Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello everybody, welcome to episode number 42
00:04
of the penetration testing module,
00:07
pre-engagement actions. This is Alejandro Guinea, and I'll be the instructor for today's session.
00:13
Our learning objectives are to understand the main steps you need to follow during the penetration testing process and apply techniques to successfully perform a penetration test. So this will differ from the other modules we have seen so far,
00:29
because we will just be discussing the topics you need to address
00:34
before you start a penetration test. Penetration testing involves actions that can go beyond scope to a large extent, or cause some kind of service degradation to the customer's network, and
00:50
understanding the goals of the test is a key factor. These goals mostly include scope and rules of engagement.
00:58
While the clients might have their terms prepared already to do a pen test, the tester needs to define the terms clearly. The tester, you in this case, must contribute to a better strategy about the scope. Scope creep, as an example: to check whether a service is vulnerable,
01:17
for example, to a denial of service attack, requests
01:21
now
01:22
are sent in a huge number, which may clog the network, rendering the server unresponsive, which is not acceptable. So for such activities, the target server needs to be isolated.
01:38
Our metrics should be defined in terms of, maybe, a number of requests or the time of these requests,
01:47
so you can define an acceptable range or an acceptable level of tries during this penetration test. Having said that, there are some things you need to consider before even touching your keyboard to start your penetration test. For example,
02:07
the scope.
02:08
Defining the scope is maybe one of the most important components of the penetration test, yet it's also one of the most overlooked, unfortunately.
02:20
Penetration testing is not something which can work as an experiment or something like that. Things are done according to established practices and standards.
02:34
The legal aspects of pen tests are to be considered very carefully. Both you and the client need to be familiar with the laws and the jurisdiction under which the test environment or test location is located, too.
02:52
There might be cases where a pen test is required to be performed
02:55
remotely. Maybe you're living in the U.S. and your client lives in the UK, or maybe Latin America, or something like that. In such cases, it is required to be aware of the laws. There are maybe local laws or maybe international laws. And maybe, for example, you're about
03:15
to execute a penetration test in Europe, for example. So you have to consider things like GDPR, for example.
03:23
So if something is in the test plan approved by the customer, but it's not actually allowed under local laws or regulations, it will be wise to bring in maybe a lawyer, or maybe discuss that with the customer and tell them that you might not be able to do that, because
03:43
you have to consider the local laws or regulations
03:46
for that activity. It is important to know that the use of certain software is not allowed in certain countries, like, for example, depending on the key length or key sizes.
04:01
For example, RSA keys that are greater than
04:08
2048 are not allowed in some countries. So you have to consider all of that. If you are not familiar with the local regulations, you should better get a lawyer, or maybe someone that actually understands those laws and regulations.
04:25
Timelines and the costs involved are something which cannot be ignored as well. It's important to agree upon timelines allowed for a pen test. The tester needs to estimate the time that could be consumed for the testing, depending on the resources provided
04:44
and the performance
04:45
of the infrastructure during the test period. As an example, a customer requests that, say, 100 IP addresses be tested for the price of 100,
04:59
100 bucks, for example. One buck, one dollar per IP, for example. So this means that the customer is offering $1 per IP address. Obviously, this is just an example, you guys don't freak out. However, this cost structure only remains effective at a volume
05:15
where you're, again, trying to pen test 100 IPs or something like that.
05:20
A common trap that some testers fall into is maintaining a linear cost through the testing process. If the customer had only asked for one business critical application to be tested at the same price structure, in this case $1,
05:36
while the tester will still be only attacking a single IP,
05:41
the volume of work has increased
05:44
dramatically, because maybe when you have a lot of IPs, or 100 IPs, you may be running one command to scan all the ports on all the IPs. When you are tasked
06:00
to actually pen test only a single application, you will have to throw several exploits, like maybe test for buffer overflow, test for cross-site scripting, test for local file inclusion, remote file inclusion, and all the techniques you have applied so far in this course. So
06:18
this is something you have to consider.
06:20
Otherwise, you can easily find yourself undercharging for the services you're offering to the customers, despite having a solid pricing structure. The process is not all black and white, though.
06:35
It is not uncommon for a client to be completely unaware of exactly what they need or what they're expecting from penetration testing. It's also possible that the client will not know
06:47
how to communicate effectively what they're expecting from the test.
06:53
It is important that in the pre-engagement phase the tester is able to serve as
06:59
kind of a guide, kind of a partner for the customer. You must understand the difference between the tests, for example one which focuses on a single application, as in the example I just gave you. You have to be able to translate business needs to maybe more technical needs. Maybe the customer is actually worried:
07:17
hey, they have to be compliant
07:20
with a certain law or regulation. Maybe they're trying to be compliant with PCI, so they ask you to perform a PCI
07:30
penetration test, that kind of test. So you have to be able to understand what the customer needs and be able to translate that into, actually,
07:44
that is,
07:45
a process or a plan or a scope for the penetration testing process.
07:51
Also, another thing that is really critical for the penetration test is dealing with third parties.
08:01
For example, sometimes the client is served by, for example, a managed security service provider, or MSSP. It is crucial that your pen test doesn't violate the terms of the MSSP. However, the client can request any access privileges to the MSSP
08:20
environment that serves them, but the chances are that it cannot be agreed
08:24
with the MSSP, because there might not be a dedicated infrastructure for your client in the MSSP infrastructure. So you might be limited to a great extent because of this restriction.
08:41
So be sure to actually mention that to the customer, so he's aware of that;
08:46
maybe he's not. Most likely, he will not be aware of that. So make sure you mention that to the customer. However, it will be beneficial if, for example, you can arrange a meeting with the MSSP and maybe get to an agreement, and maybe tell them that they can set aside some of the critical
09:07
services that they're actually running for the customer. You have to use those soft skills as well, so you can actually get the very best result from your penetration test. Another thing that you have to consider: if the customer is actually using the cloud,
09:24
most cloud service providers will not let you conduct
09:28
a penetration test over their system, because at the end they're actually also providing the same service to other customers, who might reside on the same
09:39
physical machine. Although your customer's environment is virtualized, they might be on the same machine or using the same hypervisor. Or maybe if they are using
09:54
any other technology, they might not be able to give you that chance. I ran into some cases where Microsoft Azure actually gave us permission to actually pen test some of our customers' applications. So yeah, just give it a shot,
10:13
give it a shot. Try to talk with the MSP,
10:16
with the cloud provider, and see what you can get from that, and you will look really good in front of the customer, trying to go the extra mile. Another thing you have to consider is the rules of engagement.
10:33
A common practice is that
10:37
the tester brings his own system with all the necessary tools required for the pen test. It should be remembered that the purpose of the test is not to alter any of the client's environment, but only to assess the security.
10:54
So it is better to avoid any installation of software in the test environment, or changing any of the network configuration.
11:01
It is better to have your own machine, where you already know the tools, you already know what to do and what not to do, than to have the customer give you one machine to actually conduct your penetration test.
11:13
You need to be provided access with the necessary privileges to the test location if the tests are required to be performed as an insider, kind of a gray box test. If the tests are to be executed without any interruption of business operations, in a live environment,
11:33
I will recommend you to have an incident response team or plan.
11:37
Or, if the customer has an incident response team, you have to inform them, because you never know what could go wrong in a penetration test.
11:48
The rules of engagement, aligned with the defined scope, should be well documented in a contract before even starting your penetration test. Another thing to consider is
12:01
documentation and report handling.
12:05
It is to be agreed in the contract how the process and results of the pen test need to be documented. Each customer has their own need of what the report will contain. Often they require a detailed report of every step performed, along with the outcomes,
12:24
not limited to logs, but also... They should include analysis
12:31
and graphics or something like that. And most of the time they also require an executive report, so they can present it to the business in meetings or something like that. Also, both you and the customer need to be clear on what is to be preserved as evidence, and how
12:50
the client may be maintaining, for posterity, all planted evidence or reports at some central
12:56
secure location which restricts access, maybe due to compliance. So it is important to have this included in the contract: what should be handled by you, what should be saved in the customer area, and everything.
13:11
Usually all the traces are required to be wiped off before the tester moves to other locations or maybe continues with the penetration test. Sometimes they even ask you not to actually save anything on your machine, or maybe to take snapshots of the machine that you're actually using and then revert to
13:31
those snapshots after the pen test is finished or something. They ask you to
13:35
sign something to actually ensure that you don't leave with any information from the customer. You have to
13:48
define all this during the initial engagement activities. I mean, ask the customer what they want to see in the report template. Let me just go to this page. Sorry about that, let me just go to this page and actually show you
14:05
how to
14:07
actually
14:09
just let me just copy the link over here
14:13
and show you how to. You can actually
14:18
see, and you will see a lot of report
14:22
structures and examples. You can actually use them. This is going from the background; they might be able to tell you something really cool.
