Pentesting Fundamentals
TryHackMe | Pentesting Fundamentals
Michael Jack | 06/2022
Task 1 - What is Penetration Testing?
A penetration test, or pentest, is an ethically driven attempt to test and analyse the security defences that protect an organisation's assets and information. A penetration test uses the same tools, techniques, and methodologies that someone with malicious intent would use, and in that sense it is similar to an audit.
Task 2 - Penetration Testing Ethics
Penetration testers will often be faced with potentially morally questionable decisions during a penetration test. For example, they may gain access to a database and be presented with potentially sensitive data, or they may perform a phishing attack on an employee to test an organisation's human security. If that action has been agreed upon during the initial stages of the engagement, it is legal, however ethically questionable it may feel.
Recall that hackers can be grouped into three hats, white, grey, and black, forming a spectrum from legal and moral to less so.
Rules of Engagement (ROE)
Before a pentest happens, a document should be made that clearly outlines the permission being given to the testers, the test scope (what the targets of the test are and what they are not), and the rules that outline which techniques are allowed and any other stipulations.
Q: You are given permission to perform a security audit on an organisation; what type of hacker would you be?
White Hat
Q: You attack an organisation and steal their data, what type of hacker would you be?
Black Hat
Q: What document defines how a penetration testing engagement should be carried out?
Rules of Engagement
Task 3 - Penetration Testing Methodologies
The steps a penetration tester takes during an engagement are known as the methodology. A practical methodology is a smart one, where the steps taken are relevant to the situation at hand.
For example, having a methodology that you would use to test the security of a web application is not practical when you have to test the security of a network.
Generally the steps follow a pattern of:
- Information Gathering
- Enumeration/Scanning
- Exploitation
- Privilege Escalation
- Post-exploitation
OSSTMM
The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.
OWASP
The “Open Web Application Security Project” framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.
The foundation regularly writes reports stating the top ten security vulnerabilities a web application may have, the testing approach, and remediation.
NIST Cybersecurity Framework 1.1
The NIST Cybersecurity Framework is a popular framework used to improve an organisation's cybersecurity standards and manage the risk of cyber threats. This framework is a bit of an honourable mention because of its popularity and detail.
The framework provides guidelines on security controls & benchmarks for success for organisations from critical infrastructure (power plants, etc.) all through to commercial. There is a limited section on a standard guideline for the methodology a penetration tester should take.
NCSC CAF
The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation’s defences against these.
The framework applies to organisations considered to perform “vitally important services and activities” such as critical infrastructure, banking, and the likes. The framework mainly focuses on and assesses the following topics:
- Data security
- System security
- Identity and access control
- Resiliency
- Monitoring
- Response and recovery planning
Q: What stage of penetration testing involves using publicly available information?
Information Gathering
Q: If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We’re looking for the acronym here and not the full name.
OSSTMM
Q: What framework focuses on the testing of web applications?
OWASP
Task 4 - Black box, White box, Grey box Penetration Testing
There are three main scopes when testing an application or service, ranging from no knowledge to full knowledge, and the level of knowledge affects how the test is carried out.
Black-Box Testing
- No knowledge
- Testing process is usually high level
- Testers act as regular users
- Takes longer to gather information and enumerate/scan to understand the attack surface
Grey-Box Testing
- Some knowledge
- Tester has limited knowledge of the components, but still acts as a regular user
- The added knowledge speeds things up
White-Box Testing
- Full knowledge
- Low-level process
- Tester is fully familiar with the application logic and components
- More time consuming to fully go through every element
- The entire attack surface can be evaluated
Q: You are asked to test an application but are not given access to its source code - what testing process is this?
Black Box
Q: You are asked to test a website, and you are given access to the source code - what testing process is this?
White Box
Task 5 - Practical: ACME Penetration Test
ACME has approached you for an assignment. They want you to carry out the stages of a penetration test on their infrastructure. View the site (by clicking the green button on this task) and follow the guided instructions to complete this exercise.
THM{PENTEST_COMPLETE}