How to do a serious pentest.

Started by Stolas, October 18, 2012, 10:47:29 AM


Stolas

In this how-to I am going to describe how to do a serious pentest in a short time span (two weeks).
The reason I write this is that I think a lot of people really "don't get" it.
A lot of people #even professionals# are completely dependent on third-party tools; a lot of "pentest" companies use Nessus, import this into MSF, launch a bunch of exploits,
get some shells and call it quits. And if Metasploit fails, a lot of people just leave it be.

Therefore I feel smug enough to tell everybody how to do it properly in a short time span, just two weeks.
First we determine the parts of a pentest. These are:
- Legal
- Reconnaissance
- Attack
- Maintaining Access
- Reporting

All of them are important. And remember, NEVER do something before the previous step is completed.

First you need to get legal in order. The best way of doing this is to get a lawyer to do all of this.
And don't even show your face or let them hear your voice. You're going to need these to con the CEO, CISO and Secretary.
Get everything in writing, put the original in your safe and make copies to always have with you when you are 'on the job'; this is so you can actually escape if you get caught.
If you don't have this contract on you, you might have a very nasty evening with law officials.
Consult with your lawyer on whether you are required to inform local law enforcement in the area where you are doing this attack.
I assume the contract and initial payment is made on Monday #day 0#. 

Reconnaissance
[[  Will be added if people are interested in this  ]]

Attack
[[  Will be added if people are interested in this  ]]
[[
    Here I'll go on about a serious attack factor. More so than Nessus->MSF->Shell.
    I'll examine the attack factors in this part, these are.
    User -> Social Engineer your way in.
    Application -> 0day attack, and 0day development in a short time span.
    Network -> Gaining access and escalate
    Physical -> Lock pick, look at video cameras
]]

Maintaining Access
[[  Will be added if people are interested in this  ]]

Reporting
[[  Will be added if people are interested in this  ]]


I've just written the first part of this as I need to get my ego stroked before I finish this write-up.
I hope people are interested in a write-up like this, and if so, I'll gladly finish this write-up.

- Stolas
Whenever you think you can or can't, you're right.

ostendali

Feel free to write up whatever you'd like....
Recently we were contacted by Pentest Magazine (pentestmag.com) and they asked us for a dedicated edition of the magazine entirely on BackBox; we did it and it was published in the September issue... I mention this because it was all based on a real pentesting case....
I am not sure if you can get a free copy from pentestmag.com, but there's no harm in trying....

break0x90

Stolas,

I think that your thread would be very interesting in all of its steps. I'm not a professional pen tester but I'm very interested to understand and to know how a serious pen tester works.. especially the reporting methods/standards ;)

weVeg

This book [1] covers all the steps needed for a pen test very well. Stolas, if you need help we can write a little tut with "4 hands". I've made a little summary of the book; if you want it, PM me =)
I think that you have had a great idea!
Bye

[1] Penetration_Tester_Open_Source_Toolkit_3rd-[Jeremy_Faircloth]-(2011)
A free voice is always liberating
under_r00t

Stolas

Quote from: break0x90 on October 18, 2012, 02:37:48 PM
I think that your thread would be very interesting in all of its steps.

Thanks, that's exactly what I wanted to hear. You've stroked my Ego.
I'll continue writing this with at least one more part. (w00tw00t), I've contacted weVeg about adding two hands.

Cheers,
- Stolas
Whenever you think you can or can't, you're right.

break0x90

OK, thanks!
I will be waiting for the rest!!!!

@weVeg..... maybe..... do you have the ebook? If so, PM me!!

joker__

Great job, Stolas. This is a really nice way of learning & teaching. Many thanks for the time you're dedicating to it.
We're waiting for the sequel^^

joker__
http://piecesofsheets.wordpress.com/ [soon in English]

Stolas

Small Update,

I've communicated with weVeg over PM's about this.
We are going to finish this work together. Although due to the fact that we don't have an easy way of communicating the initialisation of this is quite slow.

Writing this is something I do between work and hacking code. So the writing speed might be limited. Although I really hope that when weVeg and I have found a stable way of communicating it will speed-up a lot.

Also, during the evenin' times I am often either Playing Chess, Shooting Demons (Doom]|[) on my PS3, Hacking code (Some openSource projects) or spending time with my Girl.

I hope I've made it clear that I am working on it, but it might not be that fast. Most of this I write while traveling to and from work, during lunch etc etc.

Also, my Employer has recently shot IRC on our network =(
This is due to some anti-botting we have enforced. So, I can only communicate with weVeg with PM.


Hope to write a small next part soon. It might not be in chronological order, as I really want to add the part about the actual attack before the dull reporting and reconnaissance phase =P

Cheers,
 - Stolas
Whenever you think you can or can't, you're right.

zerohat

This topic is well covered in the pentest community and doesn't need another kind of 'interpretation'!

- from a technical point of view, the right place would be: PTES, http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines
- from a methodology point of view, the right place would be: OSSTMM, http://www.isecom.org/research/osstmm.html
..and of course, real skills on all OSI layers (so don't try to be the l33t tester in everything, impossible - be smart and use other folks' skillsets!)


The most key part always missing in most pentest activities (and mentioned a thousand times in the community):
- serious documentation & reporting which is readable by the average IT folks!

...BTW: I really miss that dradis framework (http://dradisframework.org/) is not installed by default in blackbox! This is one of the best documentation tools you can find for distributed pentest teams (simple, fast & flexible)



...so long, zerohat
old'school security guy...

Stolas

Well, that is (as I said on IRC (I really should have posted it here)) the reason why I quit writing this.
Just read the PTES. The reason I started is that the PTES is VERY VERY thick material for newbs. ;)

But yea, PTES is the way to go.
Whenever you think you can or can't, you're right.