Open in app

Sign in

Write

Sign in

THM Introduction to Pentesting

Dehni
Dehni’s Notes
Published in
8 min readOct 27, 2023

Introduction to Pentesting Module Notes

Penetration Testing Ethics

A penetration test is an authorised audit of a computer system’s security and defences as agreed by the owners of the systems. The legality of penetration is pretty clear-cut in this sense; anything that falls outside of this agreement is deemed unauthorised.

Before a penetration test starts, a formal discussion occurs between the penetration tester and the system owner. Various tools, techniques, and systems to be tested are agreed on. This discussion forms the scope of the penetration testing agreement and will determine the course the penetration test takes.

Rules of Engagement (ROE)

The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections which are ultimately responsible for deciding how the engagement is carried out. The SANS institute has a great example of this document which you can view online here.

Answers:

1- white hat

2- black hat

3- rules of engagement

Penetration Testing Methodologies

The steps a penetration tester takes during an engagement is known as the methodology. A practical methodology is a smart one, where the steps taken are relevant to the situation at hand.

Before discussing some different industry-standard methodologies, we should note that all of them have a general theme of the following stages:

OSSTMM

The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.

The methodology focuses primarily on how these systems, applications communicate, so it includes a methodology for:

  1. Telecommunications (phones, VoIP, etc.)
  2. Wired Networks
  3. Wireless communications

OWASP

The “Open Web Application Security Project” framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.

The foundation regularly writes reports stating the top ten security vulnerabilities a web application may have, the testing approach, and remediation.

NIST Cybersecurity Framework 1.1

The NIST Cybersecurity Framework is a popular framework used to improve an organisations cybersecurity standards and manage the risk of cyber threats. This framework is a bit of an honourable mention because of its popularity and detail.

The framework provides guidelines on security controls & benchmarks for success for organisations from critical infrastructure (power plants, etc.) all through to commercial. There is a limited section on a standard guideline for the methodology a penetration tester should take.

NCSC CAF

The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation’s defences against these.

The framework applies to organisations considered to perform “vitally important services and activities” such as critical infrastructure, banking, and the likes. The framework mainly focuses on and assesses the following topics:

  • Data security
  • System security
  • Identity and access control
  • Resiliency
  • Monitoring
  • Response and recovery planning

Answers:

1- information gathering

2- osstmm

3- owasp

Black box, White box, Grey box Penetration Testing

There are three primary scopes when testing an application or service. Your understanding of your target will determine the level of testing that you perform in your penetration testing engagement.

Black-Box Testing

This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service.

The tester acts as a regular user testing the functionality and interaction of the application or piece of software. This testing can involve interacting with the interface, i.e. buttons, and testing to see whether the intended result is returned. No knowledge of programming or understanding of the programme is necessary for this type of testing.

Black-Box testing significantly increases the amount of time spent during the information gathering and enumeration phase to understand the attack surface of the target.

Grey-Box Testing

This testing process is the most popular for things such as penetration testing. It is a combination of both black-box and white-box testing processes.The tester will have some limited knowledge of the internal components of the application or piece of software. Still, it will be interacting with the application as if it were a black-box scenario and then using their knowledge of the application to try and resolve issues as they find them.

With Grey-Box testing, the limited knowledge given saves time, and is often chosen for extremely well-hardened attack surfaces.

White-Box Testing

This testing process is a low-level process usually done by a software developer who knows programming and application logic. The tester will be testing the internal components of the application or piece of software and, for example, ensuring that specific functions work correctly and within a reasonable amount of time.

The tester will have full knowledge of the application and its expected behaviour and is much more time consuming than black-box testing. The full knowledge in a White-Box testing scenario provides a testing approach that guarantees the entire attack surface can be validated.

Answers:

1- black box

2- white box

Principles of Security

Defence in Depth is the use of multiple varied layers of security to an organisation’s systems and data in the hopes that multiple layers will provide redundancy in an organisation’s security perimeter.

The CIA Triad

The CIA triad is an information security model that is used in consideration throughout creating a security policy.

Consisting of three sections: Confidentiality, Integrity and Availability (CIA), this model has quickly become an industry standard today. This model should help determine the value of data that it applies to, and in turn, the attention it needs from the business.

