Penetration Testing: Rules of Engagement

Questions and Answers

How would a reduced budget most likely impact a penetration test?

  • The penetration test would utilize more advanced tools.
  • The penetration test would cover a broader range of systems.
  • The penetration test would have more limitations on scope and resources. (correct)
  • The penetration test would proceed with a longer timeframe.

Which element is typically included as part of the Rules of Engagement?

  • The precise exploits to be used
  • The tester's personal preferences
  • The legal disclaimers of the testing company
  • The timeline for the test (correct)

What aspect of a penetration test does the timeline primarily define?

  • The duration and scheduling of testing activities (correct)
  • The individuals responsible for each stage of testing
  • The specific vulnerabilities to be exploited
  • The cost of the penetration test

What does a time restriction within the Rules of Engagement determine?

Periods when testing activities are not permitted (D)

Test boundaries define which of the following?

What can be tested during the penetration test (C)

Which scenario is most closely associated with a white hat hacker?

Conducting penetration tests with prior permission from the organization (C)

When an organization uses a cloud provider, which parties' consent is required before a penetration test commences?

Both the organization and the cloud provider are required. (D)

What type of document outlines the scope of work, deliverables, and timelines between a penetration testing company and its client?

Statement of Work (SOW) (A)

A penetration tester is hired to simulate an attack from an external threat actor with no prior knowledge of the target network. Which testing method is being used?

Black box testing (B)

Which type of cyber threat actor possesses advanced skills, significant resources, and a high intent to persistently compromise specific targets over extended periods?

Advanced Persistent Threat (APT) (A)

What term describes the systematic gathering of information about a target system to identify potential vulnerabilities?

Reconnaissance (C)

During a penetration test, you need to crack password hashes. Which tool would be most appropriate for this task?

John the Ripper (B)

What process involves actively connecting to a target system to identify open ports and services?

Scanning (B)

During a penetration test, which of the following activities involves analyzing captured network packets to manually gather information about a system?

Packet inspection (B)

Which process reveals encryption details during information gathering?

Cryptographic inspection (C)

Flashcards

Rules of Engagement?

Rules of Engagement include the timeline, location, test boundaries and other rules that must be followed during the penetration test.

Test Boundaries

Test boundaries are used to create the scope of what will and will not be tested during the penetration test.

White hat hacker

White hat hackers, also known as ethical hackers or penetration testers, will always get permission from the appropriate authority within a company prior to beginning a penetration test on the organization's network.

Statement of Work (SOW)

A Statement of Work (SOW) is a document routinely employed to define project-specific activities, deliverables, and timelines that a penetration testing company will provide to their client during an assessment.

Black box testing

Black-box testing is a method of penetration testing that examines the network and systems without any prior knowledge as to its internal design or structure.

Advanced Persistent Threat (APT)

An advanced persistent threat (APT) is a prolonged and targeted cyber attack in which an intruder gains access to a network and remains undetected for an extended period of time.

Reconnaissance

Reconnaissance is a set of processes and techniques used to covertly discover and collect information about a target system.

Network traffic sniffing

Network traffic sniffing is used to intercept and log network traffic that can be seen via the wired or wireless network interface device.

Decompiling

Decompiling is the process of reverse engineering software using a decompiler.

Debugging

Debugging is the process of identifying and removing errors from hardware, software, or systems.

Credentialed scans

Credentialed scans require an authorized username and password to be provided to the scanning engine.

Phishing

Phishing is a social engineering attack that attempts to trick a user into providing sensitive details by deceiving them with a well-crafted email.

DNS Cache Poisoning

DNS Cache Poisoning occurs on the local computer or server instead of the DNS server itself.

Denial of Service

A Denial of Service (DOS) attack is conducted by exhausting all the available resources on a service or server to prevent authorized users from gaining access to or use of the resources.

Normalization

Normalization is the process of combining data from multiple sources and formats into a common and consistent event format.

Study Notes

Domain 1

  • Smaller penetration testing budgets result in increased constraints.
  • Rules of Engagement include the timeline, location, and test boundaries.
  • The timeline determines how long the penetration test is conducted and when it can start.
  • Time restrictions determine when testing is not authorized and are in the Rules of Engagement.
  • Test boundaries define what will be tested during the penetration test.
  • White hat hackers always get permission before penetration testing.
  • Permission from both the organization and the cloud provider is needed before penetration testing if services/servers are cloud-based.
  • A Statement of Work (SOW) documents the work to be performed during a penetration test.
  • Black-box testing simulates an outside attack by examining the network and systems without prior knowledge of its internal design or structure.
  • Advanced Persistent Threats (APTs) have the best capability and intent to hack a network and remain undetected for extended periods and are organized and well-funded.

Domain 2

  • Reconnaissance is a systematic attempt to locate, gather, identify, and record information about a target.
  • Ping, Google, and Maltego are used during the reconnaissance phase.
  • John the Ripper is used for password cracking and is an exploitation tool.
  • Scanning actively connects to a target to identify open ports and services.
  • Packet inspection manually enumerates a system by analyzing the captured packets.
  • Cryptographic inspection determines the encryption being used by a system.
  • Network traffic sniffing intercepts and logs network traffic.
  • Decompiling is reverse engineering software, while debugging identifies and removes errors.

Domain 3

  • Phishing lures people to provide sensitive data, often using email.
  • SMS Phishing uses SMS/text messages to trick users into providing personal information.
  • Impersonation is the act of pretending to be someone else in order to gain access or gather information.
  • Authority, urgency, and social proof are used to get an employee to comply during an attempt to get assistance or information.
  • Tailgating is when a pentester follows an authorized individual to a secure location.
  • Dumpster diving is a reconnaissance technique involving searching an organization's trash.
  • Simple Mail Transfer Protocol (SMTP) is the internet standard for sending email and operates on port 25.
  • DNS Cache Poisoning allows DNS poisoning on the local computer/server.
  • SSL Stripping is a type of downgrade attack that forces a browser into an insecure HTTP connection instead of a secure HTTPS connection.
  • Denial of Service (DOS) attacks exhaust resources to prevent authorized users from gaining access.

Domain 4

  • Nmap is a command line tool that sends packets to a target and discovers hosts/services based on the responses.
  • The Nmap -sV option detects the version of applications.
  • The Nmap -T option sets the timing for the scan.
  • Reconnaissance collects information before attacking a system.
  • Configuration compliance ensures a system meets a security baseline or policy.
  • IDA is a commonly used decompiler.
  • Nmap isn't commonly used for debugging software. GDB, IDA Pro, and Ollydbg are.
  • OpenVAS is a vulnerability scanner.
  • Immunity Debugger analyzes malware and reverse engineers binary files.
  • Aircrack-NG contains a scanner, packet sniffer, and password cracker and is used in wireless hacking.

Domain 5

  • Normalization combines data from multiple sources into a consistent format.
  • Deconfliction determines if activity was performed by a hacker or authorized tester.
  • Findings and recommendations should be treated as confidential.
  • Final reports should include a prioritized list of recommendations.
  • Authentication factors are what you know, what you have, what you are, where you are, and what you do.
  • Footprinting is not part of Post-Report activities.
  • Client Acceptance is signed at the end to signify that the client agrees you have fulfilled the requirements.
  • Data collected needs to be in an encrypted format, be handled with due diligence and care, and must be aggregated, normalized, and correlated.
  • Indicator of compromise is an artifact that indicates a network has been exploited.
  • Communication is important to have before, during, and after a penetration test.