Penetration Testing Execution Standard

Reporting
1. Executive-Level Reporting
  1. Business Impact
  2. Customization
  3. Talking to the business
  4. Affect bottom line
  5. Strategic Roadmap
  6. Maturity model
  7. Appendix with terms for risk rating
  8. Timeline of attack / Gant chart of timeline
  9. Quantifying the risk
    1. Evaluate incident frequency
      1. probable event frequency
      2. estimate threat capability (from 3 - threat modeling)
      3. Estimate controls strength (6)
      4. Compound vulnerability (5)
      5. Level of skill required
      6. Level of access required
    2. Estimate loss magnitude per incident
      1. Primary loss
      2. Secondary loss
      3. Identify risk root cause analysis
      4. Root Cause is never a patch
      5. Identify Failed Processes
    3. Derive Risk
      1. Threat
      2. Vulnerability
      3. Overlap
2. Technical Reporting
  1. Identify systemic issues and technical root cause analysis
  2. Pentest metrics
    1. # of systems in scope
    2. # of scenarios in scope
    3. # of processes in scope
    4. # of times detected
    5. # of vulns/host
    6. % of scope systems exploited
    7. % of succesful scenarios
    8. % of time / phase
    9. (to be expanded)
  3. Technical Findings
    1. Description
    2. Screen shots
      1. Ensure all PII is correctly redacted
    3. Request/Response captures
    4. PoC examples
      1. Ensure PoC code provides benign validation of the flaw
  4. Reproducible Results
    1. Test Cases
    2. Fault triggers
  5. Incident response and monitoring capabilities
    1. Intelligence gathering
      1. Reverse IDS
      2. Pentest Metrics
    2. Vuln. Analysis
    3. Exploitation
    4. Post-exploitation
    5. Residual effects (notifications to 3rd parties, internally, LE, etc...)
  6. Common elements
    1. Methodology
    2. Objective(s)
    3. Scope
    4. Summary of findings
    5. Appendix with terms for risk rating
3. Deliverable
  1. Preliminary results
  2. Review of the report with the customer
  3. Adjustments to the report
  4. Final report
  5. Versioning of Draft and Final Reports
  6. Presentation
    1. Technical
    2. Management Level
  7. Workshop / Training
    1. Gap Analysis (skills/training)
  8. Exfiltarted evidence, and any other raw (non-proprietary) data gathered.
  9. Remediation Roadmap
    1. Triage
    2. Maturity Model
    3. Progression Roadmap
    4. Long-term Solutions
    5. Defining constraints
  10. Custom tools developed
Pre Engagement Interaction
1. Scoping
  1. How to scope
  2. Metrics for time estimation
    1. Estimating project as a whole
    2. Additional support based on hourly rate
  3. Questionaires
    1. Questions for Business Unit Managers
    2. Questions for Systems Administrators
    3. Questions for Help Desk
    4. General Employee Questions
  4. Scope Creep
    1. Specify Start and End Dates
    2. Letter of Amendment (LOA)
      1. LOA - Based on Scope Size, but not overall project direction
      2. LOA - Based on vulnerabilities found during the engagement
      3. LOA - Based on change in the direction of the overall project
    3. Tie back to goals section
  5. Specify IP ranges and Domains
    1. Validate Ranges
  6. Dealing with Third Parties
    1. Cloud services
    2. ISP
    3. Web Hosting
    4. MSSPs
    5. Countries where servers are hosted
  7. Define Acceptable Social Engineering Pretexts
  8. DoS Testing
  9. Payment Terms
    1. Net 30
    2. Half Upfront
    3. Interest
    4. Recurring
      1. Monthly
      2. Quarterly
      3. Semi-Annual
  10. Delphi Scoping
    1. you actually work with the target in iterations... gotta break my noodle on how to get it in here
