Pentesting Fundamentals

Ethics and methodologies behind a pentest.

Last updated 4 months ago

Pentesting Fundamentals

Ethics and methodologies behind a pentest.

What is Penetration Testing?

Cybersecurity is relevant to all people in the modern world. A penetration test (pentest) is an ethically driven attempt to test and analyse security defences to protect assets and information. A pentest involves using the same tools, techniques and methodologies that someone with malicious intent would use and is similar to an audit.

Penetration Testing Ethics

Labels like "hacking" and "hacker" tend to hold negative connotations, the idea of legally gaining access to a computer system is a challenging concept to grasp. A penetration test is an authorised audit of a computer system's security and defences, the legality of a pentest is very clear in this sense. Anything outside of the defined agreement/scope is unauthorised.

Before a pentest, a formal discussion is held between the tester and system owner. They agree on tools, techniques and systems to be tested. This discussion forms the scope of the test.

Companies that provide penetration testing services are held to legal frameworks and industry accreditation. An example of this is the National Cyber Security Centre (NCSC) which has the CHECK accreditation scheme in the UK. This means that only "[CHECK] approved companies can conduct authorised penetration tests of public sector and CNI systems and networks."

Pentesters are often faced with morally questionable decisions during a test, for example, if they are presented with sensitive database info or performing a phishing attack. As long as this action is agreed upon, it is legal - albeit ethically questionable. Hackers are typically sorted into three hats:

Hat

Description

Example

White Hat

"Good guys" - act within the law and use skills to benefit others.

A pentester performing an authorised engagement.

Grey Hat

Use skills to benefit others, however, do not always follow the law or ethical standards.

Someone taking down a scamming website.

Black Hat

Criminals seeking to cause damage or gain financial benefit.

Ransomware authors.

The Rules of Engagement (ROE) is a document which is created in the initial stages of a pentest engagement. An example ROE can be seen . The document consists of three main stages:

Permission: gives explicit permission for the engagement to be carried out. This permission is essential to protect individuals and organisations for activities they carry out.
Test Scope: annotates specific targets which the engagement should apply to. For example, it may only apply to certain servers or applications.
Rules: define the techniques permitted during the engagement. For example, it may say that phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are ok.

Penetration Testing Methodologies

No pentest is the same as another, and there is no one-size-fits-all for how a pentest should be approached. The steps taken during an engagement are the methodology. A practical methodology is a smart one, where steps taken are relevant to the situation. For example, a web app methodology is not practical in a network security pentest. The general theme of a methodology is:

Information Gathering: collect as much publicly accessible information as possible via OSINT and other research. This does not involve system scans.
Enumeration/Scanning: discover apps and services running on systems, for example, finding a vulnerable web server.
Exploitation: leverage vulnerabilities found on a system or application, this can involve use of public exploits or exploiting application logic.
Privilege Escalation: once a foothold is made, attempt to expand access horizontally or vertically.
Post-Exploitation: what other hosts can be targeted? What info can be gathered as a privileged user? Attempt to cover your tracks and report back.

Black Box, White Box and Grey Box Penetration Testing

Black Box Testing: the tester is given no information about the inner workings of an application or service. The tester acts like a normal user testing the functionality and interaction of the application or piece of software. No knowledge of programming or understanding of the program is required for this. This has a large amount of time spent on enumeration and information gathering to understand the targets attack surface.
Grey Box Testing: this is most popular for pentests. The tester has limited knowledge of the application or software, interaction will be like black box testing except time is saved on the enumeration stages. This is most often used against well-hardened targets.
White Box Testing: a low-level process normally done by a developer who knows programming and application logic. Tester has full knowledge of the app and expected behaviour and is much more time consuming than black box testing. The full knowledge guarantees that the entire attack surface can be validated.

Last updated 4 months ago

What is Penetration Testing?

Penetration Testing Ethics

Before a pentest, a formal discussion is held between the tester and system owner. They agree on tools, techniques and systems to be tested. This discussion forms the scope of the test.

Hat

Description

Example

White Hat

"Good guys" - act within the law and use skills to benefit others.

A pentester performing an authorised engagement.

Grey Hat

Use skills to benefit others, however, do not always follow the law or ethical standards.

Someone taking down a scamming website.

Black Hat

Criminals seeking to cause damage or gain financial benefit.

Ransomware authors.

The Rules of Engagement (ROE) is a document which is created in the initial stages of a pentest engagement. An example ROE can be seen . The document consists of three main stages:

Permission: gives explicit permission for the engagement to be carried out. This permission is essential to protect individuals and organisations for activities they carry out.
Test Scope: annotates specific targets which the engagement should apply to. For example, it may only apply to certain servers or applications.
Rules: define the techniques permitted during the engagement. For example, it may say that phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are ok.

Penetration Testing Methodologies

Information Gathering: collect as much publicly accessible information as possible via OSINT and other research. This does not involve system scans.
Enumeration/Scanning: discover apps and services running on systems, for example, finding a vulnerable web server.
Exploitation: leverage vulnerabilities found on a system or application, this can involve use of public exploits or exploiting application logic.
Privilege Escalation: once a foothold is made, attempt to expand access horizontally or vertically.
Post-Exploitation: what other hosts can be targeted? What info can be gathered as a privileged user? Attempt to cover your tracks and report back.

is a detailed framework of testing strategies for systems, software, apps, communications and human cybersecurity. This includes methodologies for: telecommunications, wired networks and wireless communications. The main disadvantage to OSSTMM is that it is hard to understand, very detailed, and uses unique definitions.

framework is community driven and frequently updated, it is used solely to test the security of web applications and frameworks. The primary disadvantages to this are: it may be unclear what type of vulnerability a web app has, OWASP does not make suggestions to any specific software development life cycles and the framework holds no accreditations like CHECK.

is a popular framework which provides guidelines on security controls and benchmarks for success for organisations from critical infrastructure to commercial. The primary disadvantages to this framework are: NIST has many different iterations of the framework, so it might be hard to decide which to use, the NIST framework has weak auditing policies and the framework does not consider cloud computing.

is an extensive framework of 14 principles used to assess various cyber threats and an organisations defences against them. This applies to organisations considered to be performing "vitally important services and activities". The main disadvantages to CAF are that it is still relatively new, meaning organisations haven't had time to change to suit it and the framework itself is based on principles and ideas - it isn't as direct as other frameworks.

Black Box, White Box and Grey Box Penetration Testing

Black Box Testing: the tester is given no information about the inner workings of an application or service. The tester acts like a normal user testing the functionality and interaction of the application or piece of software. No knowledge of programming or understanding of the program is required for this. This has a large amount of time spent on enumeration and information gathering to understand the targets attack surface.
Grey Box Testing: this is most popular for pentests. The tester has limited knowledge of the application or software, interaction will be like black box testing except time is saved on the enumeration stages. This is most often used against well-hardened targets.
White Box Testing: a low-level process normally done by a developer who knows programming and application logic. Tester has full knowledge of the app and expected behaviour and is much more time consuming than black box testing. The full knowledge guarantees that the entire attack surface can be validated.