0 - Pre-Engagement
This section contains several topics that a pentester must know before any penetration test.
Defining the scope is the most crucial piece of a penetration test, because it protects you from penalties, lawsuits and unsatisfied customers. The scope must state explicitly what is going to be tested: a set of IP addresses, domains, subdomains, services, wireless access points (BSSID and ESSID) and devices (any asset of the company).
Furthermore, a well-defined scope saves you time and saves the customer money. For instance, machines inside the same network may run different services, so each takes more or less time to evaluate fully. Moreover, a single IP address can host several services, such as web servers, and each web server can serve several domains and subdomains as virtual hosts. Hence, defining the scope by IP addresses alone would be malpractice: the list of names to be tested matters as much as the list of addresses.
Dealing with Third Parties
Companies outsource services, such as hosting a web application, to third parties. Hence, you need to know whether the third party allows testing of the customer's services hosted on its systems. Ask the customer to contact the third parties and inform them of the upcoming penetration test. Without the proper permissions you may be breaking the law, and the third party may file a complaint for attacking its systems.
Finally, bear in mind that the law may differ depending on the country where the outsourced services are hosted. For instance, port scanning may be forbidden in that country.
Depending on the available information provided by the customer and the starting point the customer wants to set, there are different approaches for pentesting.
Depending on how much knowledge the attacker has about the target, there are three types of test.
White box: attackers know detailed information about the targeted system, including source code, configurations and system documentation. This allows them to find as many weaknesses as possible in the shortest period of time. Unlike internal testing, white box testing does not include any account credentials.
Grey box: attackers have some information, but not enough, so time and resources are invested in finding new assets and identifying vulnerabilities and threats based on the amount of information the customer provided.
Black box: the analyst engages the target without prior knowledge of its defences, assets or channels. The target is not notified in advance of the audit scope, channels tested or test vectors. This type of audit assesses the analyst's capabilities and the target's readiness against unknown attacks.
Depending on the starting point of the attack, the following tests can be considered.
External: an attack against the organisation's externally exposed servers or devices, such as its website and network servers. The objective is to determine whether, and how far, an attacker can penetrate the company's infrastructure remotely.
Internal: an authorised user with standard access rights performs the attacks, allowing you to determine what damage an employee with an ordinary personal account, as opposed to an administrative one, could cause.
Sometimes the customer is not interested in a full penetration test, or cannot afford one. In that case you can offer a smaller set of sub-services. Here are some examples.
Footprinting (OSINT): gather the organisation's public data on the Internet, looking for endpoints, attack vectors and information that may be useful later, such as IP addresses, DNS records, operating systems, e-mail addresses, phone numbers and employee information.
Vulnerability assessment: analyse the company's internal and external services looking for security weaknesses.
Web application assessment: analyse the web applications, APIs or mobile web applications listed in the audit scope to find vulnerabilities such as XSS, XXE, SQL injection or template injection.
Wireless assessment: identify Wi-Fi vulnerabilities on the company's access points and connected devices, such as AP or client misconfigurations, MAC spoofing, rogue access points and WPS attacks. Then identify the connected devices for later traffic analysis (looking for credentials) or man-in-the-middle attacks.
Exploitation (penetration test): the vulnerabilities found during the vulnerability assessment are exploited to compromise servers, endpoints, web applications, network devices and so on. The test then continues with further vulnerability scanning and exploitation of other internal resources, to determine the impact of the vulnerabilities and the risk to which the business is exposed.
Social engineering: focuses on the company's employees, performing attacks such as phishing, USB drops and employee impersonation to gain access to the company's infrastructure or retrieve sensitive information.
Red team: a large-scale security assessment across the entire organisation, the scope being every single asset of the business. This service includes all of the previous ones and can also cover software analysis and physical security, in order to gain access and escalate privileges within the company's infrastructure.
Stress testing (denial of service): assess how a server, network or application behaves under a denial-of-service attack by overloading it.
Rules of engagement
While the scope defines what will be tested, the rules of engagement define when, where and how that testing will occur.
A penetration test cannot last indefinitely; an open-ended engagement inflates the invoice and wastes the auditor's time. For example, suppose you price the test on finding an exploitable vulnerability for a fixed fee. It may happen that you never find one, because the system is fully patched, and you end up losing money.
Hence, estimate the time required based on your experience. If you are new to the profession, a good approach is to allow ample padding and tune it in future tests based on your results. As you become more skilled, your analysis time will shrink and you will obtain the same results in less time.
In some cases the penetration tester has to operate at the company's premises, such as a set of buildings in one or several cities. Hence, the costs of travel, accommodation and subsistence (per diem) should be stipulated.
The auditor should notify the client that any changes made to the in-scope environment during the testing period may affect the results of the assessment, so changes should be postponed until the evaluation has finished.
Finally, if the objectives were changed during the course of the testing, all changes must be listed in the executive summary section of the report. Additionally, the amendment letter should be included in the report's appendix and linked from the executive summary.
Some customers require that all or part of the testing be done outside business hours. This may mean working at night or at weekends, so the time-of-day requirements should be agreed with the customer before testing begins.
Depending on how the engagement is performed and how much information is shared with the testing team, some services may be unnecessary. For instance, public footprinting is not essential if you are performing an internal vulnerability assessment. The client should be notified of this.
Despite taking all the necessary precautions, testing can sometimes go wrong for various reasons: an exploit may turn into a denial of service, or brute forcing may lock accounts. Therefore it is crucial to have the correct contact information, so that the pentester can reach the staff in charge as soon as possible if a service has to be brought back up or an account unblocked, preventing the company from incurring financial losses.
During test preparation and execution, the testing team will be given, and may also find, sensitive information about the company, its systems and its users. Consequently, sensitive data handling needs special attention. Some measures you should take:
- Full disk encryption.
- Sanitise your test machine between tests.
- Check the various data protection laws that apply to each client.
During the engagement you will handle or discover sensitive information that has to be communicated to the client, such as the vulnerabilities and malware found, the location of clear-text credentials, or the final report itself; all of it must be encrypted. Before the engagement, agree on which secure communication measures will be used.
Good options would be:
- Face-to-face meetings
- Password-protected compressed files, using a robust pre-shared key or a one-time password exchanged before the engagement. Use an archive format with AES-based encryption (for example 7-Zip's AES-256) rather than legacy ZipCrypto, which can be broken.
Suppose you audit a company's external services, or even its internal services from an external location. In that case you should announce the IP address(es) you will attack from, so that the client can distinguish your traffic from that of a real attacker.
One way to do this is to hire a static IP address from your ISP and inform the client that all attacks will come from that address. Another option is to use the client's VPN, so every attack comes from their own public IP and they can analyse the traffic in case of an incident.
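As an added example (written for this page, not part of the original), the following script shows what the client's side can do with the advertised source address together with the agreed testing hours from the paragraph on time-of-day requirements: it sorts firewall events into authorised test traffic, tester traffic outside the agreed window (a rules-of-engagement breach to raise with the testing team) and traffic from unknown sources, which has to be treated as a real attack until proven otherwise. The log format, the tester address, the window and the dates are all constructed; `TESTER_SOURCES`, `TEST_WINDOW`, `TEST_DATES` and the function names are assumptions.

```python
import ipaddress
from datetime import datetime, time, timedelta

# Constructed rules of engagement for the example (RFC 5737 addresses, not real).
TESTER_SOURCES = ["203.0.113.42"]            # static address advertised to the client
TEST_WINDOW = (time(22, 0), time(6, 0))      # agreed hours: 22:00 to 06:00 (overnight)
TEST_DATES = ("2024-03-04", "2024-03-08")    # agreed calendar range, inclusive

# Constructed firewall log lines: "timestamp src dst dport action".
# If the tester comes in over the client's VPN instead, src is the VPN egress and
# the window (plus the VPN account logs) is the only discriminator.
SAMPLE_LOG = """\
2024-03-04T21:59:59 203.0.113.42 198.51.100.10 443 ALLOW
2024-03-04T22:15:03 203.0.113.42 198.51.100.10 443 ALLOW
2024-03-04T23:40:17 203.0.113.42 198.51.100.10 22 DENY
2024-03-05T02:05:09 198.51.100.77 198.51.100.10 3389 DENY
2024-03-05T09:12:44 203.0.113.42 198.51.100.11 445 DENY
2024-03-09T01:00:00 203.0.113.42 198.51.100.10 80 ALLOW
2024-03-10T01:00:00 203.0.113.42 198.51.100.10 80 ALLOW
"""


def in_window(ts, window=TEST_WINDOW, dates=TEST_DATES):
    """True if the timestamp falls inside the agreed hours on an agreed date."""
    start, end = window
    first, last = (datetime.fromisoformat(d).date() for d in dates)
    t, day = ts.time(), ts.date()
    if start <= end:                          # same-day window, e.g. 09:00 to 17:00
        time_ok = start <= t < end
    else:                                     # overnight window, e.g. 22:00 to 06:00
        time_ok = t >= start or t < end
        if t < end:                           # early-morning part belongs to the
            day -= timedelta(days=1)          # session that started the evening before
    return time_ok and first <= day <= last


def classify_event(line, sources=TESTER_SOURCES):
    ts_s, src, _dst, _port, _action = line.split()
    ts = datetime.fromisoformat(ts_s)
    tester = ipaddress.ip_address(src) in {ipaddress.ip_address(s) for s in sources}
    if tester and in_window(ts):
        return "authorised-test"
    if tester:
        return "tester-outside-window"        # RoE breach: raise it with the testing team
    return "unknown-source"                   # not the tester: treat as a real attacker


def triage(log_text, sources=TESTER_SOURCES):
    """Group log lines by verdict so the unknown-source ones can be escalated."""
    groups = {}
    for line in log_text.splitlines():
        if line.strip():
            groups.setdefault(classify_event(line, sources), []).append(line)
    return groups


if __name__ == "__main__":
    for verdict, lines in triage(SAMPLE_LOG).items():
        print(f"{verdict}: {len(lines)} event(s)")
        for line in lines:
            print("   ", line)
```

Note the overnight handling: an event at 01:00 on the morning after the last agreed date still belongs to the final night session, while the same time two days later does not. Getting this boundary wrong in either direction produces either a false escalation or a missed breach, so it is worth writing the agreed window down in exactly these terms.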
One of the first steps in communicating with the customer is sending questionnaires. They tell us the scope of the test and the estimated time required, and the questions help the auditor understand what, how, when, where and why the customer wants to evaluate their systems.
A first approach is to send a general questionnaire to obtain information about the company's motivation, contact details, location, IT infrastructure, security measures and the services being hired.
This file contains an example of a questionnaire you can use to copy the structure.