2. Goals
  1. Identifying goals
    1. primary
    2. secondary
  2. Business analysis
    1. Defining a company's security maturity
  3. Needs analysis
3. Testing terms and definitions
  1. Pentesting Terms Glossary
4. Establish lines of communication
  1. Emergency Contact information
  2. Incident Reporting process
    1. Incident Definiton
    2. Incident Threshold
  3. Status Report Frequency
  4. Establish a Primary POC
  5. PGP and other alternatives (Encryption is not an "option")
  6. Define communication parameters with external 3rd parties (hosting, ...)
5. Rules of Engagement
  1. Timeline
    1. Defining Roadblocks and Gates
    2. Work Breakdown Structure
    3. Assign Responsibilities of the team
    4. When things go wrong - or delayed, how to cope with scope creep, or the client has to pause the pentest
  2. Locations
  3. Exploitation Control (free-form, coordinated, formally monitored...)
  4. Disclosure of Sensitive Information
    1. PII
    2. Credit Card Information
    3. PHI
    4. Other: We cannot contain Security to PII and PHI. Examples: BoA and Wikileaks, Dell, Intel and the Aurora attacks.
  5. Evidence Handling
  6. Regular Status Meetings
    1. Plans
    2. Progress
    3. Problems
  7. Time of the day to test
  8. Dealing with shunning
  9. Permission to Attack
6. Capabilities and Technology in Place
  1. Incident response and monitoring
    1. Ability to detect and respond to information gathering
    2. Ability to detect and respond to footprinting
    3. Ability to detect and respond to scanning and vuln analysis
    4. Ability to detect and respond to infiltration (attacks)
    5. Ability to detect and respond to data aggregation
    6. Ability to detect and respond to data exfiltration
7. Protect yourself
  1. Preparing your Testing System
    1. Encryption
    2. Validate Firewall Rules
    3. Results Scrubbed From Previous Tests
  2. Pre Engagement Checklist
  3. Packet capture
  4. Post Engagement Checklist
Post-Exploitation
1. Infrastructure analysis
  1. netstat etc to see who connections to and from
  2. ipconfig etc to find all interfaces
  3. VPN detection
  4. route detection, including static routes
  5. neighbourhood network/OS X browser (mdns? or bonjour)
  6. Network Protocols in use
  7. Proxies in use
    1. Network Level
    2. Application Level
  8. network layout (net view /domain)
2. High value/profile targets
3. Pillaging
  1. Video Cameras
  2. Data exfiltration through available channels
    1. identify web servers
    2. identify ftp servers
    3. DNS and ICMP tunnels
    4. VoIP channels
    5. Physical channels (printing, garbage disposal, courier)
    6. Fax (on multifunction printers)
  3. Locating Shares
  4. Audio Capture
    1. VoIP
    2. Microphone
  5. High Value Files
  6. Database enumeration
    1. Checking for PPI
    2. card data
    3. passwords/user accounts
  7. Wifi
    1. Steal wifi keys
    2. Add new Wifi entries with higher preference then setup AP to force connection
    3. Check ESSIDs to identify places visited
  8. Source Code Repos
    1. SVN
    2. Git
    3. CVS
    4. MS Sourcesafe
    5. WebDAV
  9. Identify custom apps
  10. Backups
    1. Locally stored backup files
    2. Central backup server
    3. Remote backup solutions
    4. Tape storage
4. Business impact attacks
  1. What makes the biz money
  2. Steal It
  3. Sabotage / Modification
    1. Change Pricing
    2. Change Scientific Process Results
    3. Modify Engineering Designs
5. Further penetration into infrastructure
  1. Botnets
    1. Mapping connectivity in/out of every segment
    2. Lateral connectivity
  2. Pivoting inside
    1. Linux Commands
    2. Windows Commands
    3. Token Stealing and Reuse
    4. Password Cracking
    5. Wifi connections to other devices
    6. Password Reuse
    7. Keyloggers
    8. User enumeration
      1. From Windows DC or from individual machines
      2. Linux passwd file
      3. MSSQL Windows Auth users
      4. Application-specific users
  3. Check History/Logs
    1. Linux
      1. Check ssh known hosts file
      2. Log files to see who connects to the server
      3. .bash_history and other shell history files
      4. MySQL History
      5. syslog
    2. Windows
      1. Event Logs
      2. Recent opened files
    3. Browsers
      1. favourites
      2. stored passwords
      3. stored cookies
