Pentesting is an attack on a computer system, done to evaluate the security of the system/network. This test is performed to identify vulnerabilities and the risks they possess.
The 1960's marked the true beginning of the age of computer security. In this chapter, we will cover the methodology of pentesting that is widely used, as well as the red-teaming approach, which is now being adopted across different corporations.
In this chapter, we will cover the following topics:
- Pentesting 101
- A different approach
As we all know, penetration testing follows a standard. There are various standards, such as the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), the Information Systems Security Assessment Framework (ISSAF), and so on. Most of them follow the same methodology, but the phases have been named differently. We will take a look at each of them in the following sections and cover the Penetration Testing Execution Standards (PTES) in detail.
OWASP is a worldwide not-for-profit charitable organization that focuses on improving the security of software.
It's a community of like-minded professionals who release software and knowledge-based documentation on application security, covering such subjects as:
- Information gathering
- Configuration and deployment management testing
- Identity management testing
- Authentication testing
- Authorization testing
- Session management testing
- Input validation testing
- Error handling
- Business logic testing
- Client-side testing
As mentioned on their official website, this is a peer-reviewed manual of security testing and analysis, providing verified facts. These facts provide actionable information that can measurably improve your operational security.
The OSSTMM includes the following key sections:
- Operational security metrics
- Trust analysis
- Work flow
- Human security testing
- Physical security testing
- Wireless security testing
- Telecommunications security testing
- Data networks security testing
- Compliance regulations
- Reporting with the Security Test Audit Report (STAR)
ISSAF is not very active, but the guide it has provided is quite comprehensive. It aims to evaluate the information security policy and process of an organization with regard to its compliance with IT industry standards, along with laws and regulatory requirements. The current version of ISSAF is 0.2.
The stages that it covers can be found at https://www.owasp.org/index.php/Penetration_testing_methodologies.
This standard is the most widely used standard and covers almost everything related to pentesting.
PTES is divided into the following seven phases:
- Pre-engagement interactions
- Intelligence gathering
- Threat modeling
- Vulnerability analysis
Let's take a brief look at what each of these phases involves.
These actions involve multiple processes to be carried out before an activity kicks off, such as defining the scope of the activity, which usually involves mapping the network IPs, web applications, wireless networks, and so on.
Once the scoping is done, lines of communication are established across both the vendors and the incident reporting process is finalized. These interactions also include status updates, calls, legal processes, and the start and end dates of the project.
This is a process that is used to gather as much as information as possible about the target. This is the most critical part of pentesting, as the more information we have, the more attack vectors we can plan to perform the activity. In case of a whitebox activity, all this information is already provided to the testing team.
Threat modeling model depends on the amount of information gathered. Depending on that, the activity can be divided and then performed using automated tools, logical attacks, and so on. The following diagram illustrates an example of a mindmap of a threat model:
This is a process of discovering flaws that can be used by an attacker. These flaws can be anything ranging from open ports/service misconfiguration to an SQL injection. There are lots of tools available that can help in performing a vulnerability analysis.
These include Nmap, Acunetix, and Burp Suite. We can also see new tools being released every few weeks.
This is a process of gaining access to the system by evading the protection mechanism on the system based on the vulnerability assessment. Exploits can be public, or a zero day.
This is a process where the goal is to determine the criticality of the compromise and then maintain access for future use. This phase must always follow the rules of the engagement that is protecting the client and protecting ourselves (covering the tracks as per the activity's requirements).
This is one of the most important phases, as the patching of all the issues totally depends on the details presented in the report. The report must contain three key elements:
- Criticality of the bug
- Steps of reproduction of the bug
- Patch suggestions
In summary, the pentest life cycle phases are presented in the following diagram:
Let's discuss a different approach: red-teaming. The main objective of red-teaming is to assess and obtain the real level of risk a company has at that moment in time. In this activity, networks, applications, physical, and people (social engineering) are tested against weaknesses.
Red-teaming can also be considered as a simulation of a real-world hack.
Red-teaming is based on the PTES standard as the foundation. However, there's much more to it. It can be said that the penetration testing activity is performed with the aim of finding as many vulnerabilities in the given amount of time as possible. However, red-teaming is performed with only one goal and by staying discreet.
The methodology used in a red-team activity involves the following:
- Command and control
- Privilege escalation
- Reporting and cleanup
The following cycle basically repeats for every new piece of information that is found about the client until the goal is met:
Let's look at it with a different perspective to get a clearer picture:
Looking at the preceding diagram, we can see that red-teaming involves using every means to achieve the goals. We can summarize the major difference between red-teaming and pentesting as follows:
- Red-teaming involves finding and exploiting only those vulnerabilities that help to achieve our goal, whereas pentesting involves finding and exploiting vulnerabilities in the given scope, which is limited to digital assets
- Red-teaming has an extremely flexible methodology, whereas pentesting has fixed static methods
- During red-teaming, the security teams of the organizations have no information about it, whereas during pentesting, security teams are notified
- Red-teaming attacks can happen 24/7, while pentesting activities are mostly limited to office hours
- Red-teaming is more about measuring the business impact of the vulnerabilities, whereas pentesting is about finding and exploiting vulnerabilities.
Wrapping up the chapter, we learned about different standards of pentesting followed across the industry, and we went through the seven phases of the PTES standard in detail. We also looked at red-teaming and how it is different from pentesting.
In the next chapter, we will look at a few of the latest post-exploitation tools and examine in detail how they work.
- What are the different pentesting standards?
- What are the different phases of PTES?
- What is the difference between red-teaming and pentesting?
- What are the key elements of a report?
- What is the main objective of a red-team activity?
For more information on the topics discussed in this chapter, please visit the following links:
- High Level Organization of the Standard: http://www.pentest-standard.org/index.php/Main_Page
- OSSTMM: http://www.isecom.org/mirror/OSSTMM.3.pdf
- Web Application Penetration Testing: https://www.owasp.org/index.php/Web_Application_Penetration_Testing
- Information Systems Security Assessment Framework (ISSAF): http://www.oissg.org/issaf02/issaf0.1-5.pdf
- InfoSec Resources: https://resources.infosecinstitute.com/the-history-of-penetration-testing/#gref