
  1. Pre-Engagement – The stage where the essential documents, scope, tasks, limitations and agreements are documented IN WRITING. Contracts and the essential information both the pentesters and the client need are drawn up, including:
    1. Non-Disclosure Agreement
    2. Goals
    3. Scope
    4. Time Estimation
    5. Rules of Engagement

    Before any of the vital information can be discussed or any meetings held, an NDA has to be signed by all parties.

Keep track of WHO is authorized to contract us for a penetration test. Usually it is the CEO, CSO, CISO, VP of Internal Audit, or similar. Also keep track of the primary/secondary points of contact for escalating any issues.

Pre-Engagement Process - Stages Involved

Now, let's talk about the stages involved in the Pre-Engagement Process:

| Pre-Engagement Stages |
| --- |
| 1. Scoping questionnaire |
| 2. Pre-engagement meeting |
| 3. Kick-off meeting |

Before we begin, here is a list of the documents that are to be prepared as part of the pre-engagement process:

| Document | Timing for Creation |
| --- | --- |
| 1. Non-Disclosure Agreement (NDA) | After Initial Contact |
| 2. Scoping Questionnaire | Before the Pre-Engagement Meeting |
| 3. Scoping Document | During the Pre-Engagement Meeting |
| 4. Penetration Testing Proposal (or Contract/Scope of Work (SoW)) | During the Pre-Engagement Meeting |
| 5. Rules of Engagement (RoE) | Before the Kick-Off Meeting |
| 6. Contractors Agreement (Physical Assessments) | Before the Kick-Off Meeting |
| 7. Reports | During and after the conducted Penetration Test |

  1. Information Gathering – Identifying targets (could be a list of IP addresses/network ranges, or nothing except a domain name) and using the information collected to look for weaknesses: automated scanning tools like nmap, nessus, etc. to find known vulnerabilities, plus manual analysis. Before attempting to exploit anything, we should have completed thorough information gathering. Organization and patience are vital, while being as thorough as possible. This stage can be divided into 5 categories:

| Category | Description |
| --- | --- |
| Open-Source Intelligence (OSINT) | Finding the target company's publicly available sensitive information: API keys accidentally published on GitHub, questions asked by developers on Stack Overflow (that leak details of the proprietary code in use), passwords, hashes, keys, tokens, etc. |
| Infrastructure Enumeration | Gaining an overview of the infrastructure from the outside (external) or examining it from the inside (internal) of the network. Use services such as DNS to create a map of the client's servers and hosts and develop an understanding of how their infrastructure is structured: name servers, mail servers, web servers, cloud instances, and more. We make an accurate list of hosts and their IP addresses and compare them to our scope to see whether they are included. This map also helps when evasive testing is required. |
| Service Enumeration | Identifying the services that allow us to interact with the host or server over the network (or locally, from an internal perspective), including their versions, since vulnerabilities fixed in newer releases often remain in older versions. |
| Host Enumeration | Identifying which operating system is running on the host or server, which services it uses, which versions of the services, and much more. Administrators often mistakenly assume internal services are secure just because they are not internet-facing. This false sense of security leads to careless configurations and creates hidden vulnerabilities. |
| Pillaging | Once you are in a system (post-exploitation), "pillaging" is collecting any sensitive information stored there, such as employee or customer data. It can only be done after access has already been gained. |

  1. Vulnerability Assessment – Divided into two stages:
    1. scanning for known vulnerabilities
    2. analyzing the vulnerabilities found in light of the information gathered, looking for opportunities to escalate privileges or to manipulate the workflow of an application.

There are 4 types of vulnerability analysis:

| Analysis Type | Description |
| --- | --- |
| Descriptive | The starting point. It summarizes a dataset's key features, helping to spot errors or odd data. |
| Diagnostic | Digs into why things happened. It looks back to find the causes and connections behind events. |
| Predictive | Using past and current data, forecasts future probabilities, spotting trends and likely outcomes. |
| Prescriptive | Goes a step further, recommending specific actions to prevent future issues or achieve desired results. |

Understanding with an example

Suppose we found an open TCP port 2121 on a host during the information-gathering phase.

Other than the fact that this port is open, Nmap did not show us anything else. We must now ask ourselves what conclusions can be drawn from this result. It does not matter which question we start with; what matters is that we ask precise questions and keep track of what we know and what we do not know. So we first ask what we see and what we actually have, because the two are not the same: what we see is an open TCP port; what we have is an unidentified service listening on it. Port 2121 is commonly used as an alternative FTP port, so FTP is a reasonable hypothesis, but it stays a hypothesis until a banner grab or a service/version scan (e.g. nmap -sV) confirms it, and only that confirmation tells us the version and configuration the next stage actually depends on.
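The "what we see vs. what we have" step above, as an added example that is not part of the original notes: a minimal banner grab that turns "TCP/2121 is open" into a service hypothesis. Because there is no real target, the block starts tiny stub servers on 127.0.0.1 (constructed for offline use, with made-up banners) that stand in for the unknown host; the classification rules are deliberately simple and assumed, not a substitute for nmap -sV.

```python
"""Banner-grab an open port and record a service *hypothesis*, not a fact.

Added example. The stub servers are constructed for offline use and stand in
for the target; the banners they send are made up for illustration.
"""
import socket
import threading
from typing import Optional


def start_stub_server(banner: Optional[bytes]) -> int:
    """Listen on a random 127.0.0.1 port, serve one client, return the port.

    banner=None models a service that never speaks first (many proxies and
    binary protocols do this); a plain banner grab cannot identify those.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
            conn.settimeout(2)
            try:
                conn.recv(1)  # keep the connection open until the client gives up
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and read whatever the service says first; '' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            return ""
    return data.decode("ascii", "replace").strip()


def classify_banner(banner: str) -> str:
    """Map an observed banner to a hypothesis that still has to be confirmed."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner[:3] == "220" and "ftp" in banner.lower():
        return "ftp"
    if banner[:3].isdigit():
        # FTP and SMTP both use 3-digit reply codes; send a command to tell them apart.
        return "ftp-or-smtp-like (3-digit reply code; confirm with a command)"
    if not banner:
        return "unknown (service waits for the client to speak first)"
    return "unknown"


def assess_open_port(host: str, port: int) -> dict:
    """What we *have* on an open port: the banner and the hypothesis drawn from it."""
    banner = grab_banner(host, port)
    return {"port": port, "banner": banner, "hypothesis": classify_banner(banner)}


if __name__ == "__main__":
    # Three constructed 'targets' that all look identical to a plain port scan.
    for label, banner in [
        ("ftp on 2121", b"220 (vsFTPd 3.0.3)\r\n"),
        ("ssh on 2121", b"SSH-2.0-OpenSSH_8.9\r\n"),
        ("silent service", None),
    ]:
        port = start_stub_server(banner)
        print(label, "->", assess_open_port("127.0.0.1", port))
```

The point of the silent case is the caveat from the text: an open port with no banner is still only "something is listening", and the next question has to be what protocol to speak to it rather than what version it is.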

Websites that publish CVEs and PoCs: 1. CVEdetails 2. Exploit-DB 3. Vulners 4. Packet Storm Security 5. NIST NVD

It is important to note that these two stages (Information Gathering and Vulnerability Assessment) often overlap, resulting in regular back and forth movement between them.


  1. Exploitation – The stage where we look for ways to achieve our goal (escalated privileges, a reverse shell, etc.) using the vulnerabilities found. Exploitation is divided into two AREAS:
    1. Network exploitation – creating an overview of the existing network, finding open ports and the common services running on them, and looking for misconfigurations and publicly known vulnerabilities that can be leveraged.
    2. Web exploitation – Web applications present a vast attack surface and are often the main accessible targets during external penetration testing engagements. The details depend on the technology behind the application, for example the differing SQL syntax of the various kinds of databases in use.

Attack preparation:

CVSS Scoring - https://nvd.nist.gov/vuln-metrics/cvss – for assessing the severity of a security vulnerability. The qualitative bands differ between CVSS v2.0 and v3.x:

| Severity | CVSS v2.0 | CVSS v3.0 / v3.1 |
| --- | --- | --- |
| None* | 0.0 | 0.0 |
| Low | 0.0-3.9 | 0.1-3.9 |
| Medium | 4.0-6.9 | 4.0-6.9 |
| High | 7.0-10.0 | 7.0-8.9 |
| Critical | (not defined) | 9.0-10.0 |

NVD Calculator - https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator


  1. Post-Exploitation – In most cases, when we exploit a service to gain access to a system, we do not obtain the highest possible privileges. This stage is about bypassing restrictions and gaining higher privileges. With the gained privileges we can repeat the information-gathering step on the compromised host, move laterally, or exploit other services running on the CURRENTLY EXPLOITED system to execute commands that require the higher privileges. During post-exploitation we also have to decide whether or not to use evasive techniques (depending on how "loud" the client wants us to be: totally stealthy, or louder in order to test the security measures currently in place). Other components involved in this stage:
    • Evasive Testing – deciding how much we try to avoid detection; for example, commands such as net user or whoami are often monitored by EDR systems and flagged as anomalous activity. Three approaches: Evasive, Hybrid Evasive, Non-Evasive.
    • Information Gathering
    • Pillaging (examine the role of the host in the corporate network)
    • Vulnerability Assessment
    • Privilege Escalation
    • Persistence
    • Data Exfiltration: When testing data exfiltration (transferring data from the target to your system), remember that defenses like Data Loss Prevention (DLP), Endpoint Detection and Response (EDR), and encryption are common. CRITICAL: Always get client and manager approval before exfiltrating any actual sensitive data. Safer bet: use bogus data (fake credit card numbers, etc.) to test the detection mechanisms without handling live data. Awareness of regulations (PCI, HIPAA, etc.) and frameworks (NIST, ISO, etc.) is good, but the main focus is testing the effectiveness of the security controls around the data. If using fake data, confirm with the client that their systems are supposed to detect that specific type. Evidence is key: use screen recordings and screenshots for vital steps; if terminal-only, capture hostname, IP, user, and file path to prove origin and access. If you do exfiltrate sensitive data, notify the client immediately. This might change the pentest's direction (pause, end, shift focus), but it is the client's call; many will want testing to continue.
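The "use bogus data to test detection" advice above, as an added example that is not part of the original notes: a generator for Luhn-valid but synthetic card numbers (using the public Visa test prefix 411111, so they cannot be mistaken for live cards), paired with a toy DLP-style matcher of the kind such a test is meant to trigger, run over a constructed "exfil" sample. The matcher is an assumed, simplified stand-in for a real DLP engine, and the masking helper is there because evidence screenshots should not contain whole numbers even when they are fake.

```python
"""Synthetic PAN test data for exfiltration checks, plus a toy DLP matcher.

Added example. TEST_IIN is the public Visa test prefix (assumption: never a
live issuer range); SAMPLE_DUMP below is constructed, not real data.
"""
import re

TEST_IIN = "411111"


def luhn_valid(number: str) -> bool:
    """Standard mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass luhn_valid()."""
    total = 0
    # The check digit will sit at position 0 (from the right), so the
    # rightmost digit of `partial` is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_test_pan(seq: int, length: int = 16) -> str:
    """Deterministic, Luhn-valid PAN on the test IIN; seq makes them distinct."""
    body = TEST_IIN + str(seq).zfill(length - 1 - len(TEST_IIN))
    body = body[: length - 1]
    return body + luhn_check_digit(body)


# Toy DLP rule: 13-19 digits, optional space/dash separators, Luhn-valid.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid candidates found in text (digits only)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep IIN and last four for evidence; hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample of what a test "exfil" file might contain. The third
# line is a 16-digit ticket number that is NOT Luhn-valid: a decoy that a
# digit-count-only rule would flag and a Luhn-aware one should ignore.
SAMPLE_DUMP = "\n".join([
    "id=1,name=Test User,card=" + make_test_pan(0),
    "id=2,name=Other User,card=4111 1111 1111 1111",
    "id=3,ticket=2023000000000000,phone=555-0100",
])


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_DUMP):
        print("would be flagged:", mask(pan))
```

If the client's DLP rule also insists on a known issuer range, confirm beforehand whether 411111 is on its list; that is exactly the "confirm the system should detect that specific type" step from the notes.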

Pillaging involves attempting to extract as much information about the target system as possible once it has been successfully compromised. This stage is about getting to know how the system interacts with others in the network, and is completely different from Data Exfiltration, which refers to the unauthorized copying or transfer of data from the compromised system.


  1. Lateral Movement – —
  2. Proof-of-Concept – —
  3. Post-Engagement –

    Summary : https://academy.hackthebox.com/module/90/section/936 Gather info ↓ assess vulnerability and gain access to target system -> if access is not the highest, get highest access first ↓


ALWAYS REMEMBER: do your due diligence BEFORE asking for help. Try to come up with a partial solution first. Before asking a question, list what you already know and what you have already tried. In doing this, you may find the answer is right in front of you.

A pentest is not continuous monitoring of the IT infrastructure or systems but a momentary snapshot of the security status.


Penetration Testing Methods:

  1. External – performed from an external perspective, i.e. as an anonymous user on the Internet. We can test from our own host (ideally over a VPN connection so that our ISP does not block us) or from a VPS. Some clients do not care about stealth, while others request that we proceed as quietly as possible, approaching the target systems in a way that avoids firewall bans, IDS/IPS detection, and alarm triggers. They may ask for a stealthy or "hybrid" approach where we gradually become "noisier" to test their detection capabilities. Goal: access external-facing hosts, obtain sensitive data, or gain access to the internal network.
  2. Internal – performed from within the corporate network. It can start from an assumed-breach scenario or from a foothold gained by penetrating the network during an external pentest.

| Type | Information Provided |
| --- | --- |
| Blackbox | Minimal. Only the essential information, such as IP addresses and domains, is provided. |
| Greybox | Extended. We are provided with additional information, such as specific URLs, hostnames, subnets, and similar. |
| Whitebox | Maximum. Everything is disclosed to us, giving an internal view of the entire structure, which allows us to prepare an attack using internal information. We may be given detailed configurations, admin credentials, web application source code, etc. |
| Red-Teaming | May include physical testing and social engineering, among other things. Can be combined with any of the above types. |
| Purple-Teaming | Can be combined with any of the above types, but focuses on working closely with the defenders. |