Uploaded bydanhaley45372
DOCX, PDF54 views

PENETRATION TESTING METHODOLOGY PROJECT TEMPLATE .docx

This document outlines the methodology for conducting a penetration test project. It describes the three main phases: 1) Planning and Preparation which involves scoping the test and establishing agreements, 2) Assessment where information gathering, network mapping, vulnerability analysis, and penetration testing activities occur, and 3) Closing Activities including reporting findings, follow-on actions, and archiving information. The document provides templates and examples to guide planning and documenting each step of the penetration testing process.

Embed presentation

Download to read offline
PENETRATION TESTING METHODOLOGY PROJECT TEMPLATE 14 Penetration Testing Methodology Project Template ISTXXXX Your Name Running Head: Penetration Testing Methodology Project Template 1 Table of Contents Phase I: Planning and Preparation X Phase II: Assessment X Information Gathering X Network Mapping X Vulnerability Analysis X Penetration Testing X Phase III: Closing Activities X Reporting X Follow-on Actions X Archiving X Reference X Appendix X
Example: Test Outputs X Example: Vulnerability Scan Reports X Example: Analysis Metrics from Tools X Example: Presentations X Example: Screenshots of Systems X Example: Screenshots of Commands X Example: Contractual Agreement X Example: Service Level Agreement X Example: Invoice X Example: Non-disclosure Agreement X List of Tables and Figures Figure 1. Example: ScopeX Figure 2. Example: Deliverables X Give a brief summary, one page or less, of what you believe the purpose of this penetration test to be, what methodologies are appropriate, provide a statement of purpose. A virtual scenario has been provided for completion of this project. That said, Wilmington University is an institute of higher learning. As such, research is highly encouraged and rewarded. You have the option, with prior approval, to conduct penetration tests on personally owned systems such as Boxee Boxes, internet connected televisions/refrigerators, MySQL, etc. Phase I: Planning and Preparation This is arguably the most important part of a penetration testing project. The logistical work done during this phase makes it possible to execute a successful penetration test. The origins of all problems experienced during the other two phases can usually be tracked back to a lack of planning during this phase. This phase concludes with an assessment agreement.
Background Give the penetration test context. Provide answers to these questions such as: (a) What kind of company is this?, (b) What services are they requesting?, (c) Why is the company requesting the services?, and (d) Does the requestor have the authority to make the request? Assessment Agreement The assessment agreement will include: 1. Scope: a. Rules of Engagement i. Internal, external, or both approach. ii. White, gray, or black box approach. iii. Announced, unannounced. iv. Passive recon, active recon. b. What will be tested? (Telephony, network, database, wireless (keyboard, mouse, Bluetooth, Zigbee), applications, web server, email servers, VPN, data leakage protection, VoIP, physical, DMZ, IDS, firewall, router, switch.) c. What will it be tested with? (BackTrack, Metasploit, Canvas Immunity, personally developed code, low orbit internet cannon, etc.) d. How? (Trojan, social engineering, denial-of-service, stealing/breaking and entering, viruses, wardialing.) *Use the Scope tables provided below as an example for logically organizing your information. Penetration Testing Scope In Scope Out of Scope 1. 2. 3. 4. 5. 1. 2. 3.
4. 5. Figure 1. Penetration Tests Scope. Penetration Testing Tools Scope In Scope Out of Scope 1. 2. 3. 4. 5. 1. 2. 3. 4. 5. Figure 2. Penetration Testing Tools Scope. 2. Deliverables: Deliverable Description Acceptance Criteria Presentation Electronic Document As defined in scope, vetted by Team Lead, approved by Project Manager Report Electronic Document & Presentation As defined in scope, vetted by Team Lead, approved by Project Manager Etc. Etc. Etc. Figure 3. Deliverables.
3. Team Members: Penetration Team Project Members Role Responsibility Description Project Manager Harcourt, Thomas – Manage team, ultimately responsible for success of project. Project Sponsor Valasquez, Juan – Handles escalated personnel issues, represents project and team to third parties. Team Members Last name, First, etc, - All act in penetration test engineer capacities. Stakeholders Company name, CIO, Department Heads, IT employees, etc. Etc. Etc. Figure 4. Team Members. Penetration Testing Team Members Engineer Specialty Duty Email Phone Number Alternate Harcourt, Thomas Project Management, Wireless Penetration Project Manager [email protected]
1-800-943-2257 x142 Rivera, Jorge Smith, Andrew Database, Email, Web Server Penetration Engineer [email protected] 1-800-943-2257 x138 Mutton, Scott Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc.
Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Figure 5. Penetration Testing Team Members. 4. What is the escalation path for problems? (For example: What will you do if the owner asks you break into his wife’s personal email because he believes she is cheating on him, you discover child pornography, etc?) 5. Each department needs a point of contact. (For example, Network Administration, Server Administration, Client Administration, Help Desk, Network Security, Quality Assurance, Development, etc.) 6. Date/Time of Test. (Perhaps only weekends are acceptable or only early morning hours, etc.) 7. Miscellaneous Points of Contact: a. Law Enforcement (City, State, County) b. Internet Service Provider c. Consultants d. Subject Matter Experts e. Lawyers 8. Retest Policy. 9. Working conditions. (For example: (a) Where will you work from?, (b) What will you work with?, and (c) What do you require? 10. Non-disclosure Agreement.
11. Liability Insurance or Approval in Writing (For example: (a) Why do you need it? (b) Where do you find it?) 12. Contractual Constraints (For example: (a) Don’t denial of service servers because we have customers who will sue us., (b) Don’t transfer data., and (c) Don’t route attack traffic out of the country and back.) 13. Legal Issues – If illegal activity is found such as child porn then we will do what? 14. Quality Assurance – How? (For example: Is there a senior rater? Are double tests performed?) Phase II: Assessment Provide a brief description of what will occur during this phase. For example: This is the phase where you will implement your plan. You will gather data about your intended target and infer enough information so you have the knowledge you need to pursue a penetration test. This phase has four sections: Information Gathering, Network Mapping, Vulnerability Analysis, Penetration Testing. 1. Information Gathering There are many methods of gathering information on your company, as discussed during the planning phase. You should have already identified the information gathering techniques in scope of your work during the planning phase. Now it’s time to execute your information gathering techniques. Explain the difference between active and passive gathering. Categorize your work into two sections, active or passive gathering. A block of words is provided below to jog your mind: DNS/WHOIS, search engines, website (wget), Chamber of Commerce, company reviews, Google Maps, Facebook/MySpace/Twitter/YouTube, Internet Archive, job postings, key people, web addresses, servers OSs, locations of servers, web links, web server directory tree, enumerate services running on server and list, encryption standards (SSL, TLS, etc), form fields, web code/language, variables, meta tag info. 2. Network Mapping
This section is where we compile a list of devices and their locations on the network, also known as foot printing the network. It can be broken down into two sections, internal and external. A list of devices should be provided with as much information as possible. Rack and stack the devices for targeting. A block of words is provided below to jog your mind: Live hosts, open/closed ports, services, perimeter devices, firewalls, routers, DMZs, operating systems, purpose of device, banner page, error pages, topological map, IP block, DNS registry information, ISP, tracert. 3. Vulnerability Analysis Specific targets have been identified. You’ve racked and stacked. It’s time to focus on your targets. List them here and explain why you’ve chosen them. Follow these steps below: a. Identify vulnerable services/OSs/coding language(s)/form input(s): b. Search for known vulnerabilities for each OS, service, etc, and list them: (CVE, CERT, NVD, etc.) c. Reprioritize rack and stack list. Classify list by likelihood of success. d. Create attack scenario. Tease out idea by drawing it on paper first. Provide a step-by-step with an accompanying descriptive paragraph detailing your thoughts. IMPORTANT: Verify your attack scenario is within scope. If it’s not, don’t do it. You could experience legal complications. 4. Penetration Testing This is the actual test. You are executing your attack scenario. Follow these steps: a. Find/develop your exploits for the vulnerabilities you identified, give a brief description of each, describe the dangers of using a second party exploit: (M1lW0rm, Metasploit, etc.) Vulnerability/Exploit Rack and Stack System Vulnerabilities
Exploits Exploit Description Exploit Source Ranking b. Use tool/code, verify success or failure to access. c. For each successful exploit list the system exploited, vulnerability, exploit used, paths, commands, impact on device. Provide screenshots, copies of file(s), intimate knowledge of system to prove claim. d. Hot wash. For each failure make a speculation of what the issues could be. For example, is the exploit being used against a slightly newer version of the system and, therefore, no longer effective? Phase III: Closing Activities The previous two phases were for your benefit as a penetration tester. There was an initial interface with the business in order to agree on the terms and then you planned and conducted a
penetration test. This is the phase where you communicate your findings to the business. 1. Reporting It is extremely important you reiterate in a clear and concise way that you’ve done what you said you would do. Provide a brief PowerPoint slide for each audience listed below. Use your judgment in determining what to include. Special note, this is also a pitch for further business. Market future services. a. Chief Information Officer/Director of Information Technology/Chief Security Officer/miscellaneous management: Example Management Summary: Scope, Tools, Exploits, Dates/Times, Verification, Residual Clean-up Actions Performed, Recommendations for Security Policy, Future Services (Post-Test Support, Countermeasures, Second Penetration Test, Training staff). b. IT Department Heads. Example: List systems found with accompanying specs and configurations, Vulnerabilities, Exploits, Dates/Times, Verification, Output of Tests, Post Clean-up Actions Performed, Recommendations, Post-testing. c. Technical Staff: server administrators, network administrators, client system administrators, etc. Example: Detail system exploited, date/time, output of tests, make specific recommendations that are actionable for the technicians such as fixing misconfigurations. 2. Follow-on Actions Describe what you’ve done in regards to follow-on actions. Follow-on actions include a discussion of cleaning up code, patching, wiping systems, notifying law enforcement and the ISP and stakeholders the penetration test is concluded, destroy network information gathering data and list of vulnerabilities and exploits and construct a lessons learned. The lessons learned should answer these, and other, questions: a. Were there any incidents, physical or cyber, with law enforcement, management, illegal activities found, pre-existing hacks already being exploited? b. How were they managed?
c. Could they have been managed differently? 3. Archiving List what information you will keep, why you will keep it, what the legal ramifications/risks of keeping it are, where you will keep it, and how long will you keep it? How will you secure the data you do keep? (Encryption level, software, cloud-based and accessible from your smart phone, locally stored, backup, in your email, data integrity checks with hashes, data leakage protection measures, knowledge database) Reference Appendix
PENETRATION TESTING METHODOLOGY PROJECT TEMPLATE .docx

