Pentesting Fundamentals
Learn the important ethics and methodologies behind every pentest. This is a
walkthrough of the TryHackMe room Pentesting Fundamentals; let's get started.
#1 Read me!
ANSWER: No answer needed
The battle of legality and ethics in cybersecurity, let alone penetration testing,
is always controversial. Labels like “hacking” and “hacker” often hold negative
connotations, especially in pop culture, thanks to a few bad apples. The idea of
legally gaining access to a computer system is a challenging concept to grasp —
after all, what makes it legal exactly?
Companies that provide penetration testing services are held against legal
frameworks and industry accreditation. For example, in the UK the National Cyber
Security Centre (NCSC) runs the CHECK accreditation scheme, under which only
“[CHECK] approved companies can conduct authorised penetration tests of public
sector and CNI systems and networks.” (NCSC). CNI here means critical national
infrastructure.
Ethics is the moral debate between right and wrong; where an action may be legal,
it may go against an individual’s belief system of right and wrong.
Hackers are sorted into three hats, where their ethics and motivations behind their
actions determine what hat category they are placed into. Let’s cover these three
in the table below.
White Hat: These hackers are considered the “good guys”. They remain within the law
and use their skills to benefit others.
Grey Hat: These hackers often use their skills to benefit others; however, they do
not always respect or follow the law or ethical standards.
Black Hat: These hackers are criminals who seek to damage organisations or gain
some form of financial benefit at the cost of others. For example, ransomware
authors infect devices with malicious code and hold data for ransom.
Before any testing starts, the tester and the client agree a Rules of Engagement
(ROE) document. Its main sections are described below.
Permission: This section of the document gives explicit permission for the
engagement to be carried out. This permission is essential to legally protect
individuals and organisations for the activities they carry out.
Test Scope: This section of the document will annotate specific targets to which
the engagement should apply. For example, the penetration test may only apply to
certain servers or applications but not the entire network.
Rules: The rules section will define exactly the techniques that are permitted
during the engagement. For example, the rules may specifically state that
techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle)
attacks are okay.
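The test scope is the section a tester is most likely to breach by accident, for instance by pasting a whole subnet into a scanner when the client excluded a few hosts from it. Here is an added example, not part of the TryHackMe room or of this writeup, of enforcing the agreed scope in code before anything is scanned. The allow/deny rule format, the addresses and the hostnames are constructed for the example and do not describe a real engagement.

```python
"""Scope checker for a penetration test: refuse any target outside the agreed scope.

Added example for this writeup; the rule format, addresses and hostnames below
are constructed and do not describe a real engagement.
"""
import ipaddress

# Constructed scope file in a simple "allow|deny <CIDR|IP|hostname>" format
# (an assumption made for this example, not a TryHackMe or industry standard).
SCOPE_TEXT = """
allow 10.10.0.0/24            # client's test VLAN
allow 192.168.50.0/28         # DMZ segment
deny  10.10.0.1               # gateway: explicitly excluded by the client
deny  192.168.50.0/30         # dev team's boxes, out of scope
allow app.example.internal    # named web application
"""

# Constructed list of targets a tester might be about to feed to a scanner.
CANDIDATE_TARGETS = [
    "10.10.0.15", "10.10.0.1", "10.10.1.7", "192.168.50.2",
    "192.168.50.9", "app.example.internal", "mail.example.internal",
    "192.168.50.8/29",
]


def _parse_entry(value):
    """Return an ip_network for IP/CIDR literals, otherwise a normalised hostname."""
    try:
        # strict=False lets a bare address such as "10.10.0.15" become 10.10.0.15/32
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return value.lower().rstrip(".")


def parse_scope(text):
    """Parse allow/deny rules into separate network lists and hostname sets."""
    scope = {"allow_nets": [], "deny_nets": [], "allow_hosts": set(), "deny_hosts": set()}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blank lines
        if not line:
            continue
        verb, _, value = line.partition(" ")
        if verb not in ("allow", "deny"):
            raise ValueError(f"unknown rule: {raw!r}")
        entry = _parse_entry(value.strip())
        if isinstance(entry, str):
            scope[f"{verb}_hosts"].add(entry)
        else:
            scope[f"{verb}_nets"].append(entry)
    return scope


def is_in_scope(scope, target):
    """A target is in scope only if explicitly allowed and touching no exclusion.

    Deny wins over allow, and a CIDR target is rejected if any part of it is
    excluded, so the tester has to split the range rather than scan through the hole.
    """
    entry = _parse_entry(target)
    if isinstance(entry, str):
        return entry not in scope["deny_hosts"] and entry in scope["allow_hosts"]

    def same_family(nets):
        # subnet_of() raises TypeError across IPv4/IPv6, so compare like with like
        return [n for n in nets if n.version == entry.version]

    if any(entry.overlaps(d) for d in same_family(scope["deny_nets"])):
        return False
    return any(entry.subnet_of(a) for a in same_family(scope["allow_nets"]))


def filter_targets(scope, targets):
    """Split candidate targets into (in_scope, out_of_scope) lists, order preserved."""
    in_scope = [t for t in targets if is_in_scope(scope, t)]
    out_of_scope = [t for t in targets if not is_in_scope(scope, t)]
    return in_scope, out_of_scope


if __name__ == "__main__":
    ok, rejected = filter_targets(parse_scope(SCOPE_TEXT), CANDIDATE_TARGETS)
    print("in scope:    ", ok)
    print("out of scope:", rejected)
```

Hostname rules are matched by name only. In a real engagement, resolve each name and run the resulting addresses through the same check, because an in-scope hostname can point at an address the client excluded, and treat anything the checker rejects as a question for the client rather than a target.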
#2 You attack an organisation and steal their data, what type of hacker would you
be?
ANSWER: Black Hat
A penetration test moves through a set of stages, starting with information
gathering (including publicly available, open-source information about the
target), followed by enumeration and scanning, exploitation, privilege escalation
and post-exploitation. Post-exploitation asks, among other things, what additional
information can be gathered from the host now that we are a privileged user, and
the engagement closes with reporting.
OSSTMM
The Open Source Security Testing Methodology Manual provides a detailed framework
of testing strategies for systems, software, applications, communications and the
human aspect of cybersecurity.
Disadvantages:
The framework is difficult to understand, very detailed, and tends to use unique
definitions.
OWASP
The Open Web Application Security Project (OWASP) regularly publishes its Top Ten,
a report of the most critical security risks a web application may have, together
with the testing approach and remediation for each.
Disadvantages:
It may not be clear what type of vulnerability a web application has (categories
can often overlap).
OWASP does not make recommendations tied to any specific software development life
cycle.
The framework doesn’t hold any accreditation such as CHECK.
NIST Cybersecurity Framework 1.1
The framework provides guidelines on security controls & benchmarks for success for
organisations from critical infrastructure (power plants, etc.) all through to
commercial. There is a limited section on a standard guideline for the methodology
a penetration tester should take.
Areas covered:
Data security
System security
Identity and access control
Resiliency
Monitoring
Response and recovery planning
Disadvantages:
The framework is still new in the industry, meaning that organisations haven’t had
much time to make the necessary changes to be suitable for it.
The framework is based on principles and ideas and isn’t as direct as having rules
like some other frameworks.
#1 What stage of penetration testing involves using publicly available information?
ANSWER: Information Gathering
Task 4: Black Box, White Box, Grey Box Penetration Testing
There are three primary scopes when testing an application or service. Your
understanding of your target will determine the level of testing that you perform
in your penetration testing engagement. In this task, we’ll cover these three
different scopes of testing.
Black-Box Testing
Black-box testing is a high-level process in which the tester is given no
information about the inner workings of the application or service.
The tester acts as a regular user, testing the functionality and interaction of the
application or piece of software. This can involve interacting with the interface,
i.e. buttons, and checking whether the intended result is returned. No knowledge
of programming or understanding of the program is necessary for this type of
testing.
Black-Box testing significantly increases the amount of time spent during the
information gathering and enumeration phase to understand the attack surface of the
target.
Grey-Box Testing
Grey-box testing is the most common scope for penetration tests. It combines the
black-box and white-box processes: the tester has some limited knowledge of the
internal components of the application or piece of software, but still interacts
with it as in a black-box scenario, using that knowledge to make sense of issues
as they find them.
With Grey-Box testing, the limited knowledge given saves time, and is often chosen
for extremely well-hardened attack surfaces.
White-Box Testing
White-box testing gives the tester full knowledge of the application (often
including its source code) and its expected behaviour. It is much more time
consuming than black-box testing, but the full knowledge makes it possible to
validate the entire attack surface rather than only the parts the tester happens
to discover.
#1 You are asked to test an application but are not given access to its source code
— what testing process is this?
ANSWER: Black Box
#2 You are asked to test a website, and you are given access to the source code —
what testing process is this?
ANSWER: White Box
Thanks for reading. Go to TryHackMe and finish the Pentesting Fundamentals room for
free to earn the badge.