Welcome to Cybrary. I am Raymond Evans and I will be your subject matter expert for Cybrary's Penetration Testing course.
In this video, we will be discussing pen tester best practices. What will be covered: gaining permission, documentation, building reports, when to test, and working with other departments. This video is handy because many of the things in this video can help keep you out of a lot of trouble and help you keep yourself covered in case somebody tries to throw blame at you for something that you didn't necessarily do. So the first part of pen testing, or the preparation for pen testing, is gaining permission.
Written permission should always be established prior to performing tests. You should never rely on word of mouth, a vague email, or some sort of memo that was sent to you. You should always have an agreement that has been written out and signed by heads of departments and individuals who are allowed to approve this kind of thing. If you have a low-level boss who says, "Hey, go do this," and you know that that individual is not allowed to give that kind of permission, talk to somebody higher than him and make sure that that's exactly what needs to be done, right, to cover yourself. This written permission will also act as an agreement
which will house things like different boundaries and what exactly needs to be done, or wants to be done, for this test. So in this agreement, you will need to have a list of what tests will be done and how long each of these tests will be performed for. This helps establish time frames, so the customer knows when you will be performing the tests that day. That company who you work for, or who your company is sending you out to perform the pen test for, will know that the traffic that's going across the wire at that time will most likely be yours.
Along with these times, you will also need what your targets will be: specific websites or different machines that you have set as the targets that you will be testing. This helps the people who you're working for identify that they're not necessarily under an attack, but that that is your traffic going across the wire there. Not only do agreements need to be made with your customer, but they should also be established with any third-party organizations that provide additional services, so IaaS, SaaS, or PaaS: infrastructure as a service or platform as a service, cloud systems or cloud services.
If you're going to be performing tests on a website that's hosted in the cloud, you will need to let the person who hosts that website in the cloud know that this will be happening. You need to put them in the agreement as well and have them sign off. You could have an individual who has a website and they give you permission to perform the pen test on it, but if the people who are hosting it don't give you permission, then the people who are hosting it in the cloud can come after you, can call the cops on you, and can look at this as an attack.
Documentation should be maintained in order to protect yourself. As soon as you get on the network, anything that goes wrong will most likely be blamed on you by individuals who don't understand what you're doing. They just know that you are there and you're performing a penetration test, and that's true even if their system doesn't touch yours and has nothing to do with yours. If you are pen testing a payment submission page on a website and a computer goes down in HR, the individuals in HR who don't know better are going to automatically assume that you tried to hack their computer down there, and blame will be thrown at you. So keeping proper documentation will give you the ability to identify what you did to damage the network, or to protect yourself from accusations. This documentation should be automatic and manual. For the automatic
documentation, you have to have something like Wireshark or tcpdump running. This type of documentation allows for accountability of what happened over the network. So with Wireshark or tcpdump running, you are able to accurately show exactly what came out of your machine over the network. So if somebody in HR says, "Hey, they attacked our computer," you are able to go and look at your Wireshark or tcpdump capture at that exact time and assure them, "No, this is the IP address I used for the test," or "This is the web page I was performing the test against," and you're able to protect yourself. Or if you did take down the computer accidentally, you are able to see how you accidentally took it down, what exactly caused that machine to fail.
And then manual documentation. This documentation should include a list of all commands that were used, what time they were used, and what system they were used on. So a small Excel sheet or something like that with a couple of columns for things like commands, times, and most likely websites as well. Something that would be handy to have in that is a notes section, so if something interesting happens when you type in a command, you could just jot down a little note in that section.
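As an added example, not part of the video, the following shell functions implement the manual log just described (command, time, system it was used on, plus a notes column) and wire it to a tcpdump capture for the automatic record, so a row in the spreadsheet can be matched to the packets that left the machine. The file names, the CSV column layout and the PENTEST_LOG, PENTEST_PCAP and OPERATOR_IP variable names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the video: an engagement log for a pen test.
# Manual record: every command goes into a CSV with its UTC timestamp, the
# operator IP it was sent from, the target it ran against, the exact command
# line, its exit code and a free-text note.
# Automatic record: tcpdump writes everything leaving the host to a pcap so the
# two can be reconciled later.
# PENTEST_LOG, PENTEST_PCAP and OPERATOR_IP are this example's own names.

PENTEST_LOG="${PENTEST_LOG:-./engagement-log.csv}"
PENTEST_PCAP="${PENTEST_PCAP:-./engagement.pcap}"

# Write the CSV header once so the file opens cleanly in a spreadsheet.
init_log() {
  if [ ! -s "$PENTEST_LOG" ]; then
    printf 'timestamp_utc,operator_ip,target,command,exit_code,note\n' > "$PENTEST_LOG"
  fi
}

# Quote one CSV field: wrap in double quotes and double any embedded quotes,
# so commands containing commas or quotes do not break the columns.
csv_field() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Operator address recorded with each command (override with OPERATOR_IP).
operator_ip() {
  if [ -n "${OPERATOR_IP:-}" ]; then
    printf '%s' "$OPERATOR_IP"
  else
    hostname -I 2>/dev/null | awk '{print $1}'
  fi
}

# Start the automatic record: capture all traffic on the interface to the pcap.
# Needs root; -U flushes each packet to disk so a crash loses nothing.
# (Not exercised by the offline test.)
start_capture() {
  sudo tcpdump -i "$1" -nn -U -w "$PENTEST_PCAP" &
  echo $! > "$PENTEST_PCAP.pid"
}

stop_capture() {
  sudo kill "$(cat "$PENTEST_PCAP.pid")" && rm -f "$PENTEST_PCAP.pid"
}

# Usage: logcmd <target> <note> <command> [args...]
# Runs the command, then appends one CSV row describing it. Returns the
# command's own exit code so it can be used in normal shell pipelines.
logcmd() {
  target="$1"; note="$2"; shift 2
  init_log
  ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  rc=0
  "$@" || rc=$?
  printf '%s,%s,%s,%s,%s,%s\n' \
    "$(csv_field "$ts")" "$(csv_field "$(operator_ip)")" \
    "$(csv_field "$target")" "$(csv_field "$*")" "$rc" "$(csv_field "$note")" \
    >> "$PENTEST_LOG"
  return "$rc"
}

# Number of logged commands (header excluded); compare against the pcap when
# reconciling what you did with what went over the wire.
log_count() {
  init_log
  echo $(( $(wc -l < "$PENTEST_LOG") - 1 ))
}

# Answer "was that you?" for one target: show only packets the operator host
# sent to it, read back from the capture. (Not exercised by the offline test.)
show_my_traffic() {
  tcpdump -nn -r "$PENTEST_PCAP" "src host $(operator_ip) and dst host $1"
}
```

In practice you would source this file, run start_capture on the testing interface before the first probe, and prefix every tool invocation with logcmd, for example `logcmd 10.0.0.20 "initial port sweep" nmap -sS 10.0.0.20`. When someone asks whether the HR machine outage was you, show_my_traffic 10.0.0.20 against the pcap and the matching CSV rows answer the question with timestamps rather than memory.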
These are very, very important documents. These are very, very important ways of maintaining proper documentation to keep yourself covered.
When you build a report, the report should be comprehensive and easy for customers to understand. There are key elements that each report should include: the type of vulnerability that was found, where exactly that vulnerability was found, and how it affects the customer. So you should probably put in a little detailed item here, something like, "This cross-site scripting can be used to enumerate cookies." And if it's a banking company and you're able to successfully get cookies from a test you've performed, then you can also show proof that this could be used to harvest cookies and steal individuals' money and things like that. After you have how it affects the customer, you should also put a suggested fix, because it's good that you find vulnerabilities, but you should be knowledgeable, or semi-knowledgeable, as to how to fix it. So if you find something like a SQL injection, you know that they have to have proper validation for user input, parse out certain key characters