More Related Content

PPT
Pentesting hygt frde education of engi.ppt
byasranausheenasra
 
PDF
PENETRATION TESTING LECTURE SLIDES start
byDorcask3
 
PDF
Penetration testing using metasploit framework
byPawanKesharwani
 
PPTX
Penentration testing
bytahreemsaleem
 
PDF
Vulnerability Assessment and Penetration Testing Report
byRishabh Upadhyay
 
PDF
IRJET- A Study on Penetration Testing using Metasploit Framework
byIRJET Journal
 
PPTX
Web application Testing
byOWASP Foundation
 
PDF
What are the 3 Phases of Penetration Testing
byCyber security professional services- Detox techno
 
Pentesting hygt frde education of engi.ppt
byasranausheenasra
 
PENETRATION TESTING LECTURE SLIDES start
byDorcask3
 
Penetration testing using metasploit framework
byPawanKesharwani
 
Penentration testing
bytahreemsaleem
 
Vulnerability Assessment and Penetration Testing Report
byRishabh Upadhyay
 
IRJET- A Study on Penetration Testing using Metasploit Framework
byIRJET Journal
 
Web application Testing
byOWASP Foundation
 
What are the 3 Phases of Penetration Testing
byCyber security professional services- Detox techno
 

Similar to PENETRATION TESTING METHODOLOGY PROJECT TEMPLATE .docx

PPTX
Modul Analisa Test Penetrasi Keamanan TI.pptx
byMochEffendi3
 
PDF
What are the 3 Phases of Penetration Testing.pdf
byCyber security professional services- Detox techno
 
PPTX
Vapt pci dss methodology ppt v1.0
byNetwork Intelligence India
 
PDF
Ethical hacking
byKhairi Aiman
 
PPT
Pentesting tutorial slide bbvbbbbbbbbbbbbbb
byvijayc2021
 
DOCX
Cst 630Education Specialist / snaptutorial.com
byMcdonaldRyan79
 
DOC
Cst 630 Inspiring Innovation--tutorialrank.com
byPrescottLunt385
 
PDF
Cst 630 Believe Possibilities / snaptutorial.com
byDavis11a
 
DOCX
CST 630 RANK Inspiring Innovation--cst630rank.com
byKeatonJennings104
 
PDF
CST 630 RANK Introduction Education--cst630rank.com
byagathachristie266
 
DOCX
CST 630 RANK Educational Specialist--cst630rank.com
byVSNaipaul15
 
PDF
CST 630 RANK Become Exceptional--cst630rank.com
byagathachristie113
 
PDF
CST 630 RANK Remember Education--cst630rank.com
bychrysanthemu49
 
DOCX
CST 630 Exceptional Education - snaptutorial.com
byDavisMurphyA97
 
DOC
Cst 630 Enhance teaching / snaptutorial.com
byBaileyabw
 
DOCX
CST 630 RANK Achievement Education--cst630rank.com
bykopiko147
 
PDF
Cst 630 Education Organization-snaptutorial.com
byrobertlesew6
 
DOCX
CST 630 RANK Redefined Education--cst630rank.com
byclaric241
 
DOCX
Many companies and agencies conduct IT audits to test and assess the.docx
bytienboileau
 
PPTX
Assessing a pen tester: Making the right choice when choosing a third party P...
byJason Broz, CIPP/US
 
Modul Analisa Test Penetrasi Keamanan TI.pptx
byMochEffendi3
 
What are the 3 Phases of Penetration Testing.pdf
byCyber security professional services- Detox techno
 
Vapt pci dss methodology ppt v1.0
byNetwork Intelligence India
 
Ethical hacking
byKhairi Aiman
 
Pentesting tutorial slide bbvbbbbbbbbbbbbbb
byvijayc2021
 
Cst 630Education Specialist / snaptutorial.com
byMcdonaldRyan79
 
Cst 630 Inspiring Innovation--tutorialrank.com
byPrescottLunt385
 
Cst 630 Believe Possibilities / snaptutorial.com
byDavis11a
 
CST 630 RANK Inspiring Innovation--cst630rank.com
byKeatonJennings104
 
CST 630 RANK Introduction Education--cst630rank.com
byagathachristie266
 
CST 630 RANK Educational Specialist--cst630rank.com
byVSNaipaul15
 
CST 630 RANK Become Exceptional--cst630rank.com
byagathachristie113
 
CST 630 RANK Remember Education--cst630rank.com
bychrysanthemu49
 
CST 630 Exceptional Education - snaptutorial.com
byDavisMurphyA97
 
Cst 630 Enhance teaching / snaptutorial.com
byBaileyabw
 
CST 630 RANK Achievement Education--cst630rank.com
bykopiko147
 
Cst 630 Education Organization-snaptutorial.com
byrobertlesew6
 
CST 630 RANK Redefined Education--cst630rank.com
byclaric241
 
Many companies and agencies conduct IT audits to test and assess the.docx
bytienboileau
 
Assessing a pen tester: Making the right choice when choosing a third party P...
byJason Broz, CIPP/US
 

More from danhaley45372

DOCX
Your initial post is due by midnight (1159 PM) on Thursday. You mus.docx
bydanhaley45372
 
DOCX
Your goals as the IT architect and IT security specialist are to.docx
bydanhaley45372
 
