Day 050 #FromZeroToHacker – Pentesting fundamentals

Before starting to pentest, we need to learn the ethical implications of the work and the methodologies we can apply to it.

Let’s mull it over in our daily #FromZeroToHacker challenge.

Table of contents
Introduction
What have I learnt today?
Stats
Resources

Introduction to Pentesting Fundamentals

Before learning how to hack, we need to understand more about what a penetration tester’s job responsibilities are and also what processes are followed in performing pentests.

What have I learnt today?

 What is Penetration Testing?

Just read or watch the news: every day we see that another hack or data leak threatens thousands, if not more, of people. According to Security Magazine, there are over 2,200 cyber attacks daily. This means one attack every 39 seconds (in 2017).

Cybersecurity is relevant to all people in the world, as more and more people work remotely.

A penetration tester or pentester is a security specialist tasked with penetrating an organisation’s assets to evaluate the security of an IT infrastructure by trying to exploit its vulnerabilities.

Penetration testing ethics

A penetration test is an authorised audit of a computer system’s security and defences, as agreed by the owners of the systems. Anything that falls outside this agreement is unauthorised.

Before a penetration test starts, the penetration tester and the system owner agree on which tools and techniques will be used and which systems will be tested. This forms the scope of the penetration testing agreement.

Ethics is the moral debate between right and wrong: Where an action may be legal, it may go against an individual’s belief system of right or wrong.

To simplify it, hackers are sorted into three hats, with different ethics and motivations:

(Image: Hacker hats)

Rules of engagement (ROE)

The ROE is a document created at the first stages of a penetration testing engagement. It consists of three main sections that set out how the engagement is carried out:

(Image: Rules of engagement)
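Since anything outside the agreement is unauthorised, the scope in the ROE is worth enforcing mechanically before any tool is pointed at a target. The following is an added example, not code from the original post or from TryHackMe: a small scope guard that reads the agreed scope (address ranges or hostnames), explicit exclusions and the agreed testing window, and refuses every target that is not covered. The ROE fields, the address ranges, the hostnames and the testing window are constructed placeholders, not a real engagement.

```python
"""Scope guard: refuse to touch any target that the rules of engagement
(ROE) did not explicitly put in scope.

Added example, not part of the original post or of TryHackMe's material.
All ROE values, hostnames and address ranges below are constructed
placeholders, not a real engagement.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    """The parts of a ROE that can be checked mechanically."""
    in_scope: list[str]                                     # CIDR ranges, IPs or hostnames the owner authorised
    out_of_scope: list[str] = field(default_factory=list)   # explicit exclusions carved out by the owner
    window_start: time = time(9, 0)                         # testing window agreed with the owner
    window_end: time = time(17, 0)


def _matches(target: str, entry: str) -> bool:
    """True if target is covered by one scope entry (CIDR, single IP or hostname)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # target is a hostname: require an exact, case-insensitive match
        return target.lower() == entry.lower()
    try:
        # strict=False accepts a single address as a /32 or /128 network
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # entry is a hostname but target is an IP: no match


def check_target(roe: RulesOfEngagement, target: str, now: datetime) -> tuple[bool, str]:
    """Decide whether a single target may be tested right now.

    Order matters: an explicit exclusion always wins over an inclusion,
    because the owner removed it from the agreement on purpose.
    """
    if any(_matches(target, e) for e in roe.out_of_scope):
        return False, f"{target}: explicitly out of scope"
    if not any(_matches(target, e) for e in roe.in_scope):
        return False, f"{target}: not in the agreed scope"
    if not (roe.window_start <= now.time() <= roe.window_end):
        return False, f"{target}: outside the agreed testing window"
    return True, f"{target}: authorised"


def filter_targets(roe: RulesOfEngagement, targets: list[str], now: datetime) -> list[str]:
    """Return only the targets a test may proceed against; print a line for each decision."""
    allowed = []
    for t in targets:
        ok, reason = check_target(roe, t, now)
        print(("ALLOW " if ok else "BLOCK ") + reason)
        if ok:
            allowed.append(t)
    return allowed


# Constructed sample ROE (placeholder values, not a real engagement).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.10.0.0/24", "app.example.test"],
    out_of_scope=["10.10.0.5"],   # e.g. a host the owner excluded from testing
)
SAMPLE_TIME = datetime(2023, 3, 1, 10, 30)   # inside the 09:00-17:00 window
AFTER_HOURS = datetime(2023, 3, 1, 22, 0)    # outside the window

if __name__ == "__main__":
    candidates = ["10.10.0.7", "10.10.0.5", "10.10.1.9", "app.example.test", "mail.example.test"]
    print(filter_targets(SAMPLE_ROE, candidates, SAMPLE_TIME))
```

The exclusion list is checked first so that a host the owner deliberately removed from scope can never be re-admitted by a broad CIDR entry, and the time-window check means a target that is in scope still gets blocked when the agreed hours are over.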

Penetration testing methodologies

As penetration tests have a wide variety of objectives and targets, there is no single solution to all problems. The steps a penetration tester takes are known as the methodology.

(Image: Methodology)

OSSTMM

The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.

(Image: Open Source Security Testing Methodology Manual)

OWASP

The Open Web Application Security Project framework is a community-driven framework used to test the security of web applications and services.

The foundation publishes reports listing the top ten security vulnerabilities a web application may be exposed to, how to test for them, and how to remediate them. We reviewed the Top 10 OWASP vulnerabilities from 2021 here and played around with the OWASP Juice Shop.

(Image: OWASP)

NIST Cybersecurity Framework 1.1

The NIST Cybersecurity Framework is a popular framework used to improve an organisation’s cybersecurity standards and manage the risk of cyber threats.

This framework provides guidelines on security controls.

(Image: NIST Cybersecurity Framework)

NCSC CAF

The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation’s defences against these. The framework mainly focuses on and assesses the following topics:

  • Data security
  • System security
  • Identity and access control
  • Resiliency
  • Monitoring
  • Response and recovery planning

(Image: Cyber assessment framework)

Black box, white box, grey box

There are three primary scopes when testing an application or service:

(Image: Boxes)

Black-box testing

Here the tester has no information about the inner workings of the application or service.

The tester acts as a regular user, testing the functionality and interaction of the application or software. No knowledge of programming or understanding of the program is necessary for this type of testing.

As we have no knowledge, we need to spend more time during the information gathering and enumeration phase to gain more understanding of how it works.

Grey-box testing

Grey-box testing combines black-box and white-box testing: here we have some limited knowledge of the internal components of the application.

With grey-box testing, the limited knowledge saves time.

White-box testing

This process is usually done by a software developer who knows programming and application logic. Here, the tester will be testing to ensure that everything works as intended.

The tester has full knowledge of the application and its expected behaviour.

Summary

In this lesson we have learnt about:

  • Penetration testing ethics.
  • Penetration testing methodologies.
  • What black-box, white-box and grey-box testing are.

Stats

From 86,165th to 82,639th. Still in the top 4%!

Here is also the Skill Matrix:

(Image: Skills Matrix)

Resources

Path: Jr Penetration tester

Introduction to Pentesting

TryHackMe: Pentesting Fundamentals

Other resources

Security Magazine article
Open Source Security Testing Methodology Manual
Open Web Application Security Project
Top 10 OWASP vulnerabilities from 2021
OWASP Juice Shop
NIST Cybersecurity Framework