July 16, 2015
A Short Practice Guide for PenTests
Definition: A penetration test is an established method of searching for security weaknesses in an IT system and, where possible, of using those weaknesses to gain access to the system's functions and data.

Typical starting points for penetration tests are:
- Active components such as routers, switches or gateways
- Security gateways such as firewalls, packet filters, intrusion detection systems, antivirus software etc.
- Servers such as database servers, mail servers, file servers etc.
- Telecommunication systems
- Web applications
- Wireless LAN
Contract: The contract between the client and the penetration tester should cover the following:
- the audit period, the audit objects and the scope;
- the costs incurred, and the client's obligation to co-operate;
- confirmation of the agreements reached and of the obligation of secrecy;
- the statement that the results apply only to the state of the systems at the time of the test.
Penetration tests are a snapshot: because of limits on time, money and staff, there is no guarantee that every existing weakness is found.
A non-disclosure agreement has to be concluded, together with guidelines on data privacy. The institution and the penetration tester should specify exactly which areas will be tested.
Subject requirements: The test object is agreed between the penetration tester and the institution. The current threat assessment and the protection requirements of the business processes provide the basis for this. Typical test objects correspond to the typical starting points listed above. The institution may wish to identify every possible attack and eliminate it; however, this is very time-consuming and expensive. Consideration should therefore be given to where an attack is most likely, and the interfaces identified there should be tested first. Penetration testers cannot take over quality assurance, and operational blindness has to be avoided: the same test objects should not be tested repeatedly by the same penetration testers. Defining the scope of testing: the following aspects are agreed upon:
- scope of testing
- test location
- test period
- test conditions
Test conditions
If a production system is being tested, the test period can be placed in a window in which little impairment of normal operation is expected. Note, however, that the traffic needed for some of the tests may then be missing. The client should ensure that no changes are made to the system during the test. If the client's contact person becomes aware of a vulnerability by observing the penetration test or through discussions about it, the fix has to wait until the penetration test is completed; otherwise the test result is falsified. If a gap is discovered that is so serious it must be closed immediately, the penetration test should be stopped and repeated at a later time.
When testing from the Internet, the penetration testers must be given access to the IT systems under test: any blocking by security gateways has to be switched off for the test period. This yields accurate results for the tested IT application. If the security gateway provides additional safeguards, so much the better for operations, but an accurate result that states which weaknesses need to be removed is easier, and therefore more economical, for the penetration tester to produce when the IT systems are tested separately from one another. The function of the security gateway itself should be tested in a separate penetration test.
Test period
Before any penetration test, a time frame for carrying it out should be defined, so that on the one hand the institution can prepare for and plan the penetration test exactly, and on the other hand the penetration tester has a fixed target. Sufficient time should be scheduled for familiarisation with the technology to be tested and for writing the report.
Documentation
So that the penetration testers get a quick overview of the test objects, the client should make the following documents available:
1. Network plans showing the communication links with other IT systems and IT applications. All interfaces for humans and machines should be clearly identifiable. Interfaces that can be reached from outside (e.g. connections to Internet services, WiFi, network outlets in meeting rooms) should be specially marked.
2. Description of the test object. Documentation of the test object should be available that describes what the test object is needed for. It should at least describe which participants have access to the object, at what times and by which access routes, which data are personal or otherwise have to be treated confidentially, and which IT systems are essential for the functioning of the IT application. IT applications should be divided into clearly defined functions and described accordingly. Special security measures concerning the IT application should be described.
3. List of IT systems with a description of hardening measures. Since most IT systems are subject to ongoing change, for example through regular updates, a status-quo image of the IT systems is sufficient for preparing the penetration test. For servers this means that a list of installed programs and services is created and the running processes are documented. For assessing network components, configuration files and rule sets are important.
4. Responsibilities. Finally, the responsible persons on both sides who must be available during the penetration test have to be named.
Sequence of a penetration test
The practical course of a penetration test is described below as far as this is possible in general terms. In most cases, especially in the practical part, further aspects are added that are determined individually on the basis of the test object.
1. Familiarisation of the penetration tester. The institution must make detailed documentation available to the penetration testers for familiarisation.
2. Test of the test object. It is recommended to divide the test into the following work packages:
- Opening discussion
- Setting up the working environment
- Practical test
- Concluding discussion
Depending on the scope of the tests, intermediate discussions may be necessary, or individual packages such as setting up the working environment and the practical test may be carried out several times. In tests lasting several days, a short meeting should be held every morning between the penetration testers and the participating technical staff of the client, clarifying what is planned. After completion of the day's work, a short summary should be given.
Practical test
Below, some recurring elements that occur in the practical part of basically every penetration test are described. The modules are intended to give an overview of the core elements of a penetration test; during the test, the possibility of going beyond these core elements must be kept open at all times if an attack is possible by another route.
Conceptual weaknesses
Usually the penetration testers will notice open issues and questions while reviewing the documentation of the test object during the preparation time. These can point to conceptual weaknesses of the test object that the person responsible on site may not have noticed.
Implementation of hardening measures
In this module it is determined whether the hardening measures documented for the test objects are actually implemented. At least the following points should be clarified:
1. Open ports
2. Interfaces
3. Currency of the patch levels and software versions used
4. Access requirements for programs / authentication
5. Service hardening / configuration rules
Known vulnerabilities
In this module the test object is examined for known vulnerabilities. This can be done on the basis of the patch levels found in the previous module (Implementation of hardening measures), or with so-called vulnerability scanners.
Exploits
Exact proof that a vulnerability exists is only obtained when it is actually used, i.e. when an exploit has been run successfully. Penetration testers should only use exploits whose effects they have already studied and tested.
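As an added example (not part of the original guide), the following Python script shows how the status-quo image from the documentation phase and the hardening check from this module fit together: it parses a constructed `ss -tlnp` capture and a constructed `dpkg-query` package list, and compares both against a baseline that stands in for the client's hardening and patch-level documentation. The command output formats, the baseline contents and the simplified version comparison are assumptions made for the example; a production tool would use `apt_pkg.version_compare` or the equivalent for the distribution in question.

```python
"""Offline check of a host's listening services and package versions against
the baseline the client supplied in the preparation phase.

Added example; the sample captures below are constructed, not from a real host.
"""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    addr: str
    port: int
    process: str


# Constructed sample of `ss -tlnp` output (assumption: iproute2 column layout).
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=944,fd=21))
LISTEN 0      128    [::]:6379           [::]:*            users:(("redis-server",pid=1337,fd=7))
"""

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
DPKG_SAMPLE = """\
openssh-server 1:8.4p1-5
nginx 1.18.0-6.1
redis-server 5:6.0.16-1
"""

# What the client's hardening documentation says should be listening (constructed).
BASELINE_LISTENERS = {
    Listener("0.0.0.0", 22, "sshd"),
    Listener("*", 443, "nginx"),
    Listener("127.0.0.1", 3306, "mysqld"),
}

# Minimum versions taken from the client's patch-level documentation (constructed).
BASELINE_MIN_VERSIONS = {
    "openssh-server": "1:8.4p1-5+deb11u1",
    "nginx": "1.18.0-6.1",
}

PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(text):
    """Parse `ss -tlnp` lines into Listener tuples; the header line is skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:6379 and *:443
        m = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def parse_dpkg(text):
    """Parse `package version` lines into a dict."""
    pkgs = {}
    for line in text.splitlines():
        if line.strip():
            name, ver = line.split(None, 1)
            pkgs[name] = ver.strip()
    return pkgs


def version_key(ver):
    """Simplified ordering: compare the numeric runs left to right.
    Assumption: adequate for this check; it ignores Debian epoch and tilde
    rules, so a real tool should use apt_pkg.version_compare instead."""
    return tuple(int(n) for n in re.findall(r"\d+", ver))


def unexpected_listeners(listeners, baseline):
    """Listeners missing from the documented baseline, with their exposure."""
    findings = []
    for lst in listeners:
        if lst in baseline:
            continue
        exposed = lst.addr not in ("127.0.0.1", "::1", "[::1]")
        findings.append((lst, "network-reachable" if exposed else "loopback only"))
    return findings


def outdated_packages(installed, minimums):
    """Packages whose installed version is below the documented minimum."""
    return [(name, installed[name], minv) for name, minv in minimums.items()
            if name in installed and version_key(installed[name]) < version_key(minv)]


def run_check(ss_text=SS_SAMPLE, dpkg_text=DPKG_SAMPLE):
    return {
        "unexpected_listeners": unexpected_listeners(parse_ss(ss_text), BASELINE_LISTENERS),
        "outdated_packages": outdated_packages(parse_dpkg(dpkg_text), BASELINE_MIN_VERSIONS),
    }


if __name__ == "__main__":
    for kind, items in run_check().items():
        print(kind)
        for item in items:
            print("  ", item)
```

With the constructed data the script reports the Redis listener bound to all interfaces, which the client's documentation does not mention, and an openssh-server package below the documented minimum version; both are exactly the kind of deviation between documented and implemented hardening that this module is meant to surface, and each becomes an input to the "known vulnerabilities" module that follows.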
After the test, a discussion between the penetration testers and the client's contact persons is held; its aim is to inform them of the course and outcome of the practical test.
Report: The last work package of a penetration test is the report. Because of its potentially explosive contents, the report should be made available only to the penetration tester and the tester's quality assurance, and to a select group on the client's side. Depending on its criticality, the document must carry confidentiality markings.