Planning and Scoping Penetration Tests Flashcards

1
Q

What is Vulnerability Assessment?

A

The practice of evaluating a computer system, a network, or an application to identify potential weaknesses. It is typically performed using an automated tool, which produces a list of vulnerabilities based on known signatures. Many of these can be false positives or not actually exploitable.

2
Q

What is Penetration Testing?

A

Penetration testing, or pen testing, goes beyond simple vulnerability testing. It seeks to exploit vulnerabilities and produce evidence of success as part of its report. It often includes social engineering and testing of physical controls, as well as testing technical weaknesses.

3
Q

What occurs during the Planning phase?

A

Most recognized pen test processes include a planning phase. Depending on the authority that promulgates the process, this phase might also include identifying the scope of the engagement, documenting logistical details, and other preliminary activities that need to occur before the commencement of the pen test.
Reconnaissance: In the reconnaissance phase, the tester gathers information about the target organization and systems prior to the start of the pen test. This can include both passive information gathering, such as collecting publicly available information about the organization, and deliberate acts, such as scanning ports to detect possible vulnerabilities.

4
Q

What occurs during the Scanning phase?

A

The scanning phase is generally a bit more in depth than the reconnaissance phase. This is where vulnerability assessment begins. Static and dynamic scanning tools evaluate how a target responds to intrusions.

5
Q

What occurs during the Gaining Access phase?

A

This phase is when actual exploitation begins: the information gained during reconnaissance and scanning is applied to attack target systems.

6
Q

What occurs during the Maintaining Access phase?

A

In this phase, the pen testers install mechanisms allowing them to continue to access the system. This phase is also where pen testers reach deeper into the network by accessing other network systems.
Covering tracks: This phase concentrates on obliterating evidence that proves an exploit occurred. It generally consists of two facets: avoiding real-time incident response efforts and avoiding post-exploit forensic liability.

7
Q

What occurs during the Analysis phase?

A

In this phase, the pen tester gathers all the information collected, identifies root causes for any vulnerabilities detected, and develops recommendations for mitigation.

8
Q

What occurs during the Reporting phase?

A

The reporting phase is where the information from testing and analysis is officially communicated to the stakeholders. Although reporting requirements can vary due to customer needs or statutory regulations, most pen test reports list:
• Vulnerabilities detected.
• Vulnerabilities exploited.
• Sensitive data accessed.
• How long the pen tester had access.
• Suggestions and techniques to counteract vulnerabilities.
infrastructure, the specific needs of an organization should guide the need for additional or different process stages for pen testing.

9
Q

What is Nmap?

A

An open source network scanner used for network discovery and auditing. It can discover hosts, scan ports, enumerate services, fingerprint operating systems, and run script-based vulnerability tests.

10
Q

What is Nikto?

A

An open source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems that occur with some web server software versions. It is included with Kali Linux.

11
Q

What is OpenVAS?

A

(Open Vulnerability Assessment System) An open source software framework for vulnerability scanning and management.

12
Q

What is SQLmap?

A

An open source database scanner that searches for and exploits SQL injection flaws. It is included with Kali Linux.

13
Q

What is Nessus?

A

A proprietary vulnerability scanner developed by Tenable Network Security. Initially open source, it scans for vulnerabilities, misconfigurations, default passwords, and susceptibility to denial of service (DoS) attacks. It can also be used for preparation for PCI DSS audits.

14
Q

What is Hashcat?

A

A free password recovery tool that is included with Kali Linux and is available for Linux, OS X, and Windows. It supports a very wide range of hashing algorithms and password cracking methods. Hashcat claims to be the fastest recovery tool available.

15
Q

What is Medusa?

A

A command-line-based free password cracking tool that is often used in brute force password attacks on remote authentication servers. It claims to specialize in parallel attacks, with the ability to locally test 2,000 passwords per minute.

16
Q

What is THC-Hydra?

A

A free network login password cracking tool that is included with Kali Linux. It supports a number of authentication protocols.

17
Q

What is John The Ripper?

A

A free password recovery tool available for Linux, 11 versions of Unix, DOS, Win32, BeOS, and OpenVMS. It is included with Kali Linux.

18
Q

What is Cain and Abel?

A

A free password recovery tool available for Windows that is sometimes classified as malware by some antivirus software.

19
Q

What is Mimikatz?

A

An open source tool that enables you to view credential information stored on Microsoft Windows computers. It is also included with Kali Linux.

20
Q

What is Whois?

A

A protocol that queries databases that store registered users or assignees of an Internet resource, such as a domain name.

21
Q

What is Nslookup?

A

A Windows command-line utility that queries DNS and displays domain names or IP address mappings, depending on the options used.

22
Q

What is FOCA?

A

(Fingerprinting and Organization with Collected Archives) A network infrastructure mapping tool that analyzes metadata from many file types to enumerate users, folders, software and OS information, and other information.
theHarvester: A tool included with Kali Linux that gathers information such as email addresses, subdomains, host names, open ports, and banners from publicly available sources.

23
Q

What is Shodan?

A

A search engine that returns information about the types of devices connected to the Internet by inspecting the metadata included in service banners.

24
Q

What is Maltego?

A

A proprietary software tool that assists with gathering open source intelligence (OSINT) and with forensics by analyzing relationships between people, groups, websites, domains, networks, and applications. A community version named Maltego Teeth is included with Kali Linux.

25
Q

What is Recon-ng?

A

A web reconnaissance tool that is written in Python and is included with Kali Linux. It uses over 80 “modules” to automate OSINT. Some of its features include: search for files, discover hosts/contacts/email addresses, snoop DNS caches, look for VPNs, look up password hashes, and perform geolocation.

26
Q

What is Aircrack-ng?

A

A suite of wireless tools, including airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng. Included with Kali Linux, the suite can sniff and attack wireless connections, and crack WEP and WPA/WPA2-PSK keys.

27
Q

What is OWASP ZAP?

A

(Open Web Application Security Project Zed Attack Proxy) An open source web application security scanner.
Burp Suite: An integrated platform included with Kali Linux for testing the security of web applications. Acting as a local proxy, it allows the attacker to capture, analyze, and manipulate HTTP traffic.

28
Q

What is SET?

A

(Social Engineer Toolkit) An open source pen testing framework included with Kali Linux that supports the use of social engineering to penetrate a network or system.

29
Q

What is Ncat?

A

An open source command-line tool for reading, writing, redirecting, and encrypting data across a network. Ncat was developed as an improved version of Netcat.

30
Q

What is Netcat?

A

An open source networking utility for debugging and investigating networks. It can be used to create TCP/UDP connections and inspect them.

31
Q

What is Wireshark?

A

An open source network protocol analyzer that is included with Kali Linux. It can be used to sniff many traffic types, re-create entire TCP sessions, and capture copies of files transmitted on the network.

32
Q

What is hping?

A

A free packet generator and analyzer for TCP/IP networks. Often used for firewall testing and advanced network testing, hping3 is included with Kali Linux.

33
Q

What is Searchsploit?

A

A tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive.

34
Q

What is Metasploit Framework?

A

A command-line-based pen testing framework developed by Rapid7 that is included with Kali Linux and that enables you to find, exploit, and validate vulnerabilities. Metasploit also has GUI-based commercial and community versions.

35
Q

What is a MSA?

A

A master service agreement (MSA) is an agreement that establishes precedence and guidelines for any business documents that are executed between two parties. It can be used to cover recurring costs and foreseen additional charges during a project without the need for an additional contract.

36
Q

What is an NDA?

A

A non-disclosure agreement (NDA) is a business document that stipulates the parties will not share confidential information, knowledge, or materials with unauthorized third parties.

37
Q

What is a SOW?

A

A statement of work (SOW) is a business document that defines the highest level of expectations for a contractual arrangement. It typically includes a list of deliverables, responsibilities of both parties, payment milestones and schedules, and other terms. Because this document details what the client is paying for, it has a direct impact on team activities. It can also be used by the pen test team to charge for out-of-scope requests and additional client-incurred costs.

38
Q

Written authorization documents help control the amount of ___ incurred by the pen tester.

A

Liability

39
Q

What do most written authorization documents include?

A

• Who the proper signing authority is, or who can authorize that the pen testing can take place. This includes a statement that the undersigned is a signing authority for the organization.
• Who is authorized to perform the pen test.
• What specific networks, hosts, and applications can be tested.
• The time period that the authorization is active.

40
Q

What are Export restrictions?

A

In the United States, export controls regulate the shipment or transfer of certain items outside of the US. These items can include software, technology, services, and other controlled items. Other nations might have similar restrictions on the sharing of certain items outside their borders.

41
Q

How do Local and national governmental restrictions affect the PenTest?

A

It is highly probable that governmental restrictions control the use of technology and tools used during the pen testing process. This includes not only the technology and tools, but also the information gathered by the testers and even the actual process of exploiting computer systems, such as port scanning.

42
Q

How do Corporate/Organizational policies affect the PenTest?

A

Many companies and organizations now have specific policies that regulate pen testing activities, so you will need to be aware of any particular restrictions adopted by the company or organization that is undergoing pen testing.

43
Q

Before embarking on the pen test process, it is imperative that you ___ for the engagement.

A

Plan

44
Q

What is the goal of a pen test plan?

A

The goal of a pen test plan is to clearly define the parameters of the pen test engagement.

45
Q

What are WSDL and/or WADL (Web Services Description Language and Web Application Description Language) files?

A

XML documents that describe SOAP-based or RESTful web services.

46
Q

What is a SOAP project file?

A

A file that enables you to test SOAP-based web services. These files often are created from the information in a WSDL file or service.

47
Q

What is SDK documentation?

A

Documentation for a collection of development tools that support the creation of applications for a certain platform.

48
Q

What is Swagger documentation?

A

The REST API equivalent of a WSDL document.

49
Q

What is an XSD file?

A

A document that defines the structure and data types for an XML schema.

50
Q

What are Sample application requests?

A

Like test code or code snippets, sample app requests can assist pen testers in gaining access to resources.

51
Q

What are architectural diagrams?

A

Visual representation of an application’s architecture can reveal points of weakness in the app’s construction, while network maps can help identify those hosts that might be good potential access points.

52
Q

What is Confidentiality of findings?

A

During the course of any pen test, it is assumed that there is a great possibility of sensitive information being discovered by the testing team. To further reinforce the SOW and any other legal documentation in effect, the client is very likely to include confidentiality provisions within the engagement plan. This helps to ensure that the information discovered during the pen test is shared only with the appropriate entities.

53
Q

What is knowns vs. unknowns?

A

Although most resources and requirements will be known at the onset of the engagement, others might arise during the actual performance of the pen test. A comprehensive pen test plan will recognize this and include language that allows for some adjustment during the process.

54
Q

___ often drives the scope of the penetration test.

A

Budget

55
Q

A comprehensive pen test plan should not only include what should be tested, but it should also describe anything that is specifically ___ from the test engagement.

A

Excluded

56
Q

What are the rules of engagement?

A

A document or section of a document that outlines how the pen testing is to be conducted. They describe the expectations of the client and the rights and limitations of the test team.

57
Q

What is the Timeline portion of the rules of engagement?

A

The timeline of a pen test engagement is a clear enumeration of the tasks that are to be performed as part of the engagement, and the individuals or teams responsible for performing those tasks. As the engagement progresses, stakeholders can use the timeline as a progress indicator, and adjust it as needed during the engagement to account for any unexpected events. The timeline is often shared with stakeholders in a Gantt chart format.

58
Q

What is the Location portion of the rules of engagement?

A

The location of the test team in relation to the client organization needs to be agreed upon. Depending on factors such as how many locations an organization occupies, whether or not remote installations are in different nations, and what sort of remote technology is available to access multiple locations, the parties should agree and record the amount of travel required, if any, to conduct the pen test.

59
Q

What is the Temporal restrictions for testing in the rules of engagement?

A

The location of the test team in relation to the client organization needs to be agreed upon. Depending on factors such as how many locations an organization occupies, whether or not remote installations are in different nations, and what sort of remote technology is available to access multiple locations, the parties should agree and record the amount of travel required, if any, to conduct the pen test.

60
Q

What is the Test boundaries of the rules of engagement?

A

What's being tested, and what is not? Define the acceptable actions, such as social engineering and physical security tasks. If invasive attacks, such as DoS attacks, are part of the testing, are there any restrictions on their use?

61
Q

What is the Transparency of testing portion of the rules of engagement?

A

At the client organization, who will know about the pen testing? For the test team, what information will be provided prior to the start of the engagement?

62
Q

What occurs during the Reconnaissance phase?

A

In the reconnaissance phase, the tester gathers information about the target organization and systems prior to the start of the pen test. This can include both passive information gathering, such as collecting publicly available information about the organization, and deliberate acts, such as scanning ports to detect possible vulnerabilities.

63
Q

What is Impact Analysis?

A

When planning a test, the pen test team will advise the client on potential impacts to different types of systems. This will be informed by target type, criticality to the business, and testing approach. The analysis should also allow for unforeseen impacts. Both sides must work together to manage the risk ahead of time, as well as have clear communication protocols and remediation plans in place to minimize any impact that may actually occur. There should be clear triggers, escalation procedures, and timelines for alerting the other side in case of an incident. Depending on the client’s risk appetite, some systems may get more attention and faster response than others.

64
Q

What is remediation?

A

The implementation of a solution for a given vulnerability.

65
Q

What is a Remediation timeline?

A

When taken into consideration with impact analysis, organizations can choose to address the highest-risk issues first, or they might decide to address issues that can be quickly or inexpensively resolved. There might also be issues that an organization could decide not to address, and thus accept the risk associated with those vulnerabilities.

66
Q

What is a Point In Time Assessment Clause?

A

This clause should state that the pen test results have a limited life cycle and are not to be interpreted as a security guarantee. In fact, even one configuration change could cause the pen test report to be outdated. When an organization schedules periodic pen tests with the same or even different testing teams, any repercussions from configuration changes can be identified and remedied.

67
Q

What does a comprehensiveness clause detail?

A

The boundaries with regard to scope, price, and time frame. It can also acknowledge that not every vulnerability might be found during an engagement.

68
Q

Guidelines for Planning Pen Test Engagements?

A

Consider the following guidelines as you plan your pen test engagements:
• Be sure that you understand the target audience.
• Identify the resources and requirements that will govern and facilitate the pen test engagement.
• Determine any budget restrictions that might affect the engagement.
• Document any technical constraints that will affect the engagement.
• Clearly define the rules of engagement.
• Develop impact analysis and remediation timelines.
• Identify any disclaimers that will affect the engagement.