
Chapter 1

Suppose, for example, that your client is a large software development shop that ships custom-coded applications to customers for use in manufacturing environments. Can you backdoor their source code and essentially compromise all of their customers? What would that do to harm their brand credibility?

Post exploitation is one of those tricky scenarios in which you must take the time to learn what information is available to you and then use that information to your benefit. An attacker would generally spend a significant amount of time in a compromised system doing the same. Think like a malicious attacker—be creative, adapt quickly, and rely on your wits instead of automated tools.

Reporting

Reporting is by far the most important element of a penetration test. You will use reports to communicate what you did, how you did it, and, most important, how the organization should fix the vulnerabilities discovered during the penetration test.

When performing a penetration test, you’re working from an attacker’s point of view, something that organizations rarely see. The information you obtain during a test is vital to the success of the organization’s information security program and in stopping future attacks. As you compile and report your findings, think about how the organization can use your findings to raise awareness, remediate the issues discovered, and improve overall security rather than just patch the technical vulnerabilities.

At a minimum, divide your report into an executive summary, executive presentation, and technical findings. The technical findings will be used by the client to remediate security holes, but this is also where the value lies in a penetration test. For example, if you find a SQL injection vulnerability in the client’s web-based applications, you might recommend that your client sanitize all user input, leverage parameterized SQL queries, run SQL as a limited user account, and turn on custom error messages.

After the client implements your recommendations and fixes the one specific SQL injection vulnerability, are they really protected from SQL injection? No. An underlying problem likely caused the SQL injection vulnerability in the first place, such as a failure to ensure that third-party applications are secure. Those will need to be fixed as well.
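To make the SQL injection recommendation above concrete, here is an added example (not code from the book or from any client application it describes) that puts a string-concatenated login query next to its parameterized replacement and runs the same attacker input through both. The in-memory SQLite database, the users table, its rows, and the login function names are all assumptions made for this example; the database account and error-message settings the report also recommends are deployment concerns and are not shown here.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's backend.

    The schema and the two user rows are assumptions for this example only.
    """
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """Builds the query by string formatting, so user input becomes SQL syntax.

    This is the classic SQL injection defect; it is kept deliberately broken
    to show what the attacker's payload does to the WHERE clause.
    """
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = con.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Same check using bound parameters: the driver passes input as data only.

    Whatever the attacker types is compared against the password column as a
    literal string and can never change the shape of the query.
    """
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run a legitimate login and an injection attempt through both versions."""
    con = make_db()
    # Constructed payload: closes the password literal and appends a condition
    # that is always true, turning the WHERE clause into
    #   (username = 'alice' AND password = '') OR '1'='1'
    payload = "' OR '1'='1"
    return {
        "vuln_legit": login_vulnerable(con, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(con, "alice", payload),
        "param_legit": login_parameterized(con, "alice", "s3cret"),
        "param_injected": login_parameterized(con, "alice", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the vulnerable version logging the attacker in as the first row in the table without knowing any password, while the parameterized version returns no match for the same input. The fix is the query shape, not input filtering: the bound parameter is never parsed as SQL, so there is nothing left for a quote character to escape.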

Types of Penetration Tests

Now that you have a basic understanding of the seven PTES categories, let’s examine the two main types of penetration tests: overt and covert. An overt pen test, or “white hat” test, occurs with the organization’s full knowledge; covert tests are designed to simulate the actions of an unknown and unannounced attacker. Both tests offer advantages and disadvantages.