Ch1-Ch3 PDF - CompTIA PenTest+ Pre-Assessment

Summary

This document contains a pre-assessment for the CompTIA PenTest+ certification exam. It includes practice questions covering different phases of penetration testing, ranging from planning and scoping to attacks and exploits.

Pre-Assessment

The following questions are designed to test you on areas of the CompTIA PenTest+ certification exam that you may need to focus on when reading through this book. Take time to review each question to come up with the best answer for each question. Be sure to verify your work with the pre-assessment answers that follow, and use the chapter reference given to learn more about the topic related to the question.

Questions

1. You are performing a penetration test for a large customer. You are using Nmap to determine the ports that are open on the target systems. What phase of the penetration testing process are you currently on?
(A) Reporting and communication
(B) Attacks and exploits
(C) Planning and scoping
(D) Information gathering and vulnerability identification

2. You are preparing to perform a penetration test for a customer. What type of document does the customer typically have the penetration tester sign before the penetration test begins?
(A) Authorization letter
(B) Service-level agreement
(C) Non-disclosure agreement
(D) Master service agreement

3. Which of the following penetration tools are considered OSINT tools? (Choose two.)
(A) Nmap
(B) Recon-ng
(C) Hydra
(D) Metasploit
(E) Maltego

4. You are in the discovery phase of a penetration test and would like to do a port scan on the network, but not perform a ping operation with the port scan. What Nmap switch would you use to disable pings with the port scan?
(A) -Pn
(B) -p
(C) -sP
(D) -sT

5. You are looking to discover vulnerabilities on a group of systems that are target systems for your penetration test. What tools would you use to identify vulnerabilities in the systems? (Choose two.)
(A) OpenVAS
(B) Nessus
(C) Hydra
(D) Metasploit
(E) Nmap

6. During a penetration test you are looking to perform a MiTM attack. Which of the following tools would you use to perform the attack?
(A) Hydra
(B) Metasploit
(C) arpspoof
(D) John

7. You are performing a penetration test on a wireless network. You would like to deauthenticate the clients from the access point. What tool would you use?
(A) Aircrack-ng
(B) Aireplay-ng
(C) Airodump-ng
(D) Deauth-ng

8. While performing a penetration test on a wireless network, you decide to try to brute force the WPS pin on the wireless access point. What command would you use in Kali Linux?
(A) aircrack-ng
(B) mimikatz
(C) reaver
(D) wpscrack-ng

CompTIA Pentest+ Certification For Dummies

9. You are assessing the security of a web application running on a web server within the DMZ. Which of the following represents an example of a command injection attack?
(A) http://site/showData.php?id=1;phpinfo()
(B) http://site/purchase.aspx?redirect=confirmation.aspx
(C) http://site/prodt.php?id=5;update%20products%20set%20price=.50
(D) http://site/showData.php?dir=%3Bcat%20/etc/passwd

10. You are performing a penetration test for a customer and have exploited a system and gained a meterpreter session. What post-exploitation command was used to obtain the following output?

    Admin:500:b45a8125648cbddf2c4272c:bddf2c4272cb45a8125648c
    Guest:501:b45a8125648cbddf2c4272c:bddf2c4272cb45a8125648c
    testUser:1024:b45a8125648cbddf2c4272c:bddf2c4272cb45a8125648c

(A) hashdump
(B) hydra
(C) kill av
(D) truncate

11. You are assessing the security of a web application. What tool would you use to identify vulnerabilities on a website?
(A) SQLdict
(B) Nmap
(C) Nikto
(D) Hydra

12. You have obtained the password hash for the administrator account on a system. What tool would you use to crack the password hash?
(A) Hashdump
(B) Nmap
(C) Aircrack-ng
(D) Hashcat

13. During an authorized penetration test, you have used Nmap to locate systems on the network running RDP. What command would you use to perform password cracking using RDP traffic to the system?
(A) mimikatz
(B) hashcat
(C) hydra
(D) hashdump

14. What language was used to write the following code?

    import socket
    from datetime import datetime

    # Placeholder target address (not given in the book's excerpt)
    remoteSystemIP = "192.0.2.10"

    startTime = datetime.now()
    try:
        # Attempt a TCP connection to every well-known port on the target
        for port in range(1,1024):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            result = sock.connect_ex((remoteSystemIP, port))
            if result == 0:
                print "Port {}: Open".format(port)
            sock.close()
    except KeyboardInterrupt:
        print "Scan interrupted by user"

(A) PowerShell
(B) Python
(C) Ruby
(D) Bash

15. While performing a penetration test for a customer, you notice there is evidence of a previous security compromise on the web server. What should you do?
(A) Make a note of it and continue the pentest
(B) Continue the pentest and add evidence to the report
(C) Patch the system and continue the pentest
(D) Halt the pentest and discuss the findings with the stakeholder

Answers

1. D. The information gathering and vulnerability identification phase uses tools to discover systems, services running on those systems, and vulnerabilities that exist on those systems. See Chapter 1.

2. C. Customers should have penetration testers sign a non-disclosure agreement (NDA) before starting the penetration test. See Chapter 2.

3. B, E. Recon-ng and Maltego are examples of OSINT tools used to discover public information about a customer. See Chapter 3.

4. A. You can use the -Pn parameter on Nmap to disable ping operations when performing a port scan. See Chapter 3.

5. A, B. OpenVAS and Nessus are examples of vulnerability scanners that can be used to discover vulnerabilities on a system. See Chapter 4.

6. C. arpspoof is an example of a tool that can be used during a MiTM attack. arpspoof is used to poison the ARP cache of systems so that the attacker can place themselves in the middle of the communication. See Chapter 5.

7. B. Aireplay-ng is a tool used to generate different types of wireless traffic, including a deauthentication packet that is used to instruct clients to disconnect. See Chapter 6.

8. C. Reaver is a command-line tool in Kali Linux that allows you to perform a brute force attack on the WPS pin. See Chapter 6.

9. D. When looking at the URL that is used in the attack, you want to identify what is being injected. Choice D is injecting the cat command from the operating system, so it is considered a command injection attack. See Chapter 7.

10. A. The hashdump command is used during post-exploitation to retrieve a list of password hashes that can then be used in other attacks such as password cracking or a pass-the-hash attack. See Chapter 8.

11. C. Nikto is an example of a web application vulnerability scanner. See Chapter 9.

12. D. Hashcat is a command-line tool in Kali Linux that can be used to crack the password hash. See Chapter 9.

13. C. Hydra is a tool used to crack passwords and can be used to crack passwords of a remote system using protocols such as RDP. See Chapter 9.

14. B. You can tell that the script was created in Python because of the comparison operator being used (==). PowerShell and Bash use -eq as the comparison operator. Also notice the use of the print statement (instead of echo) and the fact that variables do not use $ in front of them. See Chapter 10.

15. D. If you notice evidence that a system has been hacked into already, you should halt the penetration test and discuss the finding with the stakeholders right away. See Chapter 11.

Part 1
Planning and Information Gathering

IN THIS PART...

Learn the basics of penetration testing and penetration testing terminology.

Explore the four major phases to CompTIA's penetration testing process: planning and scoping; information gathering and vulnerability identification; attacks and exploits; and reporting and communication.

Understand the importance of planning for the penetration test and how not planning properly can result in crashing the customer's systems or network, triggering intrusion detection systems, and creating legal problems.

Learn how to scope the project, identify rules of engagement, define targets, and handle scope creep.
Discover the tools you can use to uncover information about the organization or company for which you are conducting a pentest, such as email addresses and phone numbers of employees, public IP addresses, target systems, and open ports.

Find out the difference between passive and active information gathering.

Learn how to perform vulnerability scans to identify the weaknesses that exist within your target systems and how to exploit them.

EXAM OBJECTIVES
»» Understanding penetration testing
»» Knowing penetration testing terminology
»» Being familiar with CompTIA's penetration testing phases

Chapter 1
Introduction to Penetration Testing

The CompTIA PenTest+ certification exam is designed to test your knowledge of performing penetration tests either for third-party clients or for the company that employs you as a security professional. Although the fun part of penetration testing is diving in and trying to bypass the security controls put in place to help protect company assets, you have much work to do before that can happen. You have to make sure you take the time to prepare, which includes defining the goals and restrictions for the penetration test.

In this chapter, you learn about the basics of penetration testing, starting with an overview of penetration testing and penetration testing terminology. You then learn the four major phases to CompTIA's penetration testing process: planning and scoping; information gathering and vulnerability identification; attacks and exploits; and reporting and communication.

Penetration Testing Overview

Penetration testing, also known as ethical hacking, involves an information technology (IT) professional using the techniques a hacker uses to bypass the security controls of a network and its systems. A security control is a protection element, such as permissions or a firewall, that is designed to keep unauthorized individuals out of a system or network. The act the IT professionals are performing is known as a penetration test, or pentest for short (which is where CompTIA's term, PenTest+, came from). The penetration test follows the process the hacker would take, including the discovery of targets and the exploitation of targets.

From a company's point of view, the ultimate goal of a penetration test is to have an ethical person perform attacks on different assets to determine whether those assets could be penetrated, and if the attacks are successful, what remediation steps a company could take to prevent a real attack from being successful. For the PenTest+ certification exam, remember that remediation steps within the report are a must for any successful penetration test.

A key point to remember is that the person performing the penetration test — the pentester — is taking the mindset of a hacker and following the process a hacker takes. This involves much planning, as only 10 to 15 percent of the penetration test is actually performing the attacks. Like hacking, penetration testing is 85 percent preparation so that by the time the attack is performed, the hacker or pentester is quite sure the attack will be successful. You can compare this process to robbing a bank. A bank robber will spend the most time planning the robbery. When it comes time to rob the bank, the actual act of robbing the bank is done in minutes (or so I hear).

Reasons for a pentest

Why would a company conduct a penetration test? The purpose of a penetration test is to obtain a real-world picture of the effectiveness of the security controls put in place to protect the company's assets. Instead of taking the word of the security team that configured the security of the environment, you can put the security to the test by having someone take the steps a hacker would take and see if the security holds up.
In performing such a test, the pentester can also obtain a list of steps the company could take to prevent real attacks from being successful.

Another reason to perform penetration testing is to be in compliance with regulations. Depending on the industry a company services, organizations may be governed by regulations that require penetration testing to be performed on a regular basis to ensure the security of the organization. For example, companies that collect and store sensitive payment card information are governed by the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS has strict requirements for activities that must be performed to help keep sensitive payment card information secure. Check out "Best Practices for Maintaining PCI DSS Compliance" and "Penetration Testing Guidance" at www.pcisecuritystandards.org to learn more about PCI DSS compliance requirements.

Table 1-1 summarizes two key requirements from the best practices document published by the PCI Security Standards Council. These requirements specify that organizations must perform an annual penetration test and implement any remediation actions identified by the test. Organizations must also perform a network segmentation penetration test every six months to maintain compliance.

TABLE 1-1: PCI DSS Best Practices Requirements

| Requirement | Title | Description |
| 11.3 | Penetration testing | Perform annual penetration testing against preordinated use cases/attack scenarios and perform remediation actions to address any identified vulnerabilities |
| 11.3.4.1 | Six-month penetration testing for segmentation | Bi-annual penetration testing conducted for network segmentation controls |

Source: PCI Security Standards Council. Best Practices for Maintaining PCI DSS Compliance. January 2019: pp 46-47. Available at www.pcisecuritystandards.org.
The PCI Security Standards Council's "Penetration Testing Guidance" document gives more detail on compliance requirements, such as the fact that you must also perform a penetration test any time major changes are made to the network infrastructure or to applications within the organization (on top of doing annual penetration testing).

The key point here is that compliance requirements could drive the need to perform penetration tests on a regular basis.

For the PenTest+ certification exam, remember the two main reasons to perform a penetration test: (1) to get an accurate picture of the results of an attack, and (2) to be in compliance with industry regulations.

Who should perform a pentest

Now that you know what a penetration test is, the next logical question is who should perform the penetration test? You have two choices when it comes to who performs the penetration test: internal staff or an external third-party company.

Internal staff

Many organizations opt to have their internal security staff perform penetration testing. This is a good idea as it will save money, but you must make sure there is no conflict of interest with the group performing the pentest. You must also make sure the people performing the pentest are qualified to conduct a pentest. (I discuss the qualifications needed by pentesters in "Qualified pentesters" later in this chapter.)

The members of the internal team performing the penetration test should not be part of the team who installed, configured, or manages the systems or networks being assessed. They should also not be the persons responsible for implementing the security of the systems, as that is a direct conflict of interest. A separate team should be dedicated to assessing security within the organization and performing the penetration tests.
Companies may also create separate internal teams — a red team and a blue team — to help assess the security of assets within the organization. The red team is an internal security group that performs attacks on company assets, such as a penetration test and social engineering attacks, to validate whether there is enough protection on the company assets. The blue team is the internal security group within the company that is focused on protecting the assets. This includes monitoring the security controls, the intrusion detection systems, and the logs to protect the asset and identify when a security breach occurs. It is important to note that the red team's job is to stay up-to-date on any new attack methods, while the blue team must be current on any new technologies used to protect assets from attacks. The red team and blue team should also meet regularly to update the other team on lessons learned so that both teams are fully aware of current attacks and mitigation strategies.

Penetration testing can be a costly affair, so having an internal team can save the company lots of money and allow for more regular pentests.

External third party

Going with a third-party company to perform the penetration test also has its benefits. For example, the third-party company is most likely not familiar with the organization's environment (as a hacker would not be), so it can provide an even better picture of an attack because the third party would have to discover all the systems (depending on the type of pentest, which I talk about later in this chapter).

Using third-party external testers is also beneficial because you have a fresh set of eyes looking at your network and systems. Internal staff have designed the defensive posture based on the attack vectors they are aware of, while external testers may have knowledge of different attack vectors and may take a totally different approach to exploiting systems.
However, using a third-party company also raises some concerns. For example, what are the qualifications of the consultants doing the pentest? And how will the details and results of the pentest be kept confidential? With a third-party company involved, confidentiality can be a bit more challenging than if a company used internal testers.

A final concern is cost. Going with a third-party company can be very costly, as penetration testing is a time-consuming process and requires a specialized skill.

Qualified pentesters

Whether you choose to use internal staff or an external third-party company to perform the penetration test, it is critical you validate the qualifications of the individuals performing the penetration test prior to the engagement. The first qualification to look for in a pentester is whether or not that person holds industry-standard certifications that prove the individual's penetration testing knowledge. For example, you may require that all individuals performing a penetration test have their CompTIA PenTest+ certification.

However, certification is not enough. The pentester should also have prior experience performing penetration testing. Following are some questions to ask when hiring a third-party company to perform a penetration test:

»» Does the penetration testing team have experience with prior penetration tests?
»» Has the penetration testing team performed a penetration test against a similarly sized organization before?
»» Does the penetration testing team have experience with the types of systems and platforms being used by the company?
»» Does the penetration testing team have experience with network-layer testing (networking systems and configuration)?
»» Does the penetration testing team have experience with performing application layer testing, and is it familiar with Open Web Application Security Project (OWASP) Top 10 validation techniques? (OWASP Top 10 is the top ten methods hackers are using to exploit web applications.)

How often a pentest should be performed

There is no concrete answer to how frequently you should perform a penetration test; however, it's best to perform a pentest annually and after any major change to the infrastructure. Standards such as the PCI DSS state that in order to be compliant, organizations should perform external testing once a year, plus after making any major changes to the network infrastructure or application environments. The PCI DSS also states that you should perform internal testing once a year and after any major changes.

Regular schedule

If your organization is not governed by regulations that dictate when you need to perform a penetration test, you can create your own schedule that works for you. Hiring an external team of penetration testers can be expensive, so one option may be to create a schedule that uses internal staff to test internal and external assets more frequently than an external company. For example, a schedule could look like this:

»» Every 12 months: Penetration testing of internal assets is performed by internal staff.
»» Every 12 months: Penetration testing of external assets is performed by internal staff.
»» Every 24 months: Penetration testing of internal and external assets is performed by a third-party company.

Using internal staff for penetration testing can help you reduce costs of penetration testing while still performing them on a regular basis. However, you should have a third-party company perform a penetration test at some point because it is a great way to get a real-world picture of your assets' vulnerabilities.

After major changes

You should also perform a penetration test after making any major changes to the network infrastructure or application environments, such as upgrades to software.
Some examples of infrastructure changes could be adding a new server to the network, replacing a server with a new server, or adding a new network segment. These changes could introduce new ways for hackers to get into the network, so you want to make sure you perform a penetration test to verify all is secure. In addition, any changes to the software configuration, such as a piece of software being upgraded, should result in a penetration test of that component so that you can verify there are no vulnerabilities in the new software.

For the PenTest+ certification exam, remember that a penetration test should be performed annually and after any major change to the infrastructure.

Other considerations

A few additional considerations should be taken into account when discussing when a penetration test should occur. For example, one of the risks of a penetration test is that you could end up crashing a system or network. So to ensure your pentests are successful in providing you with the information you want, you want to make sure you follow these recommendations when possible:

»» Perform pentests in a mockup environment. When performing penetration testing, you run the risk of crashing systems or networks due to the nature of the attacks. If possible, create copies of systems inside a test environment and perform the penetration test on the test system. It is critical that the test systems are an exact copy so that the penetration test accurately reflects the test of the real system.
»» Perform pentests before deploying the system or application into production. If possible, before a system or application is put into production, perform a penetration test on that component before it goes live. This will help reduce the cost of maintaining the system, as it is more costly to fix security issues once the system or application is in production.
»» Perform pentests on a regular basis. Penetration testing is not a one-time thing. It is something that should be performed on a regular basis and after any major changes are made to the environment. For example, if you perform a security test on a web server before it is put in production and you find it is ready for production because all simulated attacks were unsuccessful, it does not mean you do not need to test this system again. You will test the system again during the next annual penetration test.

Defining Penetration Testing Terminology

In addition to understanding what a penetration test is, who should perform the test, and how frequently the tests should be performed, let's take a look at some other penetration testing terminology you need to be familiar with for the CompTIA PenTest+ certification exam.

Types of assessments

The CompTIA PenTest+ certification objectives reference some key terms in regard to the different types of assessments that can be performed. The following are some common types of pentest assessments:

»» Goals-based/objectives-based: This type of assessment is focused on a specific purpose. For example, you may have installed a new server or piece of software and want to test that specific asset for security flaws. Some examples of goals for goal-based assessments are assessing the security of only the wireless network, or performing only social engineering attacks to test the effectiveness of the security education program with the employees. Another common goal may be simply to test the security of a public web site or web application.
»» Compliance-based: A compliance-based assessment is an assessment that is driven by standards and regulations. With compliance-based assessments, you must follow a standard assessment methodology such as the National Institute of Standards and Technology's (NIST's) SP800-15 series of guidelines or the PCI DSS from the PCI Security Standards Council.
»» Red team/blue team: The term red team refers to the internal team of professionals performing a penetration test acting as hackers. With a red team test you are not as focused on reporting and remediation steps after the fact; you are more focused on trying to bypass security controls and determining how your security team will respond to the attack. The security team responsible for defending against attacks is known as the blue team.

Pentest strategy

You can follow several different strategies when performing a penetration test. You can go with an unknown-environment test, a known-environment test, or a partially known-environment test.

»» Unknown-environment: This test was formerly known as a black box test. In an unknown-environment penetration test, the penetration testers are given zero information about the environment and the targets. The goal of the unknown-environment test is to treat the pentesters as if they are hackers — they have to discover the environment before they can attack the environment. In an unknown-environment test, you would not share Internet Protocol (IP) address information, network infrastructure details, or public services on the Internet such as web sites, domain name system (DNS), or file transfer protocol (FTP) servers. It is up to the penetration testers to discover all assets and then try to exploit those assets.
»» Known-environment: This test was formerly known as a white box test. In a known-environment penetration test, the penetration testers are given all of the details of your network environment, including server configurations and the services they run, a network diagram showing different network segments and applications, and IP address information.
»» Partially known-environment: This test was formerly known as a gray box test. In a partially known-environment penetration test, a limited amount of information is given to the penetration testers, such as the IP ranges used by the company or addresses of your public Internet servers. With this information, the pentesters will discover what services are running on each system and then try to exploit those systems.

For the PenTest+ certification exam, remember the different pentest strategies. Unknown-environment testing is when no details about the target are given; known-environment testing is when all known information about the targets is given to testers; and partially known-environment testing is when limited information, such as IP addresses or server names, is provided to keep the pentest focused on those targets.

Threat actors and threat models

The purpose of penetration testing is to simulate attacks that could occur in real life. A big part of information security — and something all security professionals should be aware of — is who are you protecting against? Who would attack your network or website?

Capabilities and intent

Before we look at the types of hackers and threat models, it is important to understand the different levels of hacking capabilities for each type of hacker, or threat actor, and the different reasons or intent for hacking.

The capabilities of a hacker will vary depending on the type of threat actor the hacker is and the types of attacks being performed. Some attacks are basic in nature, so you may find that all types of hackers can perform these attacks, while more sophisticated attacks are performed by hackers with more detailed knowledge of the underlying technologies being hacked, their vulnerabilities, and how to exploit those vulnerabilities.
A hacker may be motivated to hack for many reasons, such as for financial gain (for example, hacking into bank accounts or selling sensitive data obtained in the hack) or for the fame or notoriety earned by hacking into a big-name company. A hacker may also be motivated by a personal cause or a group cause, as is the case with terrorists or activists.

Threat actor

A threat actor is a person or entity that causes the threat against your assets. When it comes to hacking, you should be aware of some common threat actors:

»» Script kiddies: A script kiddie is a person who does not necessarily have much background on how attacks work; they simply run some automated tools to try to exploit systems. Their intent is typically for the challenge, and also bragging rights.
»» Hacktivist: A hacktivist is a person who hacks for a cause, such as for political purposes or for social change. The capabilities of the hacktivist can range from basic to advanced hacking knowledge, such as is the case with the infamous hacking group called "Anonymous."
»» Insider threat: Insider threats are threats from inside your organization or inside your network. These can be very serious threats of malicious destruction from a disgruntled employee or even innocent mistakes made by other employees.
»» APT: An Advanced Persistent Threat (APT) is an advanced hacking process such as one found in a nation-state–sponsored group or person that gains unauthorized access to a network for political or economic reasons. The attack typically happens to gain unauthorized access for a long period of time, such as many months, by planting malicious software on the system that will monitor activity, collect sensitive data, or damage the system. APT also includes advanced hacks on financial institutions, defense contractors, and software companies such as Twitter or Facebook, which would contain a wealth of sensitive information the hacker would like to collect.
Adversary tier

Threat actors are typically identified in an adversary tier that ranks the threat actors by their capabilities and the damage they can perform. The threat actors discussed earlier are ranked based on their threat level and capabilities as follows (1=low, 4=high):

1. Script kiddie
2. Insider threat
3. Hacktivist
4. APT

Figure 1-1 summarizes the adversary tier with script kiddies at the bottom of the skillset and APT at the top.

Threat modeling

Penetration testing typically involves an exercise known as threat modeling. Threat modeling refers to the act of documenting company assets and then defining the types of attacks or threats against those assets. The threats are then assigned a likelihood (the chances the attack will happen) and an impact (how serious the result of the attack is if it succeeds) so that the threats can be prioritized. Based on the priority of the threats, security professionals put security controls in place to prevent those threats from occurring or to minimize the impact.

FIGURE 1-1: The adversary tier. Graphic designed and created by Brendon Clarke.

Looking at CompTIA's Penetration Testing Phases

The CompTIA penetration testing process involves four major phases:

1. Planning and scoping
2. Information gathering and vulnerability identification
3. Attacks and exploits
4. Reporting and communication

Over the course of this book, I go into detail about each of these penetration testing phases. Here, I provide a high-level overview of each one.

Planning and scoping

The first phase of the penetration testing process is planning and scoping. This phase is important as it is when you identify the goals of the penetration test, the timeframe, and the rules of engagement (the types of attacks you are allowed and not allowed to perform during the pentest).
The planning and scoping phase should start with a pre-engagement meeting that determines the extent of the penetration test, such as whether the testing will include internal and external assets. In this phase, you will also determine what systems need to be tested, the best time for testing, and the types of attacks that are allowed and not allowed.

An important part of the planning and scoping phase is to create a statement of work that specifies exactly what is to be tested and to get written authorization from a person of authority for the business that gives you permission to perform the penetration test. Remember that attacking and exploiting systems without prior authorization is illegal.

For the PenTest+ certification exam, remember to get written authorization from an authorized party such as the company owner or an upper-level manager before moving on to phase two of the penetration testing process.

Chapter 2 covers planning and scoping.

Information gathering and vulnerability identification

The second phase of the penetration testing process is the information gathering and vulnerability identification phase, which is also known in other pentest models as the “reconnaissance phase.” This phase can be broken into two subphases: information gathering as the first subphase, and vulnerability identification as the second subphase.

Information gathering

The information gathering part of the penetration test is time-consuming. It involves both passive and active information gathering. With passive information gathering, you use public Internet resources to collect information about the target such as public IP addresses used, names and email addresses of persons who could be targets of a social engineering attack, DNS records, and information about products being used. This is called passive information gathering because you are not actually communicating with the company’s live systems (unless you surf its website); instead, you are collecting public information that anyone can access, and doing so will not look suspicious. Note that passive information gathering is also known as passive reconnaissance.

Active information gathering involves using tools to communicate with the company’s network and systems to discover information about its systems. For example, doing a port scan to find out what ports are open on the company’s systems is considered active because in order to know what ports are open on each system, you have to communicate with those systems. Once you start communicating with the company’s network, you risk detection, which is why these techniques are categorized differently than passive information gathering techniques. Note that active information gathering is also known as active reconnaissance.

Vulnerability identification

Once the information gathering subphase is complete, you should have a listing of the ports open on the system and potentially a list of the software being used to open those ports. In the vulnerability identification subphase, you research the vulnerabilities that exist in each piece of software being used by the target. Vulnerability identification also involves using a vulnerability scanner to automate the discovery of vulnerabilities that exist on the target networks and systems.

Chapters 3 and 4 cover information gathering and vulnerability identification.

Attacks and exploits

The third phase of the penetration testing process is to perform the attacks and exploit systems. In this phase, with knowledge of the vulnerabilities that exist on the targets, you can break out the penetration tools to attack and exploit the systems. This involves social engineering attacks, network attacks, software attacks such as SQL injection, and wireless attacks against wireless networks. Once a system is compromised, you can then perform post-exploitation tasks, which involve collecting more information about the system or planting a backdoor to ensure you can gain access at a later time.

Chapters 5 through 10 cover attacks and exploits.

Reporting and communication

The fourth and final phase of the penetration testing process is reporting and communication. These tasks are the reason the penetration test was performed in the first place: to report on the findings and specify remediation steps the customer can take to reduce or eliminate the threats discovered.

During this phase, you will write a report of the actions you performed during the penetration test and the results of the testing. You will also include recommendations in the report on how to better secure the systems. The report will be delivered to the customer in the sign-off meeting, and the customer will sign off on the completion of the penetration test.

Chapter 11 covers reporting and communication.

Knowing the phases of the CompTIA penetration testing process is critical on the job and for the exam. Refer to Figure 1-2 for a summary of what occurs at each phase.

FIGURE 1-2: The CompTIA penetration testing process. Graphic designed and created by Brendon Clarke.

Identifying Testing Standards and Methodologies

Over the years a number of security assessment and penetration testing methodologies have been developed. In this section, you learn about some of the common security assessment methodologies. Keep in mind that you should be familiar with these for the exam, but you do not need to know the detailed steps performed by each methodology.
MITRE ATT&CK

MITRE ATT&CK is a recognized knowledge base of tactics and techniques used by attackers to compromise systems. The goal of MITRE ATT&CK is to use the information collected and presented in the standard as a basis for threat modeling and analysis. At the MITRE ATT&CK website you can choose a threat and read the details about the threat, including how the threat can be detected and mitigated. To learn more about MITRE ATT&CK, visit https://attack.mitre.org.

Open Web Application Security Project (OWASP)

The OWASP Foundation is a nonprofit foundation focused on improving the security of software. OWASP released the very popular OWASP Top 10 document, which lists the ten most common security flaws in web applications that may put your organization at risk. The OWASP Foundation has other projects as well, including its OWASP Mobile Security Testing Guide. Following are the URLs for each of these projects:

»» OWASP Top 10: https://owasp.org/www-project-top-ten
»» OWASP Mobile Security Testing Guide: https://owasp.org/projects/mstg/2021/07/29/MSTG-Release.html

OWASP Top 10 (2017)

Following is a summary of the 2017 version of the OWASP Top 10 Web Application Security Risks that you should be familiar with for the PenTest+ exam:

»» A1:2017-Injection: The number one flaw found in web applications is injection flaws. Injection flaws occur when data is input into an application but the input is not sanitized or validated by the developer of the application.
»» A2:2017-Broken Authentication: The second most common flaw in web applications is flaws in authentication or session management. This may allow attackers to access passwords, keys, or session tokens.
»» A3:2017-Sensitive Data Exposure: The third most common flaw in web applications is sensitive data exposure flaws, which involve web applications or APIs not protecting sensitive data within the application. This could be financial data, healthcare data, or Personally Identifiable Information (PII). This could be due to a lack of encryption at rest and in transit, or other missing access control methods.
»» A4:2017-XML External Entities (XXE): Poorly configured XML processors can use external entities to disclose internal files or internal file shares, and possibly perform remote code execution or denial of service (DoS) attacks.
»» A5:2017-Broken Access Control: Many web applications do not enforce restrictions on what an authenticated user can do within the application. An attacker that exploits this flaw can gain access to sensitive information or perform undesired actions.
»» A6:2017-Security Misconfiguration: Applications should have their default settings altered and security configuration settings reviewed, as security misconfiguration is a common flaw in web applications.
»» A7:2017-Cross-Site Scripting (XSS): XSS flaws occur when an application processes and displays untrusted data in a web application without validating the information. XSS flaws enable attackers to execute malicious code in a victim’s browser and possibly hijack the session.
»» A8:2017-Insecure Deserialization: Insecure deserialization flaws may result in an attacker being able to perform remote code execution, replay attacks, injection attacks, and privilege escalation attacks.
»» A9:2017-Using Components with Known Vulnerabilities: Components are libraries of code that an application may use. Your application may be following secure coding best practices, but once you call a third-party library, that component may be developed in an insecure manner that exposes your application to security flaws.
»» A10:2017-Insufficient Logging and Monitoring: Lack of logging and monitoring means that an application or system does not have the capabilities to detect and log breaches in security. Adequate logging and monitoring should be configured within an application or system to help determine the extent of a security breach during incident response.

For the PenTest+ exam, know the different categories of vulnerabilities listed in the 2017 Top 10 Web Application Security Risks document.

OWASP Top 10 (2021)

The OWASP Top 10 flaws were updated in 2021. Many of the flaws were relabeled and regrouped, with a few changes to the order of the most common flaws:

»» A01:2021-Broken Access Control: Broken access control moved up from the fifth most common flaw in 2017 to the most common flaw in 2021.
»» A02:2021-Cryptographic Failures: Previously known as Sensitive Data Exposure in 2017, this common flaw was renamed Cryptographic Failures and was also moved to the second most common web application flaw in 2021.
»» A03:2021-Injection: Injection attacks have moved down to the third most common flaw in 2021. This flaw also encompasses the cross-site scripting (XSS) category from 2017.
»» A04:2021-Insecure Design: Insecure design is a new category in 2021 and covers risk-related design flaws in applications. This new category looks to improve on the use of threat modeling and secure design patterns and principles during the development of the application.
»» A05:2021-Security Misconfiguration: Security Misconfiguration includes the Security Misconfiguration and XML External Entities (XXE) flaws from the 2017 Top 10 list.
»» A06:2021-Vulnerable and Outdated Components: This Top 10 category for 2021 is a relabeled version of the Using Components with Known Vulnerabilities flaw in 2017. Note that this flaw has moved up three spots in 2021!
»» A07:2021-Identification and Authentication Failures: This category was known as Broken Authentication in the 2017 Top 10 listing. Note that it has been renamed and also fell to the seventh position in 2021.
»» A08:2021-Software and Data Integrity Failures: Another new category for the 2021 Top 10 security flaws list, this flaw pertains to failures when verifying the integrity of components when applying software updates or updates to critical data. Note that Insecure Deserialization from 2017 is included in this category.
»» A09:2021-Security Logging and Monitoring Failures: Logging and Monitoring has moved up one position in 2021.
»» A10:2021-Server-Side Request Forgery: A new category for the 2021 Top 10 list is Server-Side Request Forgery. This security flaw enables attackers to invoke requests from a vulnerable web application to another system.

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is a federal agency designed to improve science, standards, and technology. Over the years, NIST has created many publications related to information security and recommendations on how to secure different types of systems. In recent years, NIST has created Special Publication (SP) documents that relate to many aspects of security, security controls, penetration testing, and cybersecurity. Following are some key special publications to be aware of:

»» NIST SP 800-30: This special publication provides guidance related to risk assessment.
»» NIST SP 800-53: This special publication provides guidance related to security and privacy controls.
»» NIST SP 800-39: This special publication provides guidance on risk management strategies.

There are a number of other standards and recommendations published by NIST that are designed to help organizations improve security:

»» NIST Cybersecurity Framework (CSF): The NIST CSF is designed to help organizations create a solid cybersecurity program. The framework is organized into five functions to help identify assets within the business and reduce the risk against those assets. The five functions are identify, protect, detect, respond, and recover.
»» NIST SP 800-115: In this special publication NIST makes recommendations on steps to take when performing information security testing and assessments.

OSSTMM, PTES, and ISSAF

The Open-Source Security Testing Methodology Manual (OSSTMM) is a methodology for security testing that is maintained by the Institute for Security and Open Methodologies (ISECOM). You can download the OSSTMM document from www.isecom.org/OSSTMM.3.pdf.

The Penetration Testing Execution Standard (PTES) is a methodology for performing penetration tests. PTES breaks the penetration test down into seven phases: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. You can learn more about PTES and the technical guidelines for performing a pentest at www.pentest-standard.org/index.php/Main_Page.

The Information Systems Security Assessment Framework (ISSAF) is a methodology that provides technical guidance related to performing a penetration test. There are a number of ISSAF technical documents that discuss a wide range of security assessment categories such as wireless LAN security assessment, Windows security assessments, VPN security assessments, and so on. To see a list of these documents, check out the following URL: https://sourceforge.net/projects/isstf/files/issaf%20document/issaf0.1

Be sure to understand the general purpose of each of the security testing methodologies mentioned here. Specifically note MITRE ATT&CK, OWASP Top 10, and PTES.

Reviewing Key Concepts

This chapter highlights a number of concepts and terminology related to penetration testing that you should be familiar with when preparing for the CompTIA PenTest+ certification exam.
Following is a quick review of some of the key points to remember from this chapter:

»» Two reasons to conduct a penetration test are to better secure the company assets, or to be compliant with regulations governing your organization.
»» You can have a penetration test performed by internal staff or an external third party. If internal staff is used, be sure those conducting the penetration test are not members of the team responsible for managing or configuring the systems being tested.
»» You should perform a penetration test annually and be sure to test external and internal assets.
»» You can follow several different strategies when performing a penetration test. You can do an unknown-environment test (black box test), for which the pentester is given no information about the target environment. You can do a known-environment test (white box test), for which the pentester is given all of the information about the environment being tested. Or you can do a partially known-environment test (gray box test), for which limited information is given to the pentester to ensure the test is focused and timely.
»» A threat actor is someone or something that may perform an attack on your systems or environment.
»» The OWASP Top 10 document is a listing of the ten most common security flaws found in web applications and is a great resource for pentesters.
»» The four phases of the CompTIA penetration testing process are: planning and scoping, information gathering and vulnerability identification, attacks and exploits, and reporting and communication.

Prep Test

1. Bob is using nmap to discover ports that are open on the systems. What form of information gathering is Bob performing?
(A) Vulnerability identification
(B) Active information gathering
(C) Vulnerability scanning
(D) Passive information gathering

2. What type of penetration test involves the tester being given no information about the target environment?
(A) Unknown-environment test
(B) Known-environment test
(C) Partially known-environment test
(D) All knowledge test

3. What type of reconnaissance involves the tester querying the DNS to discover the DNS names and IP addresses used by the customer?
(A) Vulnerability identification
(B) Active information gathering
(C) Vulnerability scanning
(D) Passive information gathering

4. Which of the following represents a reason to perform a penetration test annually?
(A) Cost
(B) Time
(C) Compliance
(D) Know-how

5. Lisa performed a penetration test on your organization and is creating the report. What should Lisa be sure to communicate within the report?
(A) How good Lisa is at hacking
(B) Remediation steps
(C) Signed authorization
(D) Resources used

6. Which of the following is critical to perform during the planning and scoping phase of the penetration test?
(A) Port scan
(B) Vulnerability scan
(C) Summary of remediation steps
(D) Obtain written authorization

7. What type of penetration test involves giving the tester only the IP addresses of the servers that you wish to be tested?
(A) Unknown-environment test
(B) Known-environment test
(C) Partially known-environment test
(D) All knowledge test

8. What is the third phase of the CompTIA penetration testing process?
(A) Attacks and exploits
(B) Reporting and communication
(C) Planning and scoping
(D) Information gathering and vulnerability identification

9. What threat actor has limited knowledge of the attacks being performed and typically just runs prebuilt tools to perform the attack?
(A) APT
(B) Script kiddie
(C) Hacktivist
(D) Insider threat

10. You are part of the team within your organization that performs the attacks during the penetration test. What is the name for your team?
(A) Blue team
(B) Black team
(C) White team
(D) Red team

11. What OWASP Top 10 security flaw is a result of an application not employing encryption technology to protect data in storage or data at rest?
(A) Injection
(B) Sensitive Data Exposure
(C) Broken Authentication
(D) Broken Access Control

Answers

1. B. Bob is performing active reconnaissance, or active information gathering, when using a port scanner to discover ports that are open on a system. See “Information gathering and vulnerability identification.”
2. A. An unknown-environment test (black box test) is when the pentester is given no knowledge of the environment being tested. Review “Pentest strategy.”
3. D. Passive reconnaissance, or passive information gathering, is when the pentester uses public Internet resources to discover information about the target. Check out “Information gathering and vulnerability identification.”
4. C. Organizations may be governed by regulations that force a company to perform penetration tests on a regular basis in order to be compliant. Peruse “Reasons for a pentest.”
5. B. The purpose of the penetration test is to better the security of the organization. Therefore, it is critical the report contains remediation steps on how to improve the security of vulnerable systems. Take a look at “Reporting and communication.”
6. D. It is imperative that you get written authorization to perform the penetration test before doing any testing. Also, be sure to get written authorization from an authorized party such as the business owner or an upper-level manager. It is not enough to get authorization from a local manager. Peek at “Planning and scoping.”
7. C. A partially known-environment test (gray box test) involves giving limited information to the tester so that the tester is more focused on specific targets during the pentest. Look over “Pentest strategy.”
8. A. The third phase of the CompTIA penetration testing process is attacks and exploits. Study “Looking at CompTIA’s Penetration Testing Phases.”
9. B. A script kiddie has limited technical knowledge of the details of the attack and simply runs the tools that are already created. Peek at “Threat actors and threat models.”
10. D. The red team is the name of the penetration testing team that simulates the attacks, while the blue team tries to detect and defend against those attacks. Peek at “Types of assessments.”
11. B. Sensitive Data Exposure (2017 OWASP) is now known as Cryptographic Failures (2021 OWASP) and involves flaws of not protecting sensitive data from unauthorized individuals due to lack of encryption technology. Peek at “Open Web Application Security Project (OWASP).”

EXAM OBJECTIVES

»» Understanding key legal concepts
»» Scoping the project and identifying the rules of engagement
»» Defining targets and ensuring acceptance of risk
»» Scheduling and handling scope creep

Chapter 2 Planning and Scoping

Good penetration testers know that before starting a penetration test, they must spend time with the customer scoping out the project and setting the rules of engagement. Planning and scoping is a critical phase of the pentest process, as too often penetration testers dive right into trying to compromise systems without giving any thought to the ramifications of their actions. Not planning the penetration test properly can result in crashing the customer’s systems or network (causing loss in production and revenue) and triggering intrusion detection systems. A lack of planning can also create legal problems due to a failure to obtain proper authorization to perform the penetration test.

In this chapter, you learn the importance of planning for the penetration test by jumping into the first phase of the CompTIA penetration testing process: planning and scoping.
Understanding Key Legal Concepts

The CompTIA PenTest+ certification exam is sure to have a few questions regarding the legal concepts surrounding a penetration test that come into play during the planning and scoping phase. The following sections outline the three most important concepts you should be aware of: obtaining written authorization, contract types, and the importance of disclaimers.

CHAPTER 2 Planning and Scoping 39

Written authorization

It is illegal to hack into systems without proper authorization from the owner of the asset being compromised. As a penetration tester, you have to remember this. Before any pentest can start, you must first get written permission in the form of a signed contract from the customer in order to conduct the work. Once the contract is signed, you then schedule a planning and scoping meeting with the customer so that you can identify the goals for the penetration test, identify what should be tested, and understand how far the testing should go.

The planning and scoping phase of the penetration testing process is also known as the pre-engagement phase. In this phase you want to be sure to get authorization that allows the organization’s systems to be tested and compromised. It is important to understand that often this authorization cannot come from an office manager, IT manager, or local network administrator, as they are not the owners of the assets being tested. It is critical you get authorization from the owners of the assets, such as the company owner, or from a member of upper-level management who has signing authority.

If some of the company resources are being hosted by a third-party company, you must get authorization from that third party as well. For example, if the company’s website is hosted on its ISP’s web server, or the ISP hosts the domain name system (DNS) service for the company, it is important to get authorization from the ISP if you are going to perform penetration testing on those resources. If you do not get authorization to perform the penetration test on those systems, you must ensure they are not in the scope of the penetration test.

In addition, virtualization technology in the cloud has become a huge resource for companies to leverage, as it allows a company to get high availability and access to resources from anywhere. During pre-engagement activities and discussions, verify whether there are any resources that are in the cloud, because you will need to get authorization from the cloud provider to perform a pentest on the cloud resources.

For the PenTest+ certification exam, remember that you must obtain a signature from a proper signing authority to perform the penetration test. Also remember to check if any resources are hosted by third parties such as an ISP or cloud provider, because you will need third-party provider authorization to test those resources.

Contracts and agreements

Before starting the penetration test, and typically before you start scoping out the project, you need to take care of the legal concepts by ensuring the correct contracts are in place. You will receive a signed contract that is essentially hiring you for the pentest service. These contracts are designed to protect the contractor from liability if something goes wrong with the penetration test, and protect the customer from sensitive data leakage on the part of the contractor.

The CompTIA PenTest+ certification exam refers to the following types of contracts and agreements:

»» SLA: A service-level agreement (SLA) is a contract between a service provider and the customer as to the expected level of service that should be received. The level of service could be measured in bandwidth, uptime, or quality of service expected.
»» Confidentiality: A confidentiality agreement is an agreement to keep details private between the two parties. The confidentiality agreement identifies information that should be kept private to the two parties involved and for how long the information is to be kept private. As it relates to penetration testing, the customer may have the pentester sign a confidentiality agreement that indicates the pentester is not to disclose information about the customer’s environment and the results of the penetration test to anyone. A confidentiality agreement is also known as a non-disclosure agreement (NDA).
»» SOW: A statement of work (SOW) is a contract created by the penetration testing company that specifies the type of work its pentesters are providing, the timeline for performing the work, the cost of the work, the payment schedule, and any terms and conditions covering the work.
»» MSA: A master service agreement (MSA) is a useful contract if you are performing repeat work for a company. The MSA acts as a standard boilerplate contract for the business relationship between the contractor and customer, saving time when repeat work is needed from the contractor. With the MSA, you can define the terms of the work in the MSA and then refer to that from the SOW for each recurring engagement. Examples of terms in the MSA include payment terms, working conditions, remediation processes, and ownership of intellectual property.
»» NDA: A non-disclosure agreement (NDA) is a common document outlining the importance of confidentiality in regard to the relationship of the two parties and the work performed. It identifies what information should be kept confidential and how confidential information should be handled. The NDA is created by the customer and given to the contractor to sign. The NDA is designed to protect the confidentiality of sensitive information that the contractor may come across while doing the penetration test.
For the PenTest+ certification exam, be familiar with the different types of contracts and agreements, and know that they are usually signed before the scoping discussion.

Disclaimers

During the pre-engagement discussions and in the SOW, it is important to include two disclaimers that outline two important points about the penetration test. First, you should have a disclaimer that states that the penetration test is a point-in-time assessment — meaning you have tested against known vulnerabilities and exploits as of the current date. As time goes on and new software and systems are installed on the network, your assessment would not have tested those new items.

Second, you should have a disclaimer that indicates that the comprehensiveness of the penetration test is based on the types of tests authorized by the customer and the known vulnerabilities at the time. For example, if the customer requests that no denial of service (DoS) attacks are performed (which is common), your penetration test would not have tested how the company stands up against a DoS attack. This disclaimer will help protect you if the customer is hit with a DoS attack after the penetration test is performed.

Your agreement should also make it clear that a penetration test uses hacking tools that a hacker would use, and although you have tested these tools, it is possible that they could have unpredictable results due to the additional software installed on the systems or the configuration of the systems. Unpredictable results in this case refers to the fact that it is possible that the target systems could crash and be unavailable. For example, I have heard of cases where performing a vulnerability scan of the network caused the print servers to drop off the network. This is not something that happens all the time, but the point is that different products from different vendors respond differently to the scanning and attack tools.
One way to help prevent disruption on the network is to perform the pene- tration test on virtual machines within a test environment that are copies of the production systems. Ensure you have a disclaimer in the agreement that specifies that the pentest is a point-in-time assessment and that the comprehensiveness is based on the scope of the assessment. Scoping the Project During the pre-engagement activities, it is important to have an initial meeting with the customer that allows you to discuss the scope of the project and get an understanding of what the customer’s goals are for the penetration test. 42 PART 1 Planning and Information Gathering When preparing for the initial meeting with the customer, you should plan out scoping questions that will help you understand the magnitude of the project. Some common questions to ask when determining the scope of the pentest are: »» What is the goal of the penetration test? (Why is it being done?) »» Is the penetration test going to test internal systems, external systems, or both? »» What are the Internet Protocol (IP) ranges of the internal and external systems that are being tested? »» What are the internal and external domain names of the systems to be tested? »» Does the company own the systems using those IP addresses? »» Are there any systems hosted by third-party companies such as an ISP or a cloud provider? »» What applications and services will be tested? »» What types of tests are to be performed? For example, are you testing physical security and/or social engineering, and are DoS attacks allowed? If performing an unknown-environment (or black box) test, which is discussed in Chapter 1, the penetration tester is typically responsible for discovering target services, and some would say the target IP addresses. 
The important point here to remember is that you want the customer to give you the target IP addresses and domain names so that you can be sure you have proper authorization to perform testing on those systems. If it is up to the pentester to discover the IP addresses, especially external IP addresses, the tester runs the risk of performing the penetration test on an unauthorized IP address or system owned by someone else.

Target list/in-scope assets

As you scope out the penetration test, you need to determine what company assets are the in-scope assets for the penetration test. In-scope assets are targets during the penetration test. Following are examples of targets for a penetration test:

»» Wireless networks: Determine what wireless SSIDs are to be targeted in the penetration test.
»» Internet Protocol (IP) ranges: Determine IP ranges that are to be targeted during the penetration test.
»» Domains: Determine any internal and external domain names that should be targeted during the penetration test.
»» Application programming interfaces (APIs): Identify any APIs that should be tested. APIs are code that is called upon by other applications and should be tested. This includes stand-alone APIs such as custom DLLs and web APIs such as RESTful web services.
»» Physical locations: Determine the physical locations that are in scope with the penetration test and if you have permission to attempt to bypass physical access controls to gain access to those locations. For example, a customer may state that the company’s Boston data center is in scope, but data centers at other locations are not.
»» Domain name system (DNS): Identify the DNS server addresses used for internal DNS and external DNS.
»» External versus internal targets: Take time to identify what internal targets (on the LAN) are in scope and what external targets (on the Internet) are in scope.
»» First-party versus third-party hosted: It is important to identify assets that exist on-premises (first-party) and assets that are hosted in the cloud (third-party).

Be sure to understand the type of targets for a penetration test. Also note that if the target is a cloud resource or other asset hosted by a third party, you must get permission from the third party or cloud provider to perform testing on those assets.

Depending on the type of testing being performed, there are a number of other questions you can ask during the scoping of the project. The Penetration Testing Execution Standard (PTES) website found at www.pentest-standard.org has an extensive list of questions you can ask. The following sections list example questions for each different type of test.

General questions

»» What is the goal of the penetration test? (Why is it being done?)
»» Is the pentest being performed for compliance reasons?
»» What hours of the day can the penetration test be performed (business hours/non-business hours)?
»» What are the internal and external target IP addresses?
»» Are security controls in place such as firewalls and intrusion detection systems?
»» If a system is compromised, what actions should be taken next (for example, no action, elevate privileges, and so on)?

Web application testing questions

»» How many web applications/sites are being tested?
»» How many of those require authentication?
»» How many static pages are in those sites?
»» How many dynamic pages are in those sites?
»» Is the source code available for review?
»» Is authentication testing to be performed?

Wireless network testing questions

»» How many wireless networks are there?
»» What wireless encryption protocol(s) are being used?
»» What is the area covered by wireless?
»» Should detection of rogue devices be performed?
»» Should wireless attacks against clients be performed (or just focus on the access point)?
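The scoping questions above ask the customer for the authorized IP ranges and domains, any third-party-hosted assets, and fragile systems to leave alone. As an added example (not code from the book), the following script records those answers as a scope definition and checks every discovered target against it before any testing starts; all ranges, domains and hosts in it are constructed placeholders.

```python
import ipaddress


class Scope:
    """Authorized target list agreed with the customer during scoping (constructed example)."""

    def __init__(self, ip_ranges, domains, excluded=(), third_party=None):
        # Customer-owned ranges that the signed authorization covers
        self.nets = [ipaddress.ip_network(r, strict=False) for r in ip_ranges]
        # Domain names in scope; subdomains of these count as in scope
        self.domains = [d.lower().rstrip(".") for d in domains]
        # Hosts carved out by the RoE (for example, fragile systems that are easy to crash)
        self.excluded = [ipaddress.ip_network(r, strict=False) for r in excluded]
        # Ranges hosted by an ISP or cloud provider, mapped to whether the
        # provider's own written authorization has been obtained
        self.third_party = {
            ipaddress.ip_network(r, strict=False): ok
            for r, ok in (third_party or {}).items()
        }

    def classify_ip(self, ip_str):
        ip = ipaddress.ip_address(ip_str)
        if any(ip in n for n in self.excluded):
            return "excluded"            # never touch, even inside an authorized range
        if any(ip in n for n in self.nets):
            return "in-scope"
        for net, authorized in self.third_party.items():
            if ip in net:
                return "in-scope" if authorized else "needs-provider-authorization"
        return "out-of-scope"            # possibly owned by someone else: do not test

    def classify_host(self, hostname):
        name = hostname.lower().rstrip(".")
        for d in self.domains:
            if name == d or name.endswith("." + d):
                return "in-scope"
        return "out-of-scope"


def triage(scope, discovered):
    """Group discovered targets (IP addresses or hostnames) by scope verdict."""
    verdicts = {}
    for target in discovered:
        try:
            ipaddress.ip_address(target)
            verdict = scope.classify_ip(target)
        except ValueError:               # not an IP literal, treat as a hostname
            verdict = scope.classify_host(target)
        verdicts.setdefault(verdict, []).append(target)
    return verdicts


# Constructed sample scope and discovery results (placeholders, not real assets)
SAMPLE_SCOPE = Scope(
    ip_ranges=["10.10.0.0/16", "203.0.113.0/24"],
    domains=["example.com"],
    excluded=["10.10.5.7/32"],                 # fragile print server carved out in the RoE
    third_party={"198.51.100.0/25": True,      # cloud provider has signed off
                 "198.51.100.128/25": False},  # ISP-hosted, no authorization yet
)
SAMPLE_DISCOVERED = ["10.10.1.20", "10.10.5.7", "203.0.113.9", "198.51.100.10",
                     "198.51.100.200", "192.0.2.44", "vpn.example.com", "example.org"]

if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE_SCOPE, SAMPLE_DISCOVERED).items()):
        print(f"{verdict:30} {', '.join(hosts)}")
```

Anything that lands in the "out-of-scope" or "needs-provider-authorization" buckets goes back to the customer for confirmation rather than into the target list.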
»» How many wireless clients are there?

Physical security testing questions

»» Is physical security testing part of the pentest?
»» How many locations are there?
»» Are the locations shared with other businesses? If so, what floors do you occupy?
»» Are lock picks and bump keys allowed to bypass a locked door?
»» Are video cameras being used? If so, does the customer own those devices?

Social engineering testing questions

»» Is social engineering testing part of the pentest?
»» Does the customer have email addresses for social engineering?
»» Does the customer have phone numbers for social engineering?

Testing questions for IT staff

»» Are there fragile systems that are easy to crash?
»» What is the mean time to repair from a system outage?
»» What are the business-critical servers and applications?
»» Are backups tested regularly?
»» Is there a disaster recovery procedure in place for devices and systems being tested?
»» When was the last backup performed?

Identifying the Rules of Engagement (RoE)

As part of the planning and scoping phase of the CompTIA penetration testing process, it is important to define the rules of engagement (RoE) for the penetration test. The “rules of engagement” refer to any restrictions and details in regard to how the customer wants the penetration test performed. Following are some points covered by the rules of engagement:

»» The timeline for the penetration test: Determine the start date and the end date of the penetration test based on a schedule for each task and phase being performed.
»» When testing is to be performed (time of day): Define the hours of the day testing is permitted. This could be during work hours, non-work hours, or on weekends.
»» Types of allowed and disallowed tests: Ensure that the RoE specifies what types of tests are allowed during a penetration test and any tests that are not allowed.
For example, many companies would not want a DoS attack to be performed during a penetration test, so a DoS attack should be added to the RoE as a disallowed test.

»» What to test (locations, targets, services, and applications): Identify what resources or targets will be tested. This includes the office locations, target systems, target services and applications, and the accounts to be targeted.
»» How the results should be reported: The details and results of the penetration tests, such as the vulnerabilities associated with each system, are highly sensitive. Define what method of communication is acceptable to communicate the pentest details and results. Communication should be encrypted, whether it is sent via email or on a disk.
»» Who should contact the pentest team: Define who is allowed to communicate with the pentest team during the penetration test.
»» How frequently updates should be communicated: Define who the pentest team is to go to with updates on the progress of the penetration test and how often updates should be communicated.
»» Authorization to perform the pentest: Verify that you have signed authorization to perform the penetration test.
»» Legal considerations with third parties: Verify whether any of the systems or services are hosted by a third party such as an ISP or cloud provider. If a third party is used to host services, verify that you have authorization from the third party to perform the pentest.
»» Security controls that could shun the pentest: Verify whether the pentest team can expect to be blocked or shunned by security controls such as firewalls, intrusion prevention systems, and blacklisting on the network. These controls can limit the pentest and increase the time to perform the penetration test.
»» Whether security controls should be tested: Discuss whether you should be testing the effectiveness of the security controls in place.
For example, should you report on whether the company security team was able to detect and respond to information gathering, footprinting attempts, scanning and enumeration, and attacks on systems?

Environmental considerations

It is important to identify the types of environments that are included within the penetration test. For example, some penetration tests may only include networking assets on the on-premises network, while other penetration tests may only test the web applications used by the company. Following is a list of common environments to include or exclude in a penetration test:

»» Network: The network environment could include assets on the local area network (LAN), the wide area network (WAN), and public Internet resources such as DNS servers, web servers, and email servers that are hosted on-premises.
»» Applications: A penetration test may include applications used by the company. This could be web applications (websites) running inside the LAN or they could be Internet applications. Many applications make calls to APIs, so check into whether testing of the API is to be included in the pentest.
»» Cloud: Many businesses today have moved to hosting their assets in the cloud, such as email servers, web servers, and database servers. Determine if any assets are in the cloud and if these assets should be tested. If there are cloud assets, be sure to get authorization from the cloud provider to perform the pentest on those assets.

Target audience and reason for the pentest

During the pre-engagement activities, it is important to determine the target audience for the penetration test and the reason the pentest is being performed. Many companies state that the primary goal of the penetration test is to verify that their systems are secure by seeing how they hold up to real-world attacks.
Another goal may be to see how the security team (known as the blue team) defends against the attacks, and to verify the effectiveness of the security controls in place (such as intrusion detection systems and firewalls). As a secondary goal, the company may need to be compliant with regulations stating that the company must have a penetration test performed regularly.

It is important to know why the pentest is being performed, but also who it is being performed for. The pentest report will need to be written to satisfy the goals of the pentest and to include information for the intended audience. For example, upper-level management may just want an executive summary that states how the company held up to the pentest, while the network administrators and security team may want more details on the vulnerabilities that still exist within their systems.

Communication escalation path

In addition to determining the target audience for the penetration test and the reason the pentest is being performed, it is also important to determine who the penetration testing team is to communicate with during the pentest. This includes determining when updates are delivered to the contact person and also who to contact when there is an emergency (such as a system or network crash due to the pentest).

Following are some common questions you can ask during the pre-engagement phase to determine communication paths:

»» How frequently should updates on the progress of the penetration test be communicated?
»» Who is the main point of contact in the company for communication updates?
»» Are the penetration testers allowed to talk to network administrators and the security team, or is this a silent pentest?
»» Who should be the point of contact in case of emergency?
As a pentester you also want to be sure you have collected proper contact information in case there is an emergency, such as a system going down or an entire network segment going down. Following is the key information you should collect about the customer in case of emergency:

»» Name of the company contact
»» Job title and responsibility of the contact
»» Does the contact have authorization to discuss details of the pentest activities?
»» Office phone number, mobile phone number, and home phone number of the contact

Another reason to communicate with the customer is to let the customer know if something unexpected arises while doing the pentest, such as if a critical vulnerability is found on a system, a new target system is found that is outside the scope of the penetration test targets, or a security breach is discovered when doing the penetration test. You will need to discuss how to handle such discoveries and who to contact if those events occur. In case of such events, you typically stop the pentest temporarily to discuss the issue with the customer, then resume once a resolution has been determined.

Resources and requirements

When defining the rules of engagement for the pentest, you also want to ensure that you discuss key points surrounding the company’s different resources such as the targets to focus on and who to communicate the results with. You learn earlier in this chapter about a few questions you should ask in relation to resources, but let’s discuss a bit more about resources and requirements.

Confidentiality of findings

A key point to discuss is the confidentiality of the updates given and the results of the penetration test. Determine with the customer who the authorized persons are to receive updates on the progress of the penetration test, who to go to in case of emergency, and who the penetration results (the report) should go to.
Be clear that you will be unable to communicate details of the penetration test to anyone not on this authorized list.

You should also set up a secure communication channel so that all communications in regard to the penetration test are encrypted. This includes the actual report file as well. Be sure that the report file is encrypted so that unauthorized persons cannot view the file. You could use the Secure Shell protocol (SSH) for secure file transfers, or a tool like GNU Privacy Guard for Windows (Gpg4win) to encrypt files and email messages. You can download the latest version of Gpg4win from www.gpg4win.org. Figure 2-1 shows how you can encrypt a file with Gpg4win on a Windows system.

FIGURE 2-1: Encrypting a file in Windows Explorer with Gpg4win.

Remember to encrypt the penetration testing report and all communication with the customer that pertains to the penetration testing report.

Known versus unknown

During the pre-engagement phase, discuss the targets for the penetration test and how to handle the discovery of an unknown device on the network. An unknown device is a device not on the target list, or an unauthorized access point, VPN server, or router connected to the network. If any non-targeted device that makes the client network and security vulnerable is discovered, you should stop the penetration test to discuss with the authorized persons how they want to proceed.

Support for the pentester

When planning for the penetration test, be sure to request all potential resources available to help you determine the number of targets and to learn a bit more detail about the targets. The first important resource to request is documentation: Ask for network diagrams identifying servers, routers, switches, and network segments to help you better prepare for the penetration test.
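Two of the documentation resources listed next, the WSDL of a SOAP web service and the Swagger document of a REST API, can be turned directly into a count of the operations and endpoints to be scoped, which answers the web application scoping questions (how many endpoints, how many require authentication). The following script is an added example, not code from the book; the Swagger 2.0 document and the WSDL it parses are constructed samples for a hypothetical "orders" service.

```python
import json
import xml.etree.ElementTree as ET

# Constructed Swagger 2.0 document: two paths, the orders path protected by an API key
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "basePath": "/api/v1",
    "securityDefinitions": {"apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}},
    "paths": {
        "/orders": {
            "get": {"summary": "List orders", "security": [{"apiKey": []}]},
            "post": {"summary": "Create order", "security": [{"apiKey": []}]},
        },
        "/status": {"get": {"summary": "Health check"}},
    },
})

# Constructed WSDL 1.1 document describing one SOAP port type with two operations
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions name="OrderService" targetNamespace="urn:example:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:example:orders">
  <portType name="OrderPort">
    <operation name="GetOrder"><input message="tns:GetOrderRequest"/></operation>
    <operation name="CancelOrder"><input message="tns:CancelOrderRequest"/></operation>
  </portType>
</definitions>"""

WSDL_NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def swagger_inventory(doc_text):
    """Return sorted (METHOD, full path, requires_auth) tuples from a Swagger 2.0 document."""
    doc = json.loads(doc_text)
    base = doc.get("basePath", "").rstrip("/")
    global_sec = bool(doc.get("security"))      # document-level security requirement
    rows = []
    for path, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            if method.lower() not in HTTP_METHODS:
                continue                        # skip 'parameters' and vendor extensions
            # An operation-level 'security' list overrides the document-level default
            needs_auth = bool(op["security"]) if "security" in op else global_sec
            rows.append((method.upper(), base + path, needs_auth))
    return sorted(rows)


def wsdl_inventory(xml_text):
    """Return sorted (portType, operation) tuples from a WSDL 1.1 document."""
    root = ET.fromstring(xml_text)
    rows = []
    for pt in root.findall("wsdl:portType", WSDL_NS):
        for op in pt.findall("wsdl:operation", WSDL_NS):
            rows.append((pt.get("name"), op.get("name")))
    return sorted(rows)


def scoping_summary(swagger_text, wsdl_text):
    """Counts that feed the web application scoping questions."""
    rest = swagger_inventory(swagger_text)
    soap = wsdl_inventory(wsdl_text)
    return {
        "rest_endpoints": len(rest),
        "rest_authenticated": sum(1 for _, _, auth in rest if auth),
        "soap_operations": len(soap),
    }


if __name__ == "__main__":
    for row in swagger_inventory(SAMPLE_SWAGGER):
        print("REST", *row)
    for row in wsdl_inventory(SAMPLE_WSDL):
        print("SOAP", *row)
    print(scoping_summary(SAMPLE_SWAGGER, SAMPLE_WSDL))
```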
You can request a number of other support resources from the customer:

»» WSDL/WADL files: You can obtain detailed information such as the methods or functions and their parameter data types supported by a web service by looking at the Web Services Definition Language (WSDL) or the Web Application Description Language (WADL) files. These are XML-based files that describe the web service.
»» SOAP project file: You can use the SOAP project file to view details about the functionality of a web service.
»» SDK documentation: You can view the documentation for a software development kit (SDK) to get a better understanding of the functionality provided by the SDK and types of calls that can be made by applications using it.
»» Swagger document: A swagger document is a document that describes the functionality of an application programming interface (API). Swagger is a technology that helps automate the creation of the API documentation. This documentation could help the pentester understand the functionality offered by an API.
»» XSD: An XML schema document (XSD) is used to describe the structure of an XML document and is a great tool to help understand the data stored in XML.
»» Sample application requests: You could view a sample application request message sent to an application to obtain detailed information about the structure of the request.
»» Architectural diagrams: A key piece of documentation that can help with application testing is an architectural diagram of the application and all of its components. For example, a web application may communicate with some middleware software, which then communicates with a database. Having a diagram that shows the communication channels for all components is a great tool to help you understand the architecture of an application.

Budget

A big part of the pre-engagement activities is determining the cost of the penetration test.
Once you have an idea of the size of the organization and the target resources for the penetration test, you can then work on calculating the cost of the pentest based on the man-hours you expect it to take and the cost per hour for the consultants. As the Penetration Testing Execution Standard (PTES) recommends, you should add 20 percent additional time to the estimated man-hours to accommodate any incidents that may slow down the penetration test. This will help the customer better understand the budget for the penetration test, and you can always lower the cost if you like once the job is complete. Customers are usually okay with the final cost ending up lower than what was quoted, but not happy if the cost goes up.

You also need to determine how payments are going to be scheduled. For smaller projects, you could do a net 30 days after the final report has been delivered, or for medium-sized and larger projects, you could go with a regular ongoing payment schedule that has the customer paying quarterly throughout the duration of the project. For larger jobs, some consultants ask for half of the payment upfront and then additional payments later on.

Impact analysis and remediation timelines

As discussed in “Disclaimers” earlier in this chapter, during the pre-engagement phase, it is critical that you communicate to the customer the risk or impact a penetration test can have on the company’s systems and the network. It is important that you try not to crash systems, and that you test all tools and techniques before using them on your customer’s systems, but in the end, the tools you are using are hacking tools, and they may have unexpected results in different environments. You must state that there is a risk of crashing a system or network in your contract, but stress during your discussions with the customer that you have tested the tools and will not intentionally try to crash systems.
You can minimize the risk by performing the penetration test on exact clones of the systems in a test environment. This environment could be a set of VMs that are exact copies of the production systems. The penetration test report will include remediation steps that
