This article is part of the series called How does the pen testing world do penetration testing. If you haven’t read Part 1, please check the link below.
There are several suggested methodologies for penetration testing; some of the main ones are:
- PTES Methodology
- OWASP Methodology
- OSSTMM Methodology
- ISSAF Methodology
PTES (Penetration Testing Execution Standard) is a newer standard designed to provide both businesses and security service providers with a common language and scope for performing penetration testing. The industry has used the term Penetration Test in a variety of ways in the past, which has caused a lot of confusion about what a Penetration Test is or isn’t. PTES’s aim is to create a clear standard against which penetration testing can be measured and to give customers and consultants a guideline for how testing needs to be conducted. It breaks an engagement into seven phases: pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation and reporting.
The goal of the OWASP Testing Guide project is to collect all the possible testing techniques, explain them, and keep the guide updated. The OWASP Web Application Security Testing method is based primarily on the black-box approach, where the tester knows nothing, or has very little information, about the application to be tested.
OSSTMM (Open Source Security Testing Methodology Manual) is a methodology to test the operational security of physical locations, workflows, human security, physical security, wireless security, telecommunications security, data network security and compliance. OSSTMM works better as a supporting reference for an ISO 27001 programme than as a hands-on penetration testing guide.
The methodology defined by ISSAF (Information Systems Security Assessment Framework) covers all the aspects of a security assessment: from a high-level perspective (e.g. business impact and organisational models) to practical techniques (e.g. security testing of passwords, systems, networks, etc.). The framework is divided into four main phases, each structured as several work packages (named “activities”). The four phases are, respectively: Planning, Assessment, Treatment, and Accreditation.
Several resources are required while conducting a penetration testing engagement. These include software resources such as tools and scripts, network requirements such as the IP range from which you are going to test, and collaboration tools to keep the team effective when more than one person is conducting the test. The most important deliverable is the documentation and report: this is the output of the entire penetration testing process and records how you approached it, the methodologies used, and the tools and techniques you applied. It allows both technical and non-technical readers to understand what has been done.
There are many frameworks and tools for penetration testing. Which ones are used depends on the application or infrastructure being tested; for example, testing IoT devices needs a different toolset to testing a server environment. Penetration testers often use a pre-compiled set of tools known as a ‘distro’ (a distribution of an operating system) which helps them work more quickly. One of the more popular distros, “Kali Linux” (formerly “BackTrack”), is maintained by Offensive Security.
The Kali Linux distro for penetration testing includes tools for:
- Information Gathering
- Vulnerability Analysis
- Exploitation Tools
- Wireless Attacks
- Forensics Tools
- Web Applications
- Stress Testing
- Sniffing & Spoofing
- Password Attacks
- Maintaining Access
- Hardware Hacking
- Reverse Engineering
- Reporting Tools
More details about the tool-set can be found at http://tools.kali.org/tools-listing
Network requirements, from both the organisation’s and the tester’s perspective, are a key part of setting up an engagement.
Penetration testing may be carried out internally or externally. An internal penetration test simulates a malicious intruder who is already inside the network (an insider, or an attacker with an established foothold) trying to reach and exploit systems; an external test works only from outside the perimeter.
While conducting a penetration test it is also important to know the boundaries of the engagement and which systems are critical.
Another good practice is to test from agreed, specific source IPs, so the organisation can confirm that the attack traffic it observes is coming from the pen testers and not from real attackers.
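The practical value of agreed source IPs is that the defender can split observed attack traffic into “ours” and “not ours”. The following is an added example (not code from the original article) that does exactly that for web-server access logs: it parses a few constructed Common Log Format lines, checks each hit against a hypothetical tester range (203.0.113.0/28) and testing window from the rules of engagement, and flags probes that nobody declared. The log lines, the range and the window are all made up for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 123
203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 98
198.51.100.22 - - [10/Oct/2023:14:05:40 +0000] "GET /.env HTTP/1.1" 403 56
203.0.113.9 - - [11/Oct/2023:02:17:03 +0000] "POST /login HTTP/1.1" 401 77
192.0.2.44 - - [10/Oct/2023:14:10:02 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

# Hypothetical rules-of-engagement values: the tester's declared source range
# and the agreed testing window. In practice both come from the scoping document.
TESTER_RANGES = [ipaddress.ip_network("203.0.113.0/28")]
WINDOW_START = datetime.fromisoformat("2023-10-10T09:00:00+00:00")
WINDOW_END = datetime.fromisoformat("2023-10-10T18:00:00+00:00")

# client-ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def classify(event, ranges=TESTER_RANGES, start=WINDOW_START, end=WINDOW_END):
    """Attribute a request to the tester, the tester outside the agreed window,
    or nobody we know about."""
    from_tester = any(event["ip"] in net for net in ranges)
    in_window = start <= event["ts"] <= end
    if from_tester and in_window:
        return "tester"
    if from_tester:
        # Declared range but outside the window: either the tester broke the
        # rules of engagement or someone is using that range; worth a call.
        return "tester-outside-window"
    return "unattributed"


def attribute_log(text, **kw):
    """Group every parseable line of the log by attribution label."""
    out = {"tester": [], "tester-outside-window": [], "unattributed": []}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        out[classify(ev, **kw)].append(ev)
    return out


def unattributed_probes(groups):
    """Unattributed hits that look like probing (4xx/5xx responses), i.e. the
    ones the SOC should actually follow up; ordinary 200s from users are not."""
    return [ev for ev in groups["unattributed"] if ev["status"] >= 400]


if __name__ == "__main__":
    groups = attribute_log(SAMPLE_LOG)
    for label, events in groups.items():
        print(f"{label}: {len(events)}")
        for ev in events:
            print(f"  {ev['ip']} {ev['ts'].isoformat()} {ev['req']} -> {ev['status']}")
    print("needs follow-up:", [(str(e["ip"]), e["req"]) for e in unattributed_probes(groups)])
```

On the sample data the two /admin and /wp-login.php hits from 203.0.113.7 are the tester’s, the 02:17 login attempt from 203.0.113.9 is inside the declared range but outside the window, and the /.env probe from 198.51.100.22 is the one hit nobody declared. The same split can be applied to IDS alerts or firewall logs; the point is that without an agreed source range every alert during the test has to be triaged as if it were real.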
Before starting a penetration testing engagement it’s good to consider a few things.
One of the main things to agree is the scope of the penetration test, which helps both the organisation and the tester decide what to test and what not to test. Scope varies between engagements. For example, some organisations will want full exploitation of their systems but will not want social engineering attacks included. In other cases they may want only an external penetration test, meaning tests are run only against public-facing environments such as websites and external infrastructure.
It is very important to select a reputable organisation or a well-experienced penetration tester, so that the people involved have the skills and experience to properly understand the system before testing it. In some cases there will be critical infrastructure or legacy systems in scope, and scanning of those systems must not be aggressive.
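Scope agreements only protect anyone if the tooling enforces them, so the tester’s target list should be checked against the agreed scope before any scanner runs. The following is an added example (not from the original article) of such a gate: the in-scope ranges, the excluded critical hosts and the fragile legacy range are hypothetical rules-of-engagement data, and the scanner arguments it produces are nmap-style rate and timing options chosen for illustration.

```python
import ipaddress

# Hypothetical rules-of-engagement data, constructed for this example.
IN_SCOPE = ["10.10.0.0/16", "198.51.100.0/24"]
EXCLUDED = ["10.10.5.10", "198.51.100.0/29"]   # critical systems: never touched
FRAGILE = ["10.10.7.0/24"]                      # legacy hosts: scan, but gently

# Scan profiles; "conservative" caps the packet rate and skips version probing
# so a fragile legacy stack is not knocked over by the assessment itself.
PROFILES = {
    "default":      {"rate": 1000, "timing": "T4", "version_scan": True},
    "conservative": {"rate": 20,   "timing": "T2", "version_scan": False},
}


def _nets(cidrs):
    # strict=False lets a single host be written as "10.10.5.10" (a /32)
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def plan_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED, fragile=FRAGILE):
    """Decide, per target, whether it may be scanned and with which profile.

    Returns {target: (action, detail)} where action is "scan" or "skip".
    Explicit exclusions win over everything else; anything not positively
    covered by the in-scope list is skipped, never "assumed fine".
    """
    scope, excl, frag = _nets(in_scope), _nets(excluded), _nets(fragile)
    plan = {}
    for t in targets:
        try:
            ip = ipaddress.ip_address(t)
        except ValueError:
            # A hostname must be resolved first and the resulting address
            # re-checked; do not scan on the strength of a name alone.
            plan[t] = ("skip", "not-an-ip")
            continue
        if any(ip in n for n in excl):
            plan[t] = ("skip", "excluded")
        elif not any(ip in n for n in scope):
            plan[t] = ("skip", "out-of-scope")
        elif any(ip in n for n in frag):
            plan[t] = ("scan", "conservative")
        else:
            plan[t] = ("scan", "default")
    return plan


def scan_args(decision):
    """Translate a plan entry into scanner arguments (nmap-style, illustrative);
    returns None for anything that must not be scanned."""
    action, detail = decision
    if action != "scan":
        return None
    p = PROFILES[detail]
    args = ["--max-rate", str(p["rate"]), "-" + p["timing"]]
    if p["version_scan"]:
        args.append("-sV")
    return args


if __name__ == "__main__":
    # Constructed target list mixing good, excluded, fragile, out-of-scope and unresolved entries.
    candidates = ["10.10.1.20", "10.10.5.10", "198.51.100.3",
                  "10.10.7.200", "172.16.0.1", "db01.internal"]
    for target, decision in plan_targets(candidates).items():
        print(f"{target:16} {decision[0]:4} {decision[1]:13} {scan_args(decision)}")
```

The ordering of the checks is the security-relevant part: an exclusion is honoured even when the host sits inside an in-scope range (198.51.100.3 is inside 198.51.100.0/24 but also inside the excluded /29), and a target that is not positively in scope is skipped rather than scanned by default. Hostnames are refused until resolved because a name can point at an address outside the agreed ranges.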
These methodologies and techniques are helpful from both the individual’s and the organisation’s perspective. Penetration testing simulates the attacks a real-world adversary would carry out in order to test security controls. Conducting penetration tests helps an organisation establish a security and compliance baseline for its infrastructure and understand its existing vulnerabilities.
The sample penetration test report below is one produced by the Offensive Security team.