DOCX
Your HR project to develop a centralized model of deliveri.docx
bydanhaley45372
 
DOCX
Your have been contracted by HealthFirst Hospital Foundation (HHF),.docx
bydanhaley45372
 
DOCX
Your initial post should be 2-3 paragraphs in length.Inclu.docx
bydanhaley45372
 
DOCX
Your group presentationWhat you need to do.docx
bydanhaley45372
 
DOCX
Your future financial needs will be based on the income you can reas.docx
bydanhaley45372
 
DOCX
Your essay should address the following.(a) How  is the biologic.docx
bydanhaley45372
 
DOCX
Your good friends have just adopted a four-year-old child. At this p.docx
bydanhaley45372
 
DOCX
Your Immersion Project for this course is essentially ethnographic r.docx
bydanhaley45372
 
DOCX
Your contribution(s) must add significant information to the dis.docx
bydanhaley45372
 
DOCX
Your good friends have just adopted a four-year-old child. At th.docx
bydanhaley45372
 
DOCX
Your initial post should be made during Unit 2,  January 21st at 4.docx
bydanhaley45372
 
DOCX
Your initial post should be made during Unit 2, january 21st at 4.docx
bydanhaley45372
 
DOCX
Your individual sub-topic written (MIN of 1, MAX 3 pages)You.docx
bydanhaley45372
 
DOCX
Your essay should address the following problem.(a) What is .docx
bydanhaley45372
 
DOCX
Your friend Lydia is having difficulty taking in the informati.docx
bydanhaley45372
 
DOCX
Your initial post should be at least 450+ words and in APA forma.docx
bydanhaley45372
 
DOCX
Your country just overthrew its dictator, and you are the newly .docx
bydanhaley45372
 
DOCX
Your initial post should be made during, Submissions after this time.docx
bydanhaley45372
 
Your initial post is due by midnight (1159 PM) on Thursday. You mus.docx
bydanhaley45372
 
Your goals as the IT architect and IT security specialist are to.docx
bydanhaley45372
 
Your HR project to develop a centralized model of deliveri.docx
bydanhaley45372
 
Your have been contracted by HealthFirst Hospital Foundation (HHF),.docx
bydanhaley45372
 
Your initial post should be 2-3 paragraphs in length.Inclu.docx
bydanhaley45372
 
Your group presentationWhat you need to do.docx
bydanhaley45372
 
Your future financial needs will be based on the income you can reas.docx
bydanhaley45372
 
Your essay should address the following.(a) How  is the biologic.docx
bydanhaley45372
 
Your good friends have just adopted a four-year-old child. At this p.docx
bydanhaley45372
 
Your Immersion Project for this course is essentially ethnographic r.docx
bydanhaley45372
 
Your contribution(s) must add significant information to the dis.docx
bydanhaley45372
 
Your good friends have just adopted a four-year-old child. At th.docx
bydanhaley45372
 
Your initial post should be made during Unit 2,  January 21st at 4.docx
bydanhaley45372
 
Your initial post should be made during Unit 2, january 21st at 4.docx
bydanhaley45372
 
Your individual sub-topic written (MIN of 1, MAX 3 pages)You.docx
bydanhaley45372
 
Your essay should address the following problem.(a) What is .docx
bydanhaley45372
 
Your friend Lydia is having difficulty taking in the informati.docx
bydanhaley45372
 
Your initial post should be at least 450+ words and in APA forma.docx
bydanhaley45372
 
Your country just overthrew its dictator, and you are the newly .docx
bydanhaley45372
 
Your initial post should be made during, Submissions after this time.docx
bydanhaley45372
 

Recently uploaded

PPTX
Kochi MuleSoftMeetup_UnlockingMCPServer.pptx
bysandeepmenon62
 
PPTX
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
PDF
Toward Massive, Ultrareliable, and Low-Latency Wireless Communication With Sh...
byMan_Ebook
 
PDF
The voice of the rain poem class 11th.pdf
byReeta Baral
 
PPTX
AI_in_Daily_Life_Presentation and more.pptx
bybantydansena
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PDF
NAVIGATE PHARMACY CAREER OPPORTUNITIES.pdf
byMd. Zakaria Faruki
 