14:33
The point is that you can find several structures of what you should report on and how you can report it. Here's just one example, but you can imagine, this page contains several examples of what you can do. Let me just go to the page and, for example, ... and
14:54
start of hack.
14:56
And you will find useful information or useful templates that you can actually use during your penetration testing process. And here, I'm going over the details of a structure of how to do that.
15:09
I mean, just make sure to see the link, and you can actually get that information for you. Another thing you have to consider is the additional
15:22
support.
15:22
Nope. Sorry.
15:24
Support based
15:26
on hourly rate. Most of the time, anything that is not explicitly covered within the scope of the engagement should be handled very carefully. The first reason is scope creep. I mentioned it at the beginning of the video.
15:43
As the scope expands, resources are consumed, cutting
15:48
into the profits of your company, or you as a tester, and maybe even creating confusion and anger on the part of the customer. So there's another issue that many testers don't think of when taking on additional work: the legal ramifications.
16:07
Again, I told you at the beginning, you have to
16:08
be very clear on what you can and cannot do in the customer's environment. So if they just pick up the phone and give you a call and tell you to perform, for example, a social engineering attack or maybe a denial of service attack, they might not be
16:26
quite sure what they're asking. And if you just perform it,
16:32
you will get in trouble. So make sure to create a statement of work and properly sign it with the customer, and consider it like any contract, if you like, so you can actually not get into trouble. And the final thing: questionnaires.
16:52
During initial communication with the customer, there are several questions which the client will have to answer in order for the engagement scope to be properly estimated. These questions are designed to provide a better understanding of what the client is looking to gain out of the penetration test
17:11
and why the client is looking to actually have a penetration test,
17:15
and whether or not certain types of tests will be performed in the penetration testing process. Depending on the penetration test, you can ask questions like, for example, if you're performing a network penetration test: for example, what is the customer's reason for having a penetration test performed against the environment?
17:34
How
17:34
many IP addresses are to be tested? In the case that a system is penetrated, how should the testing team proceed? Should you continue compromising machines, or stop, or something like that? If you're actually performing a web application
17:55
penetration test:
17:56
how many web applications are being assessed? How many dynamic pages are being assessed? Will static analysis be performed on the application? Does the client want credentialed scans for the web application performed? Does the client want role-based authorization
18:14
testing performed against the application?
18:15
If you're
18:18
performing a wireless network penetration test: how many wireless networks are you actually penetrating? Will enumeration of rogue devices be necessary? What is the square footage of the coverage, what is the range of the wireless penetration test you actually perform,
18:37
war driving or something like that, like going into the car and trying to get a signal from outside on the street, questions like that. If you're actually performing a physical penetration test, ask questions like: are all physical security measures documented? What happens if a guard actually calls you?
18:56
Do they have alarms?
18:57
Do they have motion-triggered alarms, that kind of stuff? If you're going to perform social engineering, which most of the time, by the way, is an attack that the customer prefers not to perform, because at the end they already kind of know that
19:17
all the employees are not well trained
19:19
to actually deny an email coming from the CEO or something like that.
19:26
All these kinds of questions you have to ask. Have a questionnaire prepared before you actually define the scope, and it will help the customer to actually narrow down what they are actually expecting to get from the penetration test. And it will help them, and help you, understand what's actually
19:45
the scope of the project.
19:49
What is one of the first things you have to do before you start your penetration test? Well, define the scope, but I guess the first one is actually signing the contract. Of course, signing the contract implies that you already know the scope. You already know what to do and what not to do.
20:07
You're already familiarized with the local regulations and
20:11
laws and regulations. So, yes, I guess the contract is one of the first things you have to do. Why is it important to define the scope before you start your pen test? Because you don't want to do something that you are not expected to do. Like if you didn't define the scope, maybe you end up
20:30
performing the penetration test against a server that you weren't supposed to see, or you weren't supposed to actually try exploits on. That's why it's so important that you define the scope.
20:45
In this video, we learned one important step you have to perform during your penetration testing process, which is the pre-engagement activity. We applied some techniques that will help you, or help us, perform a penetration test successfully.
21:00
One book that I recommend for this part is Advanced Penetration Testing: Hacking the World's Most Secure Networks. It's a good read, a good book. It has a lot of information, and you should check it out. In the next video, we'll cover reconnaissance and vulnerability identification.
21:19
Well, that's it for today. I hope you enjoyed the presentation.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor