Planning and scoping
The first phase of the penetration testing process is planning and scoping. This phase is important as it is when you identify the goals of the penetration test, the timeframe, and the rules of engagement (the types of attacks you are allowed and not allowed to perform during the pentest).
The planning and scoping phase should start with a pre-engagement meeting that determines the extent of the penetration test, such as whether the testing will include internal and external assets. In this phase, you will also determine what systems need to be tested, the best time for testing, and the types of attacks that are allowed and not allowed.
An important part of the planning and scoping phase is to create a statement of work that specifies exactly what is to be tested and to get written authorization from a person of authority for the business that gives you permission to perform the penetration test. Remember that attacking and exploiting systems without prior authorization is illegal.
Chapter 2 covers planning and scoping.
Information gathering and vulnerability identification
The second phase of the penetration testing process is the information gathering and vulnerability identification phase, which is also known in other pentest models as the “reconnaissance phase.” This phase can be broken into two subphases: information gathering as the first subphase, and vulnerability identification as the second subphase.
Information gathering
The information gathering part of the penetration test is a time-consuming part of the penetration test. It involves both passive and active information gathering.
With passive information gathering, you use public Internet resources to collect information about the target such as public IP addresses used, names and email addresses of persons that could be targets to a social engineer attack, DNS records, and information about products being used. This is called passive information gathering because you are not actually communicating with the company’s live systems (unless you surf its website); instead, you are collecting public information that anyone can access and it will not look suspicious. Note that passive information gathering is also known as passive reconnaissance.
Active information gathering involves using tools to communicate with the company’s network and systems to discover information about its systems. For example, doing a port scan to find out what ports are open on the company’s systems is considered active because in order to know what ports are open on each system, you have to communicate with those systems. Once you start communicating with the company’s network, you risk detection, which is why these techniques are categorized differently than passive information gathering techniques. Note that active information gathering is also known as active reconnaissance.
Vulnerability identification
Once the information gathering subphase is complete, you should now have a listing of the ports open on the system and potentially a list of the software being used to open those ports. In the vulnerability identification subphase, you research the vulnerabilities that exist with each piece of software being used by the target. Vulnerability identification also involves using a vulnerability scanner to automate the discovery of vulnerabilities that exist on the target networks and systems.
Chapters 3 and 4 cover information gathering and vulnerability identification.
Attacks and exploits
The third phase of the penetration testing process is to perform the attacks and exploit systems. In this phase, with knowledge of the vulnerabilities that exist on the targets, you can then break out the penetration tools to attack and exploit the systems. This involves social engineering attacks, network attacks, software attacks such as SQL injection, and wireless attacks against wireless networks.
Once a system is compromised, you can then perform post-exploitation tasks, which involve collecting more information about the system or planting a backdoor to ensure you can gain access at a later time.
Chapters 5 through 10 cover attacks and exploits.
Reporting and communication
The fourth and final phase of the penetration testing process is reporting and communication. These tasks are the reason the penetration test was performed in the first place: to report on the findings and specify remediation steps the customer can take to reduce or eliminate the threats discovered.
During this phase, you will write a report of the actions you performed during the penetration test and the results of the testing. You will also include recommendations on how to better secure the systems in the report. The report will be delivered to the customer in the sign-off meeting, and the customer will sign-off on the completion of the penetration test.
Chapter 11 covers reporting and communication.
Graphic designed and created by Brendon Clarke.
FIGURE 1-2: The CompTIA penetration testing process.
Identifying Testing Standards and Methodologies
Over the years a number of security assessment and penetration testing methodologies have been developed. In this section, you learn about some of the common security assessment methodologies. Keep in mind that you should be familiar with these for the exam, but you do not need to know the detailed steps performed by each methodology.
MITRE ATT&CK
MITRE ATT&CK is a recognized knowledge base of tactics and techniques used by attackers to compromise systems. The goal of MITRE ATT&CK is to use the information collected and presented in the standard as a basis for threat modeling and analysis. At the MITRE ATT&CK website you can choose a threat and read the details about the threat, including how the threat can be detected and mitigated.
To learn more about MITRE ATT&CK, visit https://attack.mitre.org
.
Open Web Application Security Project (OWASP)
The OWASP Foundation is a nonprofit foundation focused on improving the security of software. OWASP released the very popular OWASP Top 10 document that lists the ten most common security flaws