PDF
APM Wessex Network: DEIB Policy into Practice
byAssociation for Project Management
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
PDF
Analyzing the data of your initial survey
byThelma Villaflores
 
PPTX
Filipino 11-Tekstong Prosidyural-Final.pptx
byMargieBAlmoza
 
PDF
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
PDF
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
PPTX
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PDF
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
Kochi MuleSoftMeetup_UnlockingMCPServer.pptx
bysandeepmenon62
 
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
Toward Massive, Ultrareliable, and Low-Latency Wireless Communication With Sh...
byMan_Ebook
 
The voice of the rain poem class 11th.pdf
byReeta Baral
 
AI_in_Daily_Life_Presentation and more.pptx
bybantydansena
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
NAVIGATE PHARMACY CAREER OPPORTUNITIES.pdf
byMd. Zakaria Faruki
 
APM Wessex Network: DEIB Policy into Practice
byAssociation for Project Management
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
Analyzing the data of your initial survey
byThelma Villaflores
 
Filipino 11-Tekstong Prosidyural-Final.pptx
byMargieBAlmoza
 
BỘ TEST KIỂM TRA CUỐI HỌC KÌ 1 - TIẾNG ANH 6-7-8-9 GLOBAL SUCCESS - PHIÊN BẢN...
byNguyen Thanh Tu Collection
 
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
Projecte de la porta d'i5B: Els animals marins
byeduardrubio1
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 

