THM – Intro to pentesting – Fundamentals – Part 1
This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing.
Table Of Contents
Penetration testing ethics
| Hat Category | Description | Example |
| White Hat | These hackers are considered the “good people”. They remain within the law and use their skills to benefit others. | For example, a penetration tester performing an authorised engagement on a company. |
| Grey Hat | These people use their skills to benefit others often; however, they do not respect/follow the law or ethical standards at all times. | For example, someone taking down a scamming site. |
| Black Hat | These people are criminals and often seek to damage organisations or gain some form of financial benefit at the cost of others. | For example, ransomware authors infect devices with malicious code and hold data for ransom. |
Rules of Engagement (ROE)
| Section | Description |
| Permission | This section of the document gives explicit permission for the engagement to be carried out. This permission is essential to legally protect individuals and organisations for the activities they carry out. |
| Test Scope | This section of the document will annotate specific targets to which the engagement should apply. For example, the penetration test may only apply to certain servers or applications but not the entire network. |
| Rules | The rules section will define exactly the techniques that are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are okay. |
Penetration Testing Methodoligies
| Stage | Description |
| Information Gathering | This stage involves collecting as much publically accessible information about a target/organisation as possible, for example, OSINT and research. Note: This does not involve scanning any systems. |
| Enumeration/Scanning | This stage involves discovering applications and services running on the systems. For example, finding a web server that may be potentially vulnerable. |
| Exploitation | This stage involves leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic. |
| Privilege Escalation | Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access to a system. You can escalate horizontally and vertically, where horizontally is accessing another account of the same permission group (i.e. another user), whereas vertically is that of another permission group (i.e. an administrator). |
| Post-exploitation | This stage involves a few sub-stages: 1. What other hosts can be targeted (pivoting) 2. What additional information can we gather from the host now that we are a privileged user 3. Covering your tracks 4. Reporting |
OSSTMM
The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.
| Advantages | Disadvantages | |
| Covers various testing strategies in-depth. | The framework is difficult to understand, very detailed, and tends to use unique definitions. | |
| Includes testing strategies for specific targets (I.e. telecommunications and networking) | Intentionally left blank. | |
| The framework is flexible depending upon the organisation’s needs. | Intentionally left blank. | |
| The framework is meant to set a standard for systems and applications, meaning that a universal methodology can be used in a penetration testing scenario. | Intentionally left blank. |
OWASP
The “Open Web Application Security Project” framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.
| Advantages | Disadvantages |
| Easy to pick up and understand. | It may not be clear what type of vulnerability a web application has (they can often overlap). |
| Actively maintained and is frequently updated. | OWASP does not make suggestions to any specific software development life cycles. |
| It covers all stages of an engagement: from testing to reporting and remediation. | The framework doesn’t hold any accreditation such as CHECK. |
| Specialises in web applications and services. | Intentionally left blank. |
NIST Cybersecurity Framework 1.1
The NIST Cybersecurity Framework is a popular framework used to improve an organisations cybersecurity standards and manage the risk of cyber threats. This framework is a bit of an honourable mention because of its popularity and detail.
| Advantages | Disadvantages |
| The NIST Framework is estimated to be used by 50% of American organisations by 2020. | NIST has many iterations of frameworks, so it may be difficult to decide which one applies to your organisation. |
| The framework is extremely detailed in setting standards to help organisations mitigate the threat posed by cyber threats. | The NIST framework has weak auditing policies, making it difficult to determine how a breach occurred. |
| The framework is very frequently updated. | The framework does not consider cloud computing, which is quickly becoming increasingly popular for organisations. |
| NIST provides accreditation for organisations that use this framework. | Intentionally left blank. |
| The NIST framework is designed to be implemented alongside other frameworks. | Intentionally left blank. |
NCSC CAF
The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation’s defences against these.
| Advantages | Disadvantages |
| This framework is backed by a government cybersecurity agency. | The framework is still new in the industry, meaning that organisations haven’t had much time to make the necessary changes to be suitable for it. |
| This framework provides accreditation. | The framework is based on principles and ideas and isn’t as direct as having rules like some other frameworks. |
| This framework covers fourteen principles which range from security to response. | Intentionally left blank. |
Black box, White box, Grey box penetration testing
Black-Box testing
This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service.
Grey-box testing
This testing process is the most popular for things such as penetration testing. It is a combination of both black-box and white-box testing processes. The tester will have some limited knowledge of the internal components of the application or piece of software. Still, it will be interacting with the application as if it were a black-box scenario and then using their knowledge of the application to try and resolve issues as they find them.
White-Box Testing
The tester will have full knowledge of the application and its expected behaviour and is much more time consuming than black-box testing. The full knowledge in a White-Box testing scenario provides a testing approach that guarantees the entire attack surface can be validated.