Confidentiality

This element is the protection of data from unauthorized access and misuse. Organisations will always have some form of sensitive data stored on their systems. To provide confidentiality is to protect this data from parties that it is not intended for.

Integrity

The CIA triad element of integrity is the condition where information is kept accurate and consistent unless authorized changes are made. It is possible for the information to change because of careless access and use, errors in the information system, or unauthorized access and use. In the CIA triad, integrity is maintained when the information remains unchanged during storage, transmission, and usage not involving modification to the information. Steps must be taken to ensure data cannot be altered by unauthorised people (for example, in a breach of confidentiality).

Availability

In order for data to be useful, it must be available and accessible by the user.

The main concern in the CIA triad is that the information should be available when authorised users need to access it.

Availability is achieved through a combination of many elements, including:

  • Having reliable and well-tested hardware for their information technology servers (i.e. reputable servers)
  • Having redundant technology and services in the case of failure of the primary
  • Implementing well-versed security protocols to protect technology and services from attack

Answers:

1- integrity

2- availability

3- confidentiality

Principles of Privileges

It is vital to administrate and correctly define the various levels of access to an information technology system individuals require.

The levels of access given to individuals are determined on two primary factors:

  • The individual’s role/function within the organisation
  • The sensitivity of the information being stored on the system

Two key concepts are used to assign and manage the access rights of individuals, two key concepts are used: Privileged Identity Management (PIM) and Privileged Access Management (or PAM for short).

PIM is used to translate a user’s role within an organisation into an access role on a system. Whereas PAM is the management of the privileges a system’s access role has, amongst other things.

What is essential when discussing privilege and access controls is the principle of least privilege. Simply, users should be given the minimum amount of privileges, and only those that are absolutely necessary for them to perform their duties.

Answers:

1- privileged identity management

2- privileged access management

3- pam

4- pim

According to a security model, any system or piece of technology storing information is called an information system.

The Bell-La Padula Model

The Bell-La Padula Model is used to achieve confidentiality. This model has a few assumptions, such as an organisation’s hierarchical structure it is used in, where everyone’s responsibilities/roles are well-defined.

The model works by granting access to pieces of data (called objects) on a strictly need to know basis. This model uses the rule “no write down, no read up”.

Biba Model

The Biba model is arguably the equivalent of the Bell-La Padula model but for the integrity of the CIA triad.

This model applies the rule to objects (data) and subjects (users) that can be summarised as “no write up, no read down”. This rule means that subjects can create or write content to objects at or below their level but can only read the contents of objects above the subject’s level.

Answers:

1- The Bell-La Padula Model

2- The Biba Model

3- The Bell-La Padula Model

4- The Biba Model

Threat Modelling & Incident Response

Threat modelling is the process of reviewing, improving, and testing the security protocols in place in an organisation’s information technology infrastructure and services.

A critical stage of the threat modelling process is identifying likely threats that an application or system may face, the vulnerabilities a system or application may be vulnerable to.

Threat Modelling Process

  • Preparation
  • Identification
  • Mitigations
  • Review

An effective threat model includes:

  • Threat intelligence
  • Asset identification
  • Mitigation capabilities
  • Risk assessment

To help with this, there are frameworks such as STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service and Elevation of privileges) and PASTA (Process for Attack Simulation and Threat Analysis)

STRIDE includes six main principles:

A breach of security is known as an incident. And despite all rigorous threat models and secure system designs, incidents do happen. Actions taken to resolve and remediate the threat are known as Incident Response (IR) and are a whole career path in cybersecurity.

Incidents are classified using a rating of urgency and impact. Urgency will be determined by the type of attack faced, where the impact will be determined by the affected system and what impact that has on business operations.

To successfully solve an incident, these steps are often referred to as the six phases of Incident Response that takes place, listed in the table below:

Answers:

1- STRIDE

2- Incident Response

3- tampering

4- recovery

Tryhackme
Tryhackme Walkthrough
Tryhackme Writeup
Thm
Pentesting

--

--

Dehni
Dehni’s Notes

Written by Dehni

7 Followers
Editor for

Writeups | Cybersecurity Notes | CTFs

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams