1 Planning & scoping Flashcards

1
Q

Why do the penetration testing team and the owner of the system that will be pentested need to discuss the engagement?

A

They need to agree on the scope of the penetration testing agreement, which will determine the course the penetration test takes.

2
Q

What is White Hat?

A

These hackers are considered the “good people”. They remain within the law and use their skills to benefit others. For example, a penetration tester performing an authorised engagement on a company.

3
Q

What is Grey Hat?

A

These people often use their skills to benefit others; however, they do not respect or follow the law or ethical standards at all times. For example, someone taking down a scamming site.

4
Q

What is Black Hat?

A

These people are criminals and often seek to damage organisations or gain some form of financial benefit at the cost of others. For example, ransomware authors infect devices with malicious code and hold data for ransom.

5
Q

What are the Rules of Engagement (ROE)?

A

The ROE is a document that is created at the initial stages of a penetration testing engagement and consists of three main sections, which are ultimately responsible for deciding how the engagement is carried out.

6
Q

What are the 3 sections of a ROE? Explain each of them:

A
  • Permission: This section of the document gives explicit permission for the engagement to be carried out. This permission is essential to legally protect individuals and organisations for the activities they carry out.
  • Test Scope: This section of the document will annotate specific targets to which the engagement should apply. For example, the penetration test may only apply to certain servers or applications but not the entire network.
  • Rules: The rules section will define exactly the techniques that are permitted during the engagement. For example, the rules may specifically state that techniques such as phishing attacks are prohibited, but MITM (Man-in-the-Middle) attacks are okay.
7
Q

Name the 5 steps of the pentesting methodology:

A

1/ Information Gathering
2/ Enumeration/Scanning
3/ Exploitation
4/ Privilege Escalation
5/ Post-exploitation

8
Q

Explain the Information Gathering phase in the pentesting methodology:

A

This stage involves collecting as much publicly accessible information about a target/organization as possible, for example through OSINT and research.

9
Q

Explain the Enumeration/Scanning phase in the pentesting methodology:

A

This stage involves discovering applications and services running on the systems. For example, finding a web server that may be potentially vulnerable.

10
Q

Explain the Exploitation phase in the pentesting methodology:

A

This stage involves leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic.

11
Q

Explain the Privilege Escalation phase in the pentesting methodology, including horizontal and vertical privilege escalation:

A

Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access to the system. You can escalate horizontally or vertically: horizontal escalation means accessing another account in the same permission group (i.e. another user), whereas vertical escalation means accessing an account in a different permission group (i.e. an administrator).

12
Q

Explain the Post-Exploitation phase in the pentesting methodology. What can you do during this phase? (4)

A

This stage involves a few sub-stages:
1. What other hosts can be targeted (pivoting)
2. What additional information can we gather from the host now that we are a privileged user
3. Covering your tracks
4. Reporting

13
Q

What is the OSSTMM?

A

The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity. It includes methodology for:
- Telecommunications (phones, VoIP, etc.)
- Wired Networks
- Wireless communications

14
Q

What is OWASP?

A

The “Open Web Application Security Project” framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.

15
Q

What is the NIST Cybersecurity Framework 1.1?

A

The NIST Cybersecurity Framework is a popular framework used to improve an organisation's cybersecurity standards and manage the risk of cyber threats.

16
Q

What is the NCSC CAF? What topics are addressed?

A

The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organization’s defences against these. The framework mainly focuses on and assesses the following topics:
- Data security
- System security
- Identity and access control
- Resiliency
- Monitoring
- Response and recovery planning

17
Q

What is ISSAF?

A

The Information Systems Security Assessment Framework is a comprehensive guide for conducting a penetration test that links individual penetration testing steps with the relevant penetration testing tools (last updated in 2015, so very old).

18
Q

What is PTES?

A

The Penetration Testing Execution Standard is developed to cover everything related to a penetration test and aims to provide a common language and scope for performing penetration tests, covering Pre-engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting.

19
Q

What is Black-Box Testing?

A

No-knowledge testing. This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service.
The tester acts as a regular user testing the functionality and interaction of the application or piece of software. This testing can involve interacting with the interface, i.e. buttons, and testing to see whether the intended result is returned. No knowledge of programming or understanding of the program is necessary for this type of testing.

20
Q

What is Grey-Box Testing?

A

Partial knowledge. This testing process is the most popular for things such as penetration testing. It is a combination of both black-box and white-box testing processes. The tester will have some limited knowledge of the internal components of the application or piece of software.

21
Q

What is White-Box Testing?

A

Full knowledge. This testing process is a low-level process usually done by a software developer who knows programming and application logic. The tester will be testing the internal components of the application or piece of software and, for example, ensuring that specific functions work correctly and within a reasonable amount of time.

22
Q

What are the Rules of Engagement (ROE)?

A

The ground rules that both the organization and the penetration tester must abide by (comply with).

23
Q

What elements can you find in the ROE document?

A
  • Executive Summary: Overarching summary of all contents and authorization within RoE document
  • Purpose: Defines why the RoE document is used
  • References: Any references used throughout the RoE document (HIPAA, ISO, etc.)
  • Scope: Statement of the agreement to restrictions and guidelines
  • Definitions: Definitions of technical terms used throughout the RoE document
  • Rules of Engagement and Support Agreement: Defines obligations of both parties and general technical expectations of engagement conduct
  • Provisions: Define exceptions and additional information from the Rules of Engagement
  • Ground Rules: Define limitations of the red team cell’s interactions
  • Points of Contact
  • Authorization: Statement of authorization for the engagement