@haydnjohnson
Penetration Testing
I don’t think it means what you think it means
Whoami
Haydn Johnson -
Twitter: @haydnjohnson
From: Australia, Lives in Toronto
Talks : http://www.slideshare.net/HaydnJohnson
Certs: OSCP | GXPN
Just shy of 4yrs Industry Experience
Backstory
Multiple understandings of a VA (vulnerability assessment)
Multiple understandings of a PT (penetration test)
Presented at BSidesLV - Automation of Pentesting
Many definitions
Penetration Testing is a term
misused
abused
exploited
To the point where it is taken out back in the rain and given a 12-gauge to the head.
Automation of Pentesting - The Trend
Commoditization
Pentest Puppy Mills
Scan
Scan
Scan
Report
Make report look nice
Make report look nicer
Remove findings on client's request
Send
The differences
Vulnerability Assessment: list oriented
VULN A
VULN B
VULN C
Penetration Testing: goal oriented
Phishing -> Local Admin -> Dump Hashes -> Domain Admin
https://danielmiessler.com/study/vulnerability-assessment-penetration-test/
Was I correct????
Let's delve deeper
Penetration Testing - The term
Means many things, or does it?
Are you sure?
But Burp is a penetration test
It attempts SQL injection... it penetrates
It checks for XSS... it penetrates
id=5 order by 1 (a column-count probe)
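What that last payload actually does, as an added example that is not part of the original deck and is not Burp's code: a constructed in-memory SQLite database with a hypothetical products table, a lookup that builds SQL by string concatenation (the flaw the probe hunts for), and the same lookup parameterised. Raising `order by N` until the database errors gives the column count of the injectable SELECT, and a UNION then pulls rows out of another table through the same parameter. Table names, data and the hash are all constructed.

```python
import sqlite3

# Constructed sample schema and data; no real application is involved.
SCHEMA = """
CREATE TABLE products (id INTEGER, name TEXT, price REAL, sku TEXT);
INSERT INTO products VALUES (5, 'widget', 9.99, 'W-0005');
CREATE TABLE users (username TEXT, pw_hash TEXT);
INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def open_db():
    """In-memory SQLite standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, product_id):
    """Deliberately vulnerable: the request parameter is concatenated into SQL."""
    query = "SELECT id, name, price, sku FROM products WHERE id=" + product_id
    return conn.execute(query).fetchall()


def lookup_fixed(conn, product_id):
    """Hardened form: a bound parameter can only ever be a value, never SQL."""
    query = "SELECT id, name, price, sku FROM products WHERE id=?"
    return conn.execute(query, (product_id,)).fetchall()


def probe_column_count(conn, lookup, base_id="5", max_cols=20):
    """The scanner-style probe behind 'id=5 order by 1'.

    ORDER BY N sorts by the N-th selected column, so N is raised until the
    database errors; the last N that worked is the column count of the
    injectable SELECT.  Returns None when the query never errors, which is
    what happens against the parameterised lookup (the whole string is
    treated as a value that matches nothing) or when the SELECT has more
    than max_cols columns.
    """
    last_ok = None
    for n in range(1, max_cols + 1):
        try:
            lookup(conn, f"{base_id} order by {n}")
        except sqlite3.OperationalError:
            return last_ok
        last_ok = n
    return None


def extract_via_union(conn, lookup, column_count):
    """With the column count known, UNION SELECT returns rows from another
    table through the same parameter; NULLs pad the extra columns."""
    cols = ["username", "pw_hash"] + ["NULL"] * (column_count - 2)
    payload = "-1 UNION SELECT " + ", ".join(cols) + " FROM users"
    return lookup(conn, payload)


if __name__ == "__main__":
    db = open_db()
    n = probe_column_count(db, lookup_vulnerable)
    print("vulnerable lookup, columns:", n)                                # 4
    print("fixed lookup, columns:", probe_column_count(db, lookup_fixed))  # None
    print("dumped:", extract_via_union(db, lookup_vulnerable, n))
```

Confirming the injection, and even dumping a hash through it, is a finding: a scanner can produce it and a vulnerability assessment can report it. That is the distinction the slide is making; on its own the probe is not a goal-oriented engagement.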
NOT a Penetration Test
But Nessus / Nexpose is a penetration test
It checks whether a known vulnerability is present
Some checks “do” exploit it
It penetrates
NOT a Penetration Test
Because the title says penetration test
So what is a penetration test?
But you still know it's a CAT err Penetration Test
Round Square
Where does one start
In order to understand what a Penetration Test is, we must look at some standards.
No really. A standard exists!
There are multiple standards
Best practices - just google!
Let us look at
First: the PTES standard
Second: what is in the standard (the key points explained)
Third: compare VA -> PT, with examples
Penetration Testing Execution Standard
By REAL infosec people:
Chris Nickerson
Dave Kennedy
Carlos Perez
John Strand
Chris Gates
+ Many more
http://www.pentest-standard.org/index.php/FAQ
The Penetration Testing Execution Standard
Main Sections
Pre-engagement Interactions
Intelligence Gathering
Threat Modeling
Vulnerability Analysis
Exploitation
Post Exploitation
Reporting
http://www.pentest-standard.org/index.php/Main_Page
Goals of the standard
Businesses
The goal is to enable them to demand a specific baseline of work as
part of a pentest.
Service Providers
The goal is to provide a baseline for the kinds of activities needed.
“The standard is written for us... anyone and everyone who’s dealing with penetration testing. It is not about a specific product, or even a specific approach or methodology for testing.”
“It is designed so that when it is adhered to, the delivery will be well above a “minimal standard”.”
http://www.iamit.org/blog/2016/09/ptes-remaining-impartial-and-insisting-on-high-standards/
Pre-engagement
Time Estimation: tied to experience of tester; add 20% for padding
Scoping Meeting: what will be tested; is it customer owned?; validate assumptions
General Questions: network pentest; web pentest; physical pentest
Scope Creep: wanting more covered; how to deal with it
Specific IP ranges and domains: IP blocks owned by client
Payment Terms: up front; half way; end
Pre-engagement Interactions
Rules of engagement - what can and cannot be done
Scope
Testing Schedule
Escalation Procedures
Pre-engagement Interactions - Example
Pentest Form
Name
Contacts
Dates
IP Address
https://aws.amazon.com/security/penetration-testing/
Pre-engagement Interactions VA comparison
“I need the things scanned”
Overall security posture
What do I have out there?
Intelligence Gathering
Level 1: compliance; automated tools
Level 2: best practice; understanding of the business; physical location, org chart
Level 3: state sponsored; heavy analysis; social networks etc.
What is it: information gathering to be utilized to penetrate a target during the vulnerability and exploitation phases. The more information, the better.
What it is not: nothing found from on-premises
Footprinting
Scanning
IP blocks
Intelligence Gathering - key points
dig axfr (DNS zone transfer)
Finding information
Help identify systems
Used as base for further steps
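An added example, not from the original deck, of turning the dig axfr step into input for the later phases: parse the zone-transfer output into records, then split the A records by the IP blocks the client confirmed it owns at the scoping meeting, so only in-scope systems are carried forward. The zone below is constructed for a hypothetical example.com using RFC 5737 documentation addresses; no real zone transfer was performed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what "dig axfr example.com @ns1.example.com" prints
# when the name server allows zone transfers (RFC 5737 documentation addresses).
SAMPLE_AXFR = """\
; <<>> DiG 9.10.3 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.        3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2016092101 7200 3600 1209600 3600
example.com.        3600  IN  NS    ns1.example.com.
example.com.        3600  IN  MX    10 mail.example.com.
ns1.example.com.    3600  IN  A     203.0.113.10
mail.example.com.   3600  IN  A     203.0.113.25
www.example.com.    3600  IN  A     203.0.113.80
vpn.example.com.    3600  IN  A     198.51.100.5
dev.example.com.    3600  IN  A     192.0.2.44
intranet.example.com. 3600 IN  CNAME www.example.com.
example.com.        3600  IN  SOA   ns1.example.com. hostmaster.example.com. 2016092101 7200 3600 1209600 3600
;; Query time: 12 msec
"""

# owner  TTL  IN  type  rdata  (the SOA records that bracket the transfer are ignored)
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME|MX|NS)\s+(.+?)\s*$")


def parse_axfr(text):
    """Return {record_type: [(owner_name, rdata), ...]} from dig AXFR output,
    skipping comment lines and trailing dots on names."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if m:
            name, rtype, data = m.groups()
            records[rtype].append((name.rstrip("."), data.rstrip(".")))
    return records


def classify_hosts(records, in_scope_blocks):
    """Split the A records into in-scope and out-of-scope host lists using
    the CIDR blocks agreed with the client (pre-engagement scope)."""
    nets = [ipaddress.ip_network(block) for block in in_scope_blocks]
    in_scope, out_of_scope = [], []
    for name, addr in records.get("A", []):
        ip = ipaddress.ip_address(addr)
        target = in_scope if any(ip in net for net in nets) else out_of_scope
        target.append((name, addr))
    return in_scope, out_of_scope


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    ok, skip = classify_hosts(recs, ["203.0.113.0/24", "198.51.100.0/24"])
    print("in scope:", ok)
    print("NOT in scope (confirm ownership before touching):", skip)
```

The out-of-scope bucket is the interesting one for the scope-creep discussion: a host the zone advertises but that lives outside the agreed blocks (dev.example.com above) goes back to the client as a question, not into the scanner.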
Intelligence Gathering - Relationships
Business Partners
Customers
Manual Analysis to vet (level 1)
Shared office spaces
Shared infrastructure
Rented / Leased Equipment
Example chain: Amazon -> Reseller A -> Shop B, Shop C
Intelligence Gathering - Example
DNS Servers
Intelligence Gathering VA comparison
Find hosts that are up and in scope…
Scan
Threat Modelling
High Level Process: gather relevant documentation; identify & categorize assets; identify & categorize threats; map threats against assets
Business Asset Analysis: asset centric view; assets most likely to be targeted; value of assets and impact of loss
Business Process Analysis: how it makes money; critical vs noncritical processes; how they can be made to lose money
Threat Agents: internal / external; community within location; capabilities / motivation
Motivation Modelling: constantly changing; increase / decrease
Threat Capability: probability of success; technical and opportunity
Threat Modelling - High Level
Gather relevant documentation
Identify and categorize primary and secondary assets
Identify and categorize threats and threat communities
Map threat communities against primary and secondary assets
Threat Modelling - Business Asset Analysis
Identify assets that are most likely to be targeted
Organisational Data - how the organization does business
Trade secrets
Infrastructure design
Can feed other areas, e.g. intel?
Threat Modelling - Business Process Analysis
How the company makes money
Value chains - assets and processes
Threat Modelling - Threat Agents / Community Analysis
Relevant threats - internal & external
Internal employees motivated by outsiders?
Threat Modelling - Threat Capability analysis
What skills do they have
How many
Technical & Opportunity analysis
Exploits / Payloads
Threat Modelling - Motivation
$$$$ | Bored | Activism
Threat Modeling - Key Points
Enables the tester to focus on delivering an engagement that closely emulates the tools, techniques, capabilities, accessibility and general profile of the attacker.
Tools | Techniques | Capabilities | Access
Threat Modelling - Example
Tofsee Malware
JavaScript downloader
Writes a PE32 executable into the %USERPROFILE% directory
Spam
Delivered via RIG Exploit Kit
http://blog.talosintel.com/2016/09/tofsee-spam.html
https://www.recordedfuture.com/threat-actor-types/
Threat modeling VA comparison
Internal or External
Vulnerability Analysis
Discovering Flaws / Testing: flaws leveraged by attackers; host & service; insecure design
Relevant: correct level of depth; expectations; goals
Passive: metadata analysis
Active: direct interaction; automated; manual
Research
Validation
Vulnerability Analysis - can include
Services | Banners
Multiple exit nodes
IDS evasion
Need to get to the target
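The "Services | Banners" step as a minimal active check, added here as an example and not taken from the original deck or from any scanner: connect, read what the service volunteers, and pull product and version out of the banner so it can be correlated with known issues or handed to the exploitation phase. The listener is a constructed stand-in for a real service so the code runs offline, and the banner strings are constructed samples; the two regexes cover only the SSH identification string and a generic "220" greeting, not a full fingerprint database.

```python
import re
import socket
import threading

# Banner formats this example understands (constructed, deliberately small):
BANNER_PATTERNS = [
    # SSH identification string (RFC 4253), e.g. "SSH-2.0-OpenSSH_7.4p1 Debian-10"
    re.compile(r"^SSH-[\d.]+-([A-Za-z][\w-]*?)[_ ]?(\d+\.\d[\w.]*)"),
    # FTP/SMTP-style 220 greeting, e.g. "220 ProFTPD 1.3.5 Server" or "220 (vsFTPd 3.0.3)"
    re.compile(r"^220\W*(?:\S+\s+)*?([A-Za-z][\w-]*)[ /_]v?(\d+\.\d[\w.]*)"),
]


def parse_banner(banner):
    """Return (product, version) from a raw banner, or (None, None) when the
    banner carries no version to work with (e.g. a bare ESMTP greeting)."""
    for pattern in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            return m.group(1), m.group(2)
    return None, None


def grab_banner(host, port, timeout=3.0, nbytes=256):
    """Active step: connect and read whatever the service sends first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(nbytes)
    return data.decode("utf-8", "replace").strip()


def fingerprint(host, port):
    """Banner plus parsed product/version, ready to correlate with known issues."""
    banner = grab_banner(host, port)
    product, version = parse_banner(banner)
    return {"host": host, "port": port, "banner": banner,
            "product": product, "version": version}


def start_fake_service(banner):
    """Constructed stand-in for a real listener so the example runs offline:
    sends one banner per connection on an ephemeral loopback port and
    returns that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner.encode() + b"\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_service("SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u1")
    print(fingerprint("127.0.0.1", port))
    for greeting in ("220 ProFTPD 1.3.5 Server (ProFTPD Default Installation)",
                     "220 (vsFTPd 3.0.3)",
                     "220 mail.example.com ESMTP Postfix"):
        print(greeting, "->", parse_banner(greeting))
```

A version string is where the scanner's "known vulnerability" lookup stops and the manual work starts: a banner can be edited, back-ported patches do not change it, and a Postfix greeting with no version yields nothing, which is the "validation" step on the slide above.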
Vulnerability Analysis - Example
Vulnerability Analysis VA comparison
Primarily focused on KNOWN vulnerabilities.
Network / business logic not assessed.
Whitelisted | Trusted
No evasion needed
Exploitation
Countermeasures: encoding; process injection; DEP | ASLR
Evasion: prevent detection; physical; network
Precision Strike: not hail mary; based on previous steps
Tailored Exploits: customize known exploit
Zero Day Angle: last resort; fuzzing; code analysis
Exploitation - Objective
Path of least resistance
Undetected
Most impact
Circumventing security controls
EASY ROAD
Hard Road
Biggest Impact
Exploitation - Countermeasures
Anti-virus needs to be evaded
Encoding data to hide what is being done
Hiding information through process injection
Memory protection such as DEP and ASLR
Exploitation - Precision
Previous steps used
Best vulnerabilities analyzed for exploitation
Minimal disruptions
Method to the madness
Exploitation - Zero Days
Fuzzing
Buffer overflows
SEH Overwrites
Ret2Libc
Exploitation - IS NOT THE DIFFERENCE BETWEEN A VA & PT
Exploitation can be used in a VA or a PT.
Clients may want a high risk vulnerability proven.
Exploitation is heavily used in a penetration test, but it is not what defines one.
https://danielmiessler.com/study/vulnerability-assessment-penetration-test/
Exploitation - Vulnerability Assessment
Validate a Vulnerability
REMOTE CODE EXECUTION A
Exploitation - Penetration Test
Part of the Job
Network
Web
Credentials
Exploitation - Example
Java deserialization in WebLogic, WebSphere, JBoss, Jenkins and OpenNMS:
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jboss
Exploitation - VA comparison
Specific
Limited
Proof
No post exploitation
Post Exploitation
Rules of engagement: protecting client; protecting yourself
Infrastructure Analysis: routing; network services; neighbors
Pillaging: installed programs | services; file/printer shares; host configuration; monitoring
Deep in target: identification of impact; affect 1 system vs affect infrastructure
Persistence & Pivoting: backdoors; lateral movement; data exfiltration
Testing: measure controls and detection
Post Exploitation - think like the attacker
What is in the network
Where is the data: customer, financial, health, credit card
Where is the domain admin
Post Exploitation - think like the attacker
Backdoors
Persistence
Data Exfiltration
Post Exploitation VA comparison
Exploitation proves the vulnerability can be exploited
This does not show the business impact.
Not “how deep, real impact”
Post Exploitation - Example
http://www.slideshare.net/HaydnJohnson/power-sploit-persistence-walkthrough
Reporting
Exec Summary: goals of pentest; high level findings; background; overall posture; for C-level | management; systemic issues
Technical Report: introduction; information gathering; vulnerability assessment; exploitation / vuln confirmation; post exploitation; risk exposure; conclusion
Reporting - Exec Summary
High level Background
Key points
Key impact and ratings
Recommendations
Strategic Road map
Similar to VA - But shows real impact not just Vulns
Reporting - Technical Report
Deep Explanation of each stage
Step by step of process / exploitation
Step by step of Post exploitation
Similar to VA - But shows much more than a list of vulns
Reporting - Vulnerability Assessment
Exec Summary
List of VULNERABILITIES
Ratings & Prioritization
Attacker COULD exploit
Reporting - Example
https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
In Summary - VA
In Summary - Exploitation
In Summary - Penetration test
Thank you!
Questions?
Debate?
Further Reading
Pentesting in detail
http://www.isaca.org/chapters3/Atlanta/AboutOurChapter/Documents/GW2015/081115-10AM-Pentesting.pdf
PTES and high Standards
http://www.iamit.org/blog/2016/09/ptes-remaining-impartial-and-insisting-on-high-standards/
Post Exploitation Blogs with Empire:
https://www.powershellempire.com/?page_id=561

BSides TO 2016 - Penetration Testing