Hello everybody, welcome to episode number 42 of the penetration testing simulation module, pre-engagement actions. This is Alejandro, and I'll be your instructor for today's session.

Our learning objectives are to understand the main steps you need to follow during the penetration testing process and to apply techniques to successfully perform a penetration test. This will differ from the other modules we have seen so far, because we will just be discussing the topics you need to address before you start a penetration test.

Penetration testing involves actions that can go beyond scope to a large extent, or cause some kind of service degradation to the customer's network, hence understanding the goals of the test is a key factor. These goals mostly include scope and rules of engagement. While the client might already have their own terms prepared to do a pen test, the tester needs to define the terms clearly. The tester, you in this case, must contribute to a better strategy about the scope. Take scope creep as an example: to check whether a service is vulnerable, for example, to a denial of service attack, requests are sent in a huge number, which may clog the network, rendering the server unresponsive, which is not acceptable. So for such activities the target server needs to be isolated. Metrics should be defined in terms of, maybe, a number of requests or the timing of these requests, so you can define an acceptable range or acceptable level of tries during the penetration test.

Having said that, there are some things you need to consider before even touching your keyboard to start your penetration test. For example, defining the scope is maybe one of the most important components of the penetration test, yet it's almost one of the most overlooked. Unfortunately, penetration testing is not something which can work as an experiment or something like that; things are done according to established practices and standards.
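To make the scope and rules-of-engagement terms discussed above concrete, here is an added Python example (not from the lecture or any course material) that encodes a constructed contract as data and checks each proposed test action against it before anything is run. The CIDRs, test-type names, request ceiling and testing window are all made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Set


@dataclass
class RulesOfEngagement:
    """Machine-readable summary of the signed contract terms (constructed example)."""
    in_scope: List[str]            # approved targets as CIDRs or single addresses
    excluded: List[str]            # hosts carved out of scope (e.g. shared MSSP/cloud boxes)
    allowed_tests: Set[str]        # test types the customer signed off on
    max_requests_per_sec: int      # agreed load ceiling for request-heavy tests
    window_start: time             # approved testing window (customer local time)
    window_end: time


def _contains(cidrs: List[str], addr) -> bool:
    """True if addr falls inside any of the given networks (version mismatch -> False)."""
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def check_action(roe: RulesOfEngagement, target: str, test_type: str,
                 planned_rps: int, when_iso: str) -> List[str]:
    """Return every RoE violation for a proposed action; an empty list means 'go'."""
    violations = []
    addr = ipaddress.ip_address(target)
    when = datetime.fromisoformat(when_iso)
    if not _contains(roe.in_scope, addr):
        violations.append(f"{target} is not in the approved scope")
    if _contains(roe.excluded, addr):
        violations.append(f"{target} is explicitly excluded")
    if test_type not in roe.allowed_tests:
        violations.append(f"test type '{test_type}' was not agreed in the contract")
    if planned_rps > roe.max_requests_per_sec:
        violations.append(f"{planned_rps} req/s exceeds the agreed ceiling of "
                          f"{roe.max_requests_per_sec} req/s")
    if not (roe.window_start <= when.time() <= roe.window_end):
        violations.append(f"{when_iso} is outside the approved testing window")
    return violations


# Constructed sample contract: one /24 in scope, one host excluded, no DoS or social engineering.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24"],        # RFC 5737 documentation range, not a real customer
    excluded=["203.0.113.10"],          # e.g. a box shared with other MSSP customers
    allowed_tests={"port_scan", "web_app", "auth_bypass"},
    max_requests_per_sec=50,
    window_start=time(22, 0),
    window_end=time(23, 59),
)

if __name__ == "__main__":
    # A request that breaks four terms at once: excluded host, DoS, too fast, wrong time of day.
    for v in check_action(SAMPLE_ROE, "203.0.113.10", "dos", 500, "2024-01-15T14:30:00"):
        print("BLOCKED:", v)
```

Wiring a check like this in front of your scanners turns the contract into a guardrail rather than a document nobody rereads once the test starts.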
Legal aspects of pen tests are to be considered very carefully. Both you and the client need to be familiar with the laws of the jurisdiction under which the test environment or test location is located, too. There might be cases where a pen test is required to be performed remotely. Maybe you're living in the U.S. and your client lives in the UK, or maybe Latin America or something like that. In such cases it is required to be aware of the laws; there might be local laws or maybe international laws. And maybe, for example, you're about to execute a penetration test in Europe, so you have to consider things like GDPR, for example.

So if something is in the test plan approved by the customer but it's not actually allowed under local laws or regulations, it will be wise to bring in a lawyer, or discuss that with the customer and tell them that you might not be able to do that because of the local laws or regulations for that activity. It is important to know that the use of some software is not allowed in certain countries; for example, the key lengths or key sizes. For example, RSA keys that are greater than 2048 are not allowed in some countries. So you have to consider all of that. If you are not familiar with local regulations, you should get a lawyer, or maybe someone that actually understands those laws and regulations.
Timelines and costs involved are something which cannot be ignored as well. It's important to agree upon the timelines allowed for a pen test. The tester needs to estimate the time that could be consumed for the testing, depending on the resources provided and the infrastructure during the test period. As an example, a customer requests that 100 IP addresses be tested for a price of 100 bucks, for example; one buck per IP. So this means that the customer is offering $1 per IP address. Obviously this is just an example, you guys don't freak out. However, this cost structure only remains effective at volume, when you're again trying to pen test 100 IPs or something like that.

A common trap that some testers fall into is maintaining a linear cost through the testing process. If the customer had only asked for one business-critical application to be tested at the same price structure, in this case $1, while the tester will still only be attacking a single IP, the volume of work has increased dramatically. When you have a lot of IPs, 100 IPs, you may be running one command to scan all the ports on all the IPs. When your task is to actually pen test only a single application, you will have to throw several exploits at it, like maybe testing for buffer overflow, testing for cross-site scripting, testing for local file inclusion, remote file inclusion, and all the techniques you have applied so far in this course. So this is something you have to consider, otherwise you can easily find yourself undercharging for the services you're offering to the customer, despite having a solid pricing structure. The process is not all black and white, though.
It is not uncommon for a client to be completely unaware of exactly what they need or what they're expecting from a penetration test. It's also possible that the client will not know how to communicate effectively what they're expecting from the test. It is important that in the pre-engagement phase the tester is able to serve as kind of a guide, kind of a partner for the customer. You must understand the difference between the tests, for example a test which focuses on a single application, as in the example I just gave you. You have to be able to translate business needs into more technical needs. Maybe the customer is actually worried that they have to be compliant with a certain law or regulation; maybe they're trying to be compliant with PCI, so they ask you to perform a PCI penetration test, that kind of test. So you have to be able to understand what the customer needs and translate that into a process, or a plan, or a scope for the penetration testing process.
Another thing that is really critical for the pen test is dealing with third parties. For example, sometimes the client is served by a managed security service provider, an MSSP. It is crucial that your pen test doesn't violate the terms of the MSSP. The client can request access privileges to the MSSP environment that serves them, but chances are that it cannot be agreed with the MSSP, because there might not be dedicated infrastructure for your client in the MSSP's infrastructure. So you might be limited to a great extent because of this restriction. So be sure to mention that to the customer so they're aware of it; most likely they will not be aware of it. However, it would be beneficial if you can arrange a meeting with the MSSP and maybe get to an agreement, and maybe they can set aside some of the critical services that they're actually running for the customer. You have to use those soft skills as well, so you can get the very best result from your penetration test.

Another thing that you have to consider: if the customer is actually using the cloud, most cloud service providers will not let you conduct penetration testing over their systems, because at the end they're also providing the same service to other customers, who might reside on the same physical machine. Although your customer's environment is virtualized, they might be on the same machine or using the same hypervisor, or if they are using any other technology they might not be able to give you that chance. I ran into some cases where Microsoft Azure actually gave us permission to pen test some of our customer's applications. So yeah, just give it a shot.
Try to talk with the MSSP or with the cloud provider and see what you can get from that, and you will look really good in front of the customer for trying to go the extra mile.

Another thing you have to consider is the rules of engagement. A common practice is that the tester brings their own system with all the necessary tools required for the pen test. It should be remembered that the purpose of the test is not to alter any of the client's environment, but only to assess its security. So it is better to avoid installing any software in the test environment or changing any of the network configuration. It is better to have your own machine, where you already know the tools and you really know what to do and what not to do, than to have the customer give you a machine to conduct your penetration test. You need to be provided access with the necessary privileges to the test location if the tests are required to be performed as an insider, a kind of grey-box test. If the test is to be executed without any interruption of business operations, in a live environment, I would recommend you have an incident response team or plan. Or, if the customer has an incident response team, you have to inform them, because you never know what could go wrong in a penetration test. The rules of engagement, aligned with the defined scope, should be well documented in a contract before even starting your penetration test.

Another thing to consider is documentation and report handling.
It is to be agreed in the contract how the process and results of the pen test need to be documented. Each customer has their own needs about what the report will contain; often they require a detailed report of every step performed, along with the outcomes, not limited to logs but also including analysis and graphics or something like that. Most of the time they also require an executive report so they can present it in business meetings or something like that. Also, both you and the customer need to be clear on what is to be preserved as evidence and how; the client may be maintaining for posterity all the planted evidence or reports at some central secure location which restricts access, maybe due to compliance. So it is important to have this included in the contract: what should be handed over to the customer, what should be saved in the customer's area, and everything else. Usually all the traces are required to be wiped off before the tester moves to other locations or continues with the penetration test. Sometimes they even ask you not to save anything on your machine, or to take snapshots of the machine that you're actually using and then revert to those snapshots after the pen test is finished, or they ask you to supply something to actually ensure that you don't leave with any information from the customer. You have to define all this during the initial engagement activities. I mean, ask the customer what they want to see in the report, a report template.

Let me just go to this page. Sorry about that, let me just go to this page and actually show you. Let me just copy the link over here and show you how you can actually check this page, and you will see a lot of report structures and examples you can actually use. They might be able to tell you something really cool. The point is that you can find several structures of what you should report and how you can report it. Here's just one example, but this page contains several examples of what you can do. Let me just go to the page, and you will find useful information or useful templates that you can actually use during your penetration testing process. Here it details the structure of how to do that. Just make sure to check the link, and you can get that information for yourself.

Another thing you have to consider is additional work at an hourly rate. Most of the time, anything that is not explicitly covered within the scope of the engagement should be handled very carefully. The first reason is scope creep; I mentioned it at the beginning of the video. As the scope expands, resources are consumed, cutting into the profits of your company or of you as a tester, and it may even create confusion and anger on the part of the customer. Another issue that many testers don't think of when taking on additional work is the legal ramifications. Again, as I told you at the beginning, you have to be very clear on what you can and cannot do in the customer's environment. So if they just pick up the phone, give you a call and tell you to perform, for example, a social engineering attack or maybe a denial of service attack, they might not be quite sure what they're asking, and if you just perform it you will get in trouble. So make sure to create a statement of work and properly sign it with the customer, and consider it like any contract, so you don't get into trouble.

The final thing is questionnaires.
During initial communication with the customer, there are several questions which the client will have to answer in order for the engagement scope to be properly estimated. These questions are designed to provide a better understanding of what the client is looking to gain out of the penetration test, why the client is actually looking to have a penetration test, and whether or not certain types of tests can be performed during the penetration testing process. Depending on the penetration test, you can ask questions like the following.

If you're performing a network penetration test: what are the reasons for the customer having a penetration test performed against the environment? How many IP addresses are to be tested? In the case that a system is penetrated, how should the testing team proceed? Should you continue compromising machines, or stop there, or something like that?

If you're actually performing a web application test: how many web applications are being assessed? How many dynamic pages are being assessed? Will static analysis be performed on the application? Does the client want credentialed scans of the web application performed? Does the client want role-based authorization testing performed against the application?

If you're performing a wireless network penetration test: how many wireless networks are you actually penetrating? Will enumeration of rogue devices be necessary? What is the square footage of the coverage, what is the range of the wireless penetration test you're actually performing, war driving or something like that, like going into the car and trying to get a signal from outside on the street? Questions like that.

If you're actually performing a physical penetration test, ask questions like: are all physical security measures documented? What happens if a guard actually catches you? Do they have alarms? Do they have motion-triggered alarms, that kind of stuff?

If you're going to perform social engineering, which most of the time, by the way, is an attack the customer prefers not to perform, because at the end they already kind of know that the employees are not well trained to actually deny an email coming from the CEO or something like that.

All these kinds of questions you have to ask, and have a questionnaire prepared before you actually define the scope. It will help the customer to narrow down what they are actually expecting to get from the penetration test, and it will help them, and help you, understand what the scope of the project actually is.
What is one of the first things you have to do before you start your penetration test? Well, define the scope, but I guess the first one is actually signing the contract. Of course, signing the contract implies that you already know the scope, you really know what to do and what not to do, and you're already familiarized with the local laws and regulations. So yes, I guess the contract is one of the first things you have to do. Why is it important to define the scope before you start your pen test? Because you don't want to do something that you're not expected to do. If you didn't define the scope, maybe you end up performing the penetration test against a server that you weren't supposed to see, or that you weren't supposed to actually try exploits on. That's why it's so important that you define the scope.
In this video we learned one important step you have to perform during your penetration testing process, which is the pre-engagement activity. We applied some techniques that will help you, or help us, perform a penetration test successfully. One book that I recommend for this part is Advanced Penetration Testing: Hacking the World's Most Secure Networks. It's a good read, a good book; it has a lot of information, and you should check it out. In the next video we'll cover reconnaissance and vulnerability identification. Well, that's it for today, folks. I hope you enjoyed this presentation.