Overview
This room covers the foundational concepts of penetration testing, including methodologies, ethics, and practical application. Essential knowledge for anyone pursuing the PT1 certification and understanding the penetration testing lifecycle.
Task 1: What is Penetration Testing?
A penetration test is an ethically-driven attempt to test and analyse the security defences that protect assets and information. It uses the same tools, techniques, and methodologies that someone with malicious intent would use, but under authorisation.
Key Statistics: According to Security Magazine, there are over 2,200 cyber attacks every day - 1 attack every 39 seconds.
Task 2: Penetration Testing Ethics
The battle of legality and ethics in cybersecurity is controversial. Labels like "hacking" and "hacker" often hold negative connotations, making the idea of legally gaining access to computer systems challenging to grasp.
Legal vs Ethical:
A penetration test is an authorised audit of a computer system's security and defences as agreed by the owners. Anything outside this agreement is deemed unauthorised.
Hat Categories:
- White Hat: Good hackers who remain within the law (e.g., penetration testers)
- Grey Hat: Use skills to benefit others but don't always follow laws/ethics
- Black Hat: Criminals seeking to damage organisations or gain financial benefit
Rules of Engagement (ROE):
A document created at the initial stages of an engagement that defines how the penetration test is carried out:
- Permission: Explicit permission for the engagement, which legally protects the individuals carrying it out
- Test Scope: Specific targets for engagement (servers, applications, etc.)
- Rules: Permitted techniques (e.g., MITM allowed, phishing prohibited)
Key Points:
- In the UK, the NCSC runs the CHECK accreditation scheme for authorised penetration tests
- Penetration testers face morally questionable decisions (e.g., accessing sensitive data)
- Actions may be legal but ethically questionable
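Added example, not part of the room: a small scope check that turns the three ROE elements above (permission window, target scope, permitted and prohibited techniques) into something a tester can verify against before each step. The client name, dates, network ranges, hostnames and technique names are constructed.

```python
# Added example (not from the room): a Rules of Engagement scope check that a
# tester runs before each step. The client, dates, ranges and technique
# names below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from datetime import date

@dataclass
class RulesOfEngagement:
    client: str
    start: date                      # engagement window, inclusive
    end: date
    in_scope_networks: list = field(default_factory=list)  # CIDR strings
    in_scope_hosts: set = field(default_factory=set)       # named targets
    permitted: set = field(default_factory=set)            # granted techniques
    prohibited: set = field(default_factory=set)           # explicitly banned

def host_in_scope(roe, target):
    """True if target is a listed hostname or an address inside an
    authorised network range; anything else is out of scope."""
    if target in roe.in_scope_hosts:
        return True
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in roe.in_scope_networks)

def authorised(roe, target, technique, today):
    """Return (ok, reason). Anything outside the agreement is unauthorised:
    wrong date window, unlisted target, or a technique that is prohibited
    or simply never granted (no permission is the same as a refusal)."""
    if not (roe.start <= today <= roe.end):
        return False, "outside engagement window"
    if not host_in_scope(roe, target):
        return False, f"{target} not in scope"
    if technique in roe.prohibited:
        return False, f"{technique} explicitly prohibited"
    if technique not in roe.permitted:
        return False, f"{technique} not granted in ROE"
    return True, "authorised"

# Constructed ROE mirroring the room's example: MITM allowed, phishing prohibited.
ACME_ROE = RulesOfEngagement(
    client="ACME (hypothetical)", start=date(2024, 3, 1), end=date(2024, 3, 14),
    in_scope_networks=["10.10.0.0/16"], in_scope_hosts={"www.acme.example"},
    permitted={"port_scan", "mitm"}, prohibited={"phishing"},
)
```

Note that a technique missing from the permitted list is refused even when it is not explicitly prohibited, which matches the rule that anything outside the agreement is unauthorised.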
Task 3: Penetration Testing Methodologies
Penetration tests can have a wide variety of objectives and targets within scope. No two penetration tests are the same, and there is no one-size-fits-all approach.
General Testing Stages:
- Information Gathering: Collecting publicly accessible information (OSINT, research) - no system scanning
- Enumeration/Scanning: Discovering applications and services running on systems
- Exploitation: Leveraging vulnerabilities discovered on systems/applications
- Privilege Escalation: Expanding access after initial foothold (horizontal/vertical)
- Post-exploitation: Pivoting, gathering additional info, covering tracks, reporting
OSSTMM (Open Source Security Testing Methodology Manual):
- Provides detailed framework for systems, software, applications, communications, and human aspects
- Covers telecommunications, wired networks, wireless communications
- Advantages: Various testing strategies, flexible, sets universal standards
- Disadvantages: Difficult to understand, very detailed, unique definitions
OWASP (Open Web Application Security Project):
- Community-driven framework for web application and service security testing
- Regularly publishes top ten web application vulnerabilities
- Advantages: Easy to understand, actively maintained, covers testing to reporting
- Disadvantages: May not be clear on vulnerability types, no accreditation
NIST Cybersecurity Framework 1.1:
- Popular framework to improve organizational cybersecurity standards
- Used by 50% of American organizations by 2020
- Advantages: Detailed security controls, frequently updated, provides accreditation
- Disadvantages: Many iterations, weak auditing policies, doesn't consider cloud computing
NCSC CAF (Cyber Assessment Framework):
- Extensive framework of fourteen principles for critical infrastructure organizations
- Covers: Data security, System security, Identity and access control, Resiliency, Monitoring, Response and recovery planning
- Advantages: Government-backed, provides accreditation, covers fourteen principles
- Disadvantages: Still new in industry, based on principles rather than direct rules
Task 4: Black Box, White Box, Grey Box Penetration Testing
Black-Box Testing:
High-level testing process where the tester is not given any information about the inner workings of the application or service.
- Tester acts as a regular user testing functionality and interaction
- Interacts with interface (buttons, etc.) to test intended results
- No knowledge of programming or application logic required
- Significantly increases time spent on information gathering and enumeration
- Example: Testing an application without source code access
Grey-Box Testing:
Most popular for penetration testing - combination of black-box and white-box testing.
- Tester has limited knowledge of internal components
- Interacts with application as if black-box scenario
- Uses knowledge of application to resolve issues found
- Saves time compared to black-box testing
- Often chosen for extremely well-hardened attack surfaces
White-Box Testing:
Low-level process usually done by software developers with programming knowledge.
- Tester has full knowledge of application and expected behavior
- Tests internal components and specific functions
- Ensures functions work correctly and within reasonable time
- More time-consuming than black-box testing
- Guarantees entire attack surface can be validated
- Example: Testing a website with source code access
Task 5: Practical: ACME Penetration Test
ACME has approached you for an assignment. They want you to carry out the stages of a penetration test on their infrastructure.
Practical Exercise Overview:
View the site and follow the guided instructions to complete this exercise.
Exercise Completion:
Flag: THM{PENTEST_COMPLETE}
Key Learning Points:
- Apply penetration testing concepts in a controlled environment
- Practice the complete penetration testing lifecycle
- Follow guided instructions to understand proper methodology
- Gain hands-on experience with real-world scenarios
PT1 Exam Relevance
This room covers fundamental concepts essential for the PT1 certification:
- Theoretical Knowledge: Understanding penetration testing principles and methodologies
- Ethical Framework: Professional and legal considerations in security testing
- Methodology Application: Structured approach to penetration testing engagements
- Practical Skills: Hands-on experience with testing techniques
- Documentation: Proper reporting and communication of findings
Key Takeaways
- Penetration testing is a systematic process requiring authorization and ethical conduct
- Multiple methodologies exist to guide comprehensive security assessments
- Different testing approaches (black, white, grey box) serve different purposes
- Practical experience is essential for developing penetration testing skills
- Professional reporting is crucial for effective security communication