PENETRATION TESTING METHODOLOGY PROJECT TEMPLATE .docx

  • 1.
    PENETRATION TESTING METHODOLOGYPROJECT TEMPLATE 14 Penetration Testing Methodology Project Template ISTXXXX Your Name Running Head: Penetration Testing Methodology Project Template 1 Table of Contents Phase I: Planning and Preparation X Phase II: Assessment X Information Gathering X Network Mapping X Vulnerability Analysis X Penetration Testing X Phase III: Closing Activities X Reporting X Follow-on Actions X Archiving X Reference X Appendix X
  • 2.
    Example: Test OutputsX Example: Vulnerability Scan Reports X Example: Analysis Metrics from Tools X Example: Presentations X Example: Screenshots of Systems X Example: Screenshots of Commands X Example: Contractual Agreement X Example: Service Level Agreement X Example: Invoice X Example: Non-disclosure Agreement X List of Tables and Figures Figure 1. Example: ScopeX Figure 2. Example: Deliverables X Give a brief summary, one page or less, of what you believe the purpose of this penetration test to be, what methodologies are appropriate, provide a statement of purpose. A virtual scenario has been provided for completion of this project. That said, Wilmington University is an institute of higher learning. As such, research is highly encouraged and rewarded. You have the option, with prior approval, to conduct penetration tests on personally owned systems such as Boxee Boxes, internet connected televisions/refrigerators, MySQL, etc. Phase I: Planning and Preparation This is arguably the most important part of a penetration testing project. The logistical work done during this phase makes it possible to execute a successful penetration test. The origins of all problems experienced during the other two phases can usually be tracked back to a lack of planning during this phase. This phase concludes with an assessment agreement.
  • 3.
    Background Give the penetrationtest context. Provide answers to these questions such as: (a) What kind of company is this?, (b) What services are they requesting?, (c) Why is the company requesting the services?, and (d) Does the requestor have the authority to make the request? Assessment Agreement The assessment agreement will include: 1. Scope: a. Rules of Engagement i. Internal, external, or both approach. ii. White, gray, or black box approach. iii. Announced, unannounced. iv. Passive recon, active recon. b. What will be tested? (Telephony, network, database, wireless (keyboard, mouse, Bluetooth, Zigbee), applications, web server, email servers, VPN, data leakage protection, VoIP, physical, DMZ, IDS, firewall, router, switch.) c. What will it be tested with? (BackTrack, Metasploit, Canvas Immunity, personally developed code, low orbit internet cannon, etc.) d. How? (Trojan, social engineering, denial-of-service, stealing/breaking and entering, viruses, wardialing.) *Use the Scope tables provided below as an example for logically organizing your information. Penetration Testing Scope In Scope Out of Scope 1. 2. 3. 4. 5. 1. 2. 3.
  • 4.
    4. 5. Figure 1. PenetrationTests Scope. Penetration Testing Tools Scope In Scope Out of Scope 1. 2. 3. 4. 5. 1. 2. 3. 4. 5. Figure 2. Penetration Testing Tools Scope. 2. Deliverables: Deliverable Description Acceptance Criteria Presentation Electronic Document As defined in scope, vetted by Team Lead, approved by Project Manager Report Electronic Document & Presentation As defined in scope, vetted by Team Lead, approved by Project Manager Etc. Etc. Etc. Figure 3. Deliverables.
  • 5.
    3. Team Members: PenetrationTeam Project Members Role Responsibility Description Project Manager Harcourt, Thomas – Manage team, ultimately responsible for success of project. Project Sponsor Valasquez, Juan – Handles escalated personnel issues, represents project and team to third parties. Team Members Last name, First, etc, - All act in penetration test engineer capacities. Stakeholders Company name, CIO, Department Heads, IT employees, etc. Etc. Etc. Figure 4. Team Members. Penetration Testing Team Members Engineer Specialty Duty Email Phone Number Alternate Harcourt, Thomas Project Management, Wireless Penetration Project Manager [email protected]
  • 6.
    1-800-943-2257 x142 Rivera, Jorge Smith,Andrew Database, Email, Web Server Penetration Engineer [email protected] 1-800-943-2257 x138 Mutton, Scott Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc.
  • 7.
    Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Etc. Etc. Etc Etc. Etc. Etc. Figure 5. PenetrationTesting Team Members. 4. What is the escalation path for problems? (For example: What will you do if the owner asks you break into his wife’s personal email because he believes she is cheating on him, you discover child pornography, etc?) 5. Each department needs a point of contact. (For example, Network Administration, Server Administration, Client Administration, Help Desk, Network Security, Quality Assurance, Development, etc.) 6. Date/Time of Test. (Perhaps only weekends are acceptable or only early morning hours, etc.) 7. Miscellaneous Points of Contact: a. Law Enforcement (City, State, County) b. Internet Service Provider c. Consultants d. Subject Matter Experts e. Lawyers 8. Retest Policy. 9. Working conditions. (For example: (a) Where will you work from?, (b) What will you work with?, and (c) What do you require? 10. Non-disclosure Agreement.
  • 8.
