Penetrating the System

You can use identified security vulnerabilities to do the following: Gain further information about the host and its data. Obtain a remote command prompt. Start or stop certain services or applications. Access other systems. Disable logging or other security controls. Capture screenshots. Access sensitive files. Send an e-mail as the administrator. Perform SQL injection. Launch … Read more

Execution of a Penetration Test

Kickoff Meeting Unless a black box test is called for, it is important to schedule and attend a kickoff meeting, prior to engaging with the client. This is your opportunity not only to confirm your understanding of the client’s needs and requirements but also to get off on the right foot with the client. It … Read more

Structuring a Penetration Testing Agreement

When performing penetration tests, the signed agreements you have in place may be your best friend or worst enemy. The following documents apply. Statement of Work Most organizations use a Statement of Work (SOW) when contracting outside work. The format of the SOW is not as important as its content. Normally, the contractor (in this … Read more

Methodologies and Standards Penetration Test

There are several well-known penetration testing methodologies and standards. OWASP The Open Web Application Security Project (OWASP) has developed a widely used set of standards, resources, training material, and the famous OWASP Top 10 list, which provides the top ten web vulnerabilities and the methods to detect and prevent them. OSSTMM The Open Source Security … Read more

Organization of the Penetration Testing Team

The organization of the penetration testing team varies from job to job, but the following key positions should be filled (one person may fill more than one position): • Team leader • Physical security expert • Social engineering expert • Wireless security expert • Network security expert • Operating System expert

Locations of the Penetration Test

Determining the locations in scope is critical to establishing the amount of travel and the level of effort involved for physical security testing, wireless war driving, and social engineering attacks. In some situations, it will not be practical to evaluate all sites, but you need to target the key locations. For example, where are the … Read more

Scope of a Penetration Test

Scope is probably the most important issue when planning a penetration test. The test may vary greatly depending on whether the client wants all of their systems covered or only a portion of them. It is important to get a feel for the types of systems within scope to properly price out the effort. The … Read more

Planning a Penetration Test

Types of Penetration Tests There are basically three types of penetration testing: white box, black box, and gray box. White Box Testing White box testing is when the testing team has access to network diagrams, asset records, and other useful information. This method is used when time is of the essence and when budgets are … Read more

PENETRATION TESTING APPROACH

Develop a penetration test plan Establishing the test ground rules is a particularly important part of penetration analysis. The rules are captured in the penetration test plan, which defines the test objective, the product configuration, the test environment, test resources, and schedule. It is important that penetration testing use ethical evaluators who are nonantagonistic … Read more