4
Chapter 1
Suppose, for example, that your client is a large software development
shop that ships custom-coded applications to customers for use in manufac-
turing environments. Can you backdoor their source code and essentially
compromise all of their customers? What would that do to harm their brand
credibility?
Post exploitation is one of those tricky scenarios in which you must take
the time to learn what information is available to you and then use that infor-
mation to your benefit. An attacker would generally spend a significant amount
of time in a compromised system doing the same. Think like a malicious
attacker—be creative, adapt quickly, and rely on your wits instead of auto-
mated tools.
Reporting
Reporting
is by far the most important element of a penetration test. You will
use reports to communicate what you did, how you did it, and, most impor-
tant, how the organization should fix the vulnerabilities discovered during
the penetration test.
When performing a penetration test, you’re working from an attacker’s
point of view, something that organizations rarely see. The information you
obtain during a test is vital to the success of the organization’s information
security program and in stopping future attacks. As you compile and report
your findings, think about how the organization can use your findings to
raise awareness, remediate the issues discovered, and improve overall security
rather than just patch the technical vulnerabilities.
At a minimum, divide your report into an executive summary, executive
presentation, and technical findings. The technical findings will be used by
the client to remediate security holes, but this is also where the value lies in a
penetration test. For example, if you find a SQL injection vulnerability in the
client’s web-based applications, you might recommend that your client sani-
tize all user input, leverage parameterized SQL queries, run SQL as a limited
user account, and turn on custom error messages.
After the client implements your recommendations and fixes the one
specific SQL injection vulnerability, are they really protected from SQL injec-
tion? No. An underlying problem likely caused the SQL injection vulnerability
in the first place, such as a failure to ensure that third-party applications are
secure. Those will need to be fixed as well.
Types of Penetration Tests
Now that you have a basic understanding of the seven PTES categories, let’s
examine the two main types of penetration tests:
overt
and
covert.
An overt
pen test, or “white hat” test, occurs with the organization’s full knowledge;
covert tests are designed to simulate the actions of an unknown and unan-
nounced attacker. Both tests offer advantages and disadvantages.