, you may never discover a vulnerability in the system because it is fully patched, so you would be losing money.
Hence, it helps to estimate the time based on your experience. However, if you are new to this profession, a good approach would be to set ample padding and tune it in future tests based on your previous results. Furthermore, as you become more skilled, your analysis time will shrink and you will get the same results in less time.

Locations

There will be cases where the penetration tester has to operate at the company's locations, such as a set of buildings in one or several cities. Hence, the costs of travel, hotels and meal allowances should be stipulated.

Changes during the pentesting

The auditor should notify the client that any changes made to the scope's environment during the testing period may affect the results of the assessment. So, it is important to postpone changes until the end of the evaluation.
Finally, if objectives were changed during the course of the testing, then all changes must be listed in the executive summary section of the report. Additionally, the amendment letter should be included in the appendix of the report and linked from the former section.

Pentest schedule

It might be the case that some customers require that all the testing or some parts are done outside business hours. This may mean working at night or at weekends, so the time of day requirements should be well established with the customer before testing begins.

Attack strategy

Depending on how the engagement is performed and the amount of information shared with the testing team, some services may not be necessary. For instance, public footprinting might not be essential if you perform an internal vulnerability assessment. Thus, the client should be notified.

Client contact details

Despite taking all the necessary precautions, testing can sometimes go wrong for various reasons, such as an exploited vulnerability turning into a denial of service, or accounts being locked out by brute force. Therefore, it is crucial to have the correct contact information so that the pentester can reach the staff in charge as soon as possible if a downed service needs to be brought back up or an account needs to be unblocked, preventing the company from incurring financial losses due to these issues.

Sensitive data handling

During test preparation and execution, the testing team will be provided with, and may also find, sensitive information about the company, the system and/or its users. Consequently, sensitive data handling needs special attention. Here are some security measures you should take:
  • Full disk encryption.
  • Sanitise your test machine between tests.
  • Check the various data protection laws that apply to each client.

Secure communications

During the engagement, you will handle or find sensitive information that might be worth communicating to the client, such as vulnerabilities and malware found, the location of clear-text credentials or the final report; this communication must therefore be encrypted. Before the engagement, you need to agree on which secure communication measures are to be established.
Good options would be:
  • PGP Keys: Using Kleopatra for encrypting files or emails.
  • Telephone
  • Face to Face meetings
  • Password-protected compressed files, using a robust pre-shared key or one-time password agreed before the engagement.

Identifying the pentester

Suppose you audit a company's external services, or even internal services from external sources. In that case, you should announce the IP address you are going to use to perform the attacks, in order to distinguish yourself from an actual attacker.
One way to do it is by hiring a static IP from your ISP and informing your client that all the attacks will come from that IP. Another option would be to use your client's VPN, so every attack comes from their public IP and they can analyse the traffic in case of an incident.

Questionnaire

One of the first steps in communicating with the customer is sending questionnaires. Thanks to them, we can establish the scope of the test and the estimated time required. In addition, the questions help the auditor understand what, how, when, where and why the customer wants to evaluate their systems.
A first approach would be to send a general questionnaire to obtain information about the company's motivation, contact information, location, IT infrastructure, security measures and the services being contracted.
This file contains an example of a questionnaire you can use to copy the structure.