Pentest+

Pre engagement

Pre-Engagement Phase:

• Key Steps:
  • NDA signing
  • Scoping questionnaire completion
  • Pre-engagement meeting
  • Kick-off meeting
  • Contract/Scope of Work (SoW) creation
  • Rules of Engagement (RoE) creation
  • Contractors Agreement (for physical assessments) creation

• Scoping Questionnaire:
  • Gathers detailed information about the client's requirements, including:
    • Assessment types (internal/external, web/mobile, etc.)
    • Target systems (IPs, domains, applications)
    • Testing methodologies (black box, grey box, white box)
    • Evasion techniques
    • Information disclosure preferences

• Pre-Engagement Meeting:
  • Discusses the client's requirements in detail.
  • Clarifies the scope of the engagement.
  • Addresses any questions or concerns.
  • Finalizes the contract and RoE.

• Kick-Off Meeting:
  • Reviews the overall penetration testing process.
  • Explains the testing methodologies and techniques.
  • Discusses potential risks and limitations.
  • Outlines the communication channels and reporting procedures.

Important Considerations:

• Legal and Ethical Implications: Adhere to legal and ethical guidelines, especially regarding data privacy and security.

• Client Communication: Maintain clear and effective communication with the client throughout the pre-engagement phase.

• Risk Assessment: Identify and mitigate potential risks associated with the penetration testing activities.

• Documentation: Thoroughly document all phases of the pre-engagement process.

Information Gathering Phase:

• Critical for Penetration Testing:
  • Foundation for vulnerability identification and exploitation.
  • Involves multiple stages throughout the testing process.

• Information Sources:
  • Open-Source Intelligence (OSINT)
  • Infrastructure Enumeration
  • Service Enumeration
  • Host Enumeration

• Open-Source Intelligence (OSINT):
  • Gathering publicly available information about the target organization.
  • Identifying potential vulnerabilities through social media, code repositories, and other online sources.
  • Potential risks:
    • Exposure of sensitive information like passwords, keys, and tokens.
    • Misconfigured code repositories.

• Infrastructure Enumeration:
  • Mapping the target organization's network infrastructure.
  • Identifying:
    • DNS servers
    • Mail servers
    • Web servers
    • Cloud instances
    • Firewalls and other security measures
  • Understanding network topology and security posture.

• Service Enumeration:
  • Identifying services running on hosts and servers.
  • Determining:
    • Service versions
    • Information exposure
    • Potential vulnerabilities

• Host Enumeration:
  • Identifying:
    • Operating systems
    • Services
    • Ports
    • Misconfigurations
  • Understanding the role of each host in the network.

• Pillaging:
  • Collecting sensitive information from compromised hosts.
  • Identifying potential targets for further exploitation.
  • Assessing the impact of a successful attack.

Key Points:

• Information gathering is an ongoing process throughout the penetration testing engagement.

• OSINT can be a powerful tool for identifying vulnerabilities, but it also carries risks.

• Understanding the target organization's infrastructure is crucial for effective penetration testing.

• Identifying and exploiting service vulnerabilities can provide access to sensitive information.

• Host enumeration helps identify potential attack vectors and targets.

• Pillaging can provide valuable insights into the organization's security posture and potential impact of a breach.

Post-Engagement Activities

Cleanup:

• Delete tools/scripts from target systems.

• Revert minor configuration changes.

• Document any cleanup issues that cannot be resolved.

Documentation and Reporting:

• Gather necessary documentation:
  • Command output
  • Screenshots
  • Affected hosts
  • Scan and log output

• Avoid collecting PII or sensitive data.

• Create a detailed report:
  • Attack chain
  • Executive summary
  • Detailed findings with risk ratings, impact, and remediation recommendations
  • Reproducible steps
  • Near-, medium-, and long-term recommendations
  • Appendices (scope, OSINT, password cracking, ports/services, compromised hosts/accounts, file transfers, AD analysis, scan data, etc.)

Report Review Meeting:

• Walk through findings and explanations.

• Answer questions and address clarifications.

• Discuss specific findings in detail.

Deliverable Acceptance:

• Deliver a draft report for review and comment.

• Issue a final report after feedback and remediation.

• Consider client-specific requirements for report formats.

Post-Remediation Testing:

• Review remediation documentation.

• Retest findings to verify remediation.

• Issue a post-remediation report comparing pre- and post-remediation states.

• Provide evidence of remediation or failed exploitation attempts.

Role of the Pentester:

• Maintain impartiality and avoid direct remediation.

• Provide general remediation advice and explanations.

• Avoid giving specific code or configuration changes.

Data Retention:

• Retain evidence for a reasonable period.

• Store data securely and encrypted.

• Wipe data from tester systems.

• Use separate virtual machines for post-remediation testing.

• Adhere to data retention policies and contractual obligations.

Close Out:

• Wipe or destroy systems used for the engagement.

• Securely store remaining artifacts.

• Invoice the client and collect payment.

• Conduct a client satisfaction survey.

• Discuss potential follow-on work.