    11. Liability Insuranceor Approval in Writing (For example: (a) Why do you need it? (b) Where do you find it?) 12. Contractual Constraints (For example: (a) Don’t denial of service servers because we have customers who will sue us., (b) Don’t transfer data., and (c) Don’t route attack traffic out of the country and back.) 13. Legal Issues – If illegal activity is found such as child porn then we will do what? 14. Quality Assurance – How? (For example: Is there a senior rater? Are double tests performed?) Phase II: Assessment Provide a brief description of what will occur during this phase. For example: This is the phase where you will implement your plan. You will gather data about your intended target and infer enough information so you have the knowledge you need to pursue a penetration test. This phase has four sections: Information Gathering, Network Mapping, Vulnerability Analysis, Penetration Testing. 1. Information Gathering There are many methods of gathering information on your company, as discussed during the planning phase. You should have already identified the information gathering techniques in scope of your work during the planning phase. Now it’s time to execute your information gathering techniques. Explain the difference between active and passive gathering. Categorize your work into two sections, active or passive gathering. A block of words is provided below to jog your mind: DNS/WHOIS, search engines, website (wget), Chamber of Commerce, company reviews, Google Maps, Facebook/MySpace/Twitter/YouTube, Internet Archive, job postings, key people, web addresses, servers OSs, locations of servers, web links, web server directory tree, enumerate services running on server and list, encryption standards (SSL, TLS, etc), form fields, web code/language, variables, meta tag info. 2. Network Mapping
  • 9.
    This section iswhere we compile a list of devices and their locations on the network, also known as foot printing the network. It can be broken down into two sections, internal and external. A list of devices should be provided with as much information as possible. Rack and stack the devices for targeting. A block of words is provided below to jog your mind: Live hosts, open/closed ports, services, perimeter devices, firewalls, routers, DMZs, operating systems, purpose of device, banner page, error pages, topological map, IP block, DNS registry information, ISP, tracert. 3. Vulnerability Analysis Specific targets have been identified. You’ve racked and stacked. It’s time to focus on your targets. List them here and explain why you’ve chosen them. Follow these steps below: a. Identify vulnerable services/OSs/coding language(s)/form input(s): b. Search for known vulnerabilities for each OS, service, etc, and list them: (CVE, CERT, NVD, etc.) c. Reprioritize rack and stack list. Classify list by likelihood of success. d. Create attack scenario. Tease out idea by drawing it on paper first. Provide a step-by-step with an accompanying descriptive paragraph detailing your thoughts. IMPORTANT: Verify your attack scenario is within scope. If it’s not, don’t do it. You could experience legal complications. 4. Penetration Testing This is the actual test. You are executing your attack scenario. Follow these steps: a. Find/develop your exploits for the vulnerabilities you identified, give a brief description of each, describe the dangers of using a second party exploit: (M1lW0rm, Metasploit, etc.) Vulnerability/Exploit Rack and Stack System Vulnerabilities
  • 10.
    Exploits Exploit Description Exploit Source Ranking b.Use tool/code, verify success or failure to access. c. For each successful exploit list the system exploited, vulnerability, exploit used, paths, commands, impact on device. Provide screenshots, copies of file(s), intimate knowledge of system to prove claim. d. Hot wash. For each failure make a speculation of what the issues could be. For example, is the exploit being used against a slightly newer version of the system and, therefore, no longer effective? Phase III: Closing Activities The previous two phases were for your benefit as a penetration tester. There was an initial interface with the business in order to agree on the terms and then you planned and conducted a
  • 11.
    penetration test. Thisis the phase where you communicate your findings to the business. 1. Reporting It is extremely important you reiterate in a clear and concise way that you’ve done what you said you would do. Provide a brief PowerPoint slide for each audience listed below. Use your judgment in determining what to include. Special note, this is also a pitch for further business. Market future services. a. Chief Information Officer/Director of Information Technology/Chief Security Officer/miscellaneous management: Example Management Summary: Scope, Tools, Exploits, Dates/Times, Verification, Residual Clean-up Actions Performed, Recommendations for Security Policy, Future Services (Post-Test Support, Countermeasures, Second Penetration Test, Training staff). b. IT Department Heads. Example: List systems found with accompanying specs and configurations, Vulnerabilities, Exploits, Dates/Times, Verification, Output of Tests, Post Clean-up Actions Performed, Recommendations, Post-testing. c. Technical Staff: server administrators, network administrators, client system administrators, etc. Example: Detail system exploited, date/time, output of tests, make specific recommendations that are actionable for the technicians such as fixing misconfigurations. 2. Follow-on Actions Describe what you’ve done in regards to follow-on actions. Follow-on actions include a discussion of cleaning up code, patching, wiping systems, notifying law enforcement and the ISP and stakeholders the penetration test is concluded, destroy network information gathering data and list of vulnerabilities and exploits and construct a lessons learned. The lessons learned should answer these, and other, questions: a. Were there any incidents, physical or cyber, with law enforcement, management, illegal activities found, pre-existing hacks already being exploited? b. How were they managed?
  • 12.
    c. Could theyhave been managed differently? 3. Archiving List what information you will keep, why you will keep it, what the legal ramifications/risks of keeping it are, where you will keep it, and how long will you keep it? How will you secure the data you do keep? (Encryption level, software, cloud-based and accessible from your smart phone, locally stored, backup, in your email, data integrity checks with hashes, data leakage protection measures, knowledge database) Reference Appendix