      4. browsing history
      5. browser cache files
6. Cleanup
  1. Ensure documented steps of exploitation
  2. Ensure proper cleanup
  3. Remove Test Data
  4. Leave no trace
  5. Proper archiving and encryption of evidence to be handed back to customer
  6. Restore database from backup where necessary
7. Persistance
  1. Autostart Malware
  2. Reverse Connections
  3. Rootkits
    1. User Mode
    2. Kernel Based
  4. C&C medium (http, dns, tcp, icmp)
  5. Backdoors
  6. Implants
  7. VPN with creds
  8. Introduction of Vulnerabilities
    1. Web App Source Modification
      1. Remove Input Validation
      2. Add Extra functionality
    2. Downgrade application version
    3. Reintroduce default account/pwd
    4. Re-enable disabled accounts
Intelligence Gathering
1. Target selection
  1. Admin
  2. High Level Employee
  3. Random Employee
  4. Employee w/ specific access
    1. Engineer
    2. Secretary
    3. Developer
    4. Network Engineer
    5. Accounting
    6. Human Resources
    7. Procurement
    8. Sales
2. OSINT
  1. Corporate
    1. Physical
      1. Locations
      2. owner
      3. land/tax records
      4. shared/individual
      5. timezones
      6. Pervasiveness
      7. Relationhips
    2. Logical
      1. Business Partners
      2. Competetiors
      3. touchgraph
      4. Hoovers profile
      5. Product line
      6. Market Verticle
      7. Marketing accounts
      8. Meetings
      9. signifigant company dates
      10. Board meetings
      11. holidays
      12. anniversarys
      13. product/service launch
      14. job openings
      15. Charity affiliations
    3. Org chart
      1. Position identification
      2. Tansactions
      3. Affiliates
    4. Electronic
      1. Document/metadata leakage
      2. marketing communications
      3. Assets
      4. Network blocks owned
      5. mail addresses
      6. external infrastructure profile
      7. Technologies used
      8. purchase agreements
      9. Remote access
      10. application usage
      11. defense technologies
      12. human capability
    5. Financial
      1. Reporting
      2. market analysis
      3. trade capital
      4. value history
  2. Individual
    1. Employee
      1. History
      2. EDGAR (SEC) data
      3. court records
      4. political donations
      5. professional licenses or registries
      6. SocNet Profile
      7. Metadata leakage
      8. tone
      9. frequency
      10. location awareness
      11. bing map apps
      12. foursquare
      13. google latitude
      14. yelp
      15. Social Media
      16. Facebook / openbook
      17. Linkedin
      18. Xing
      19. twitter
      20. blogger / blogspot
      21. MySpace
      22. wordpress
      23. livejournal
      24. foursquare
      25. yahoo
      26. google profile
      27. Gowalla
      28. entitycube
      29. picasa
      30. Flickr
      31. yfrog
      32. twitpic
      33. PicFog
      34. DeviantArt
      35. aim
      36. irc
      37. icq
      38. qq
      39. JUST USE NAMECHK or something likeit
      40. wikipedia
      41. google groups / newsgroups
      42. Internet Footprint
      43. Email addresses
      44. Usernames/Handles
      45. Personal Domain Names
      46. Static IPs
      47. Bloggosphere
      48. Active updates
      49. physical
      50. logical
      51. Physical location
      52. active
      53. passive
      54. Mobile footprint
      55. Phone #
      56. Device type
      57. Use
      58. Installed applications
      59. owner/administrator
      60. For Pay Information
      61. Background Checks
      62. For Pay Linked-In
      63. LEXIS/NEXIS
      64. Other
3. Covert gathering
  1. on-location gathering
    1. Physical security inspections
    2. wireless scanning / RF frequency scanning
    3. Employee behavior training inspection
    4. accessible/adjacent facilities (shared spaces)
    5. dumpster diving
    6. types of equipment in use
  2. offsite gathering
    1. Datacenter locations
    2. Network provisioning/provider
4. HUMINT (if applicable)
  1. Key employees
  2. Partners/Suppliers
  3. Social Engineering
5. Footprinting
  1. External Footprinting
    1. Identifying Customer Ranges
      1. whois lookup
      2. bgp looking glasses
      3. subsidiaries
      4. third party identification and right to audit
      5. Verification with customer
      6. Newsgroup Headers
      7. Mailing List Headers
      8. Robtex
    2. Passive Reconnaissance
      1. Search Engine Hacking
      2. Google
      3. Yahoo
      4. Bing
      5. Manual browsing
      6. shodan
    3. Active Footprinting
      1. Port Scanning
      2. Banner Grabbing
      3. Zone Transfers
      4. SMTP Bounce Back
      5. Web Application Language Mapping
      6. PHP, ASP, easy targets
      7. Banner Grabbing
      8. SNMP Sweeps
      9. Forward/Reverse DNS
      10. DNS Bruting
      11. Website Mirroring
      12. Robots.txt Harvesting
    4. Establish target list
      1. Mapping versions
      2. Identifying patch levels
      3. Looking for weak web applications
      4. Identify lockout threshold
      5. Error Based
      6. Identify weak ports for attack
      7. Outdated Systems
      8. Virtualization platforms vs VMs
      9. Storage infrastructure
  2. Internal Footprinting
    1. Active Footprinting
      1. Port Scanning
      2. SNMP Sweeps
      3. Zone Transfers
      4. SMTP Bounce Back
      5. Forward/Reverse DNS
      6. Banner Grabbing
      7. VoIP mapping
      8. extensions
      9. special mailboxes
      10. authentication
      11. Arp Discovery
      12. DNS discovery
    2. Passive Reconnaissance
      1. Packet Sniffing
      2. Broadcast Traffic Anaysis
      3. ARP
      4. NetBios
      5. Other UDP
    3. Establish target list
      1. Mapping versions
      2. Identifying patch levels
      3. Looking for weak web applications
      4. Identify lockout threshold
      5. Error Based
      6. Identify weak ports for attack
      7. Outdated Systems
      8. Virtualization platforms vs VMs
      9. Storage infrastructure
6. Identify protection mechanisms
  1. Network protections
    1. "simple" packet filters
    2. Traffic shaping devices
    3. DLP systems
    4. Encryption/tunneling
  2. Host based protections
    1. stack/heap protections
    2. whitelisting
    3. AV/Filtering/Behavioral analysis
    4. DLP systems
  3. Application level protections
    1. Identify application protections
    2. Encoding options
    3. Potential Bypass Avenues
    4. Whitelisted pages
  4. Storage Protection
    1. HBA - Host Level
      1. LUN Masking
    2. Storage Controller
      1. iSCSI CHAP Secret
Exploitation
1. Precision strike
  1. Well researched attack vector
2. Ensure countermeasure bypass
  1. AV
    1. Encoding
    2. Packing
    3. Whitelist Bypass
    4. Process Injection
    5. Purely Memory Resident
  2. Human
  3. HIPS
  4. DEP
  5. ASLR
  6. VA + NX (Linux)
  7. w^x (OpenBSD)
  8. WAF
  9. Stack Canaries
3. Customized exploitation avenue
  1. Best attack for the organization: Possibly move to Precision Strike
  2. Zero day angle
    1. Fuzzing
      1. Dumb Fuzzing
      2. "intelligent" Fuzzing
      3. Code Coverage
    2. Reversing
      1. Deadlisting
      2. Live Reversing
      3. Dealing with Symbol Striping
    3. Traffic Analysis
      1. Protocol Analysis
      2. Reviewing RFCs
      3. Reviewing Development Documentation
      4. Protocol Reversing
  3. Public exploit customization
    1. Changing Memory locations in Existing Exploits
    2. Important for Foreign Pentests
    3. Altering payload
    4. Rewriting shellcode
    5. Add protection bypasses (DEP, ASLR, etc.)
  4. Physical access
    1. Human angle, our pretext
    2. PC access (custom boot CD/USB)
    3. USB
      1. Autorun
      2. Teensy
    4. Firewire
    5. RFID
      1. sniffing
      2. Brute-Force
      3. Replay Attacks
    6. MITM
      1. SSL Strip
      2. Print jobs
      3. Extracting of cleartext protocols
      4. Downgrading attacks
      5. ...
    7. Routing protocols
      1. CDP
      2. HSRP
      3. VSRP
      4. DTP
      5. STP
      6. OSPF
      7. RIP
      8. ...
    8. VLAN Hopping
    9. Other hardware (keystroke loggers, etc)
  5. Proximity access (WiFi)
    1. Attacking the Access Point
      1. Crypto Implementation Attacks
      2. Vulnerabilties in Access Points: Summon Paul Asadorian
      3. Cracking Passwords
      4. 802.1x
      5. WPA-PSK
      6. WPA2-PSK
      7. WPA2-Enterprise
      8. WPA-Enterprise
      9. Ham Radio Surveillance
      10. LEAP
      11. EAP-Fast
      12. WEP
    2. Attacking the User
      1. Karmetasploit Attacks
      2. Attacking DNS Requests
      3. Bluetooth
      4. Personalized Rogue AP
      5. Attacking Ad-Hