Learning Dump: The Pentest Process

I've got a pretty solid high-level idea of the stages involved in a penetration testing process, but I want to map it all out in order to fill in any gaps in my knowledge and see it better in my head. The framework I want to follow is PTES.

This post will be a WIP that will be continually updated; I'll be adding descriptions and information under the headings and subheadings. I'm going to skip the pre-engagement process and just go with the more technical sections.

  • Intelligence gathering

    • OSINT

      • Corporate

        • Physical
          • Locations
          • Pervasiveness
          • Relationships
        • Logical
        • Org chart
        • Electronic
          • Document metadata
          • Marketing communications
        • Infrastructure assets
          • Network blocks owned
          • Email addresses
          • External infrastructure profile
          • Technologies used
          • Purchase agreements
          • Remote access
          • Application usage
          • Defense technologies
            • Passive fingerprinting
            • Active fingerprinting
          • Human capability
        • Financial
          • Reporting
          • Market analysis
            • Trade capital
            • Value history
            • EDGAR

      • Individual

        • Employee
          • History
          • Social network profiles
          • Internet presence
          • Physical locations
          • Mobile footprints
          • "For Pay" information

    • Covert gathering

      • Corporate

        • On location gathering
        • Offsite gathering

      • HUMINT

        • Results

    • Footprinting

      • External footprinting

        • Identify customer external ranges
        • Passive reconnaissance
          • WHOIS
          • BGP looking glasses
        • Active footprinting
          • Port scanning
          • Banner grabbing
          • SNMP sweeps
          • Zone transfers
          • SMTP bounce back
          • DNS discovery
          • Forward/reverse DNS
          • DNS bruteforce
          • Web application discovery
          • Virtual host detection & enumeration

      • Internal footprinting

        • Passive reconnaissance
        • Identify customer internal ranges
        • Active reconnaissance

    • Identify protection mechanisms

      • Network based protections
      • Host based protections
      • Application level protections
      • Storage protections
      • User protections

  • Threat modelling

    • Business asset analysis

      • Organisational data

        • Policies, plans and procedures
        • Product information
        • Marketing information
        • Financial information
        • Technical information
        • Employee data
        • Customer data

      • Human assets

    • Business process analysis

      • Technical infrastructure supporting process
      • Information assets supporting process
      • Human assets supporting process
      • 3rd party integration and/or usage of/by process

    • Threat agents/community analysis

      • Employees
      • Management (Executive, middle)

    • Threat capability analysis

      • Analysis of tools in use
      • Availability to relevant exploits/payloads
      • Communication mechanism
      • Accessibility

    • Motivation modelling
    • Finding relevant news of comparable organisations being compromised

  • Vulnerability analysis

    • Vulnerability testing
    • Vulnerability validation
    • Attack avenues

  • Exploitation

    • Precision strike
    • Customised exploitation
    • RF Access
    • Attacking the user
    • VPN detection
    • Route detection, including static routes
    • Pillaging
    • Business impact attacks
    • Further penetration into infrastructure
    • Persistence

  • Post exploitation
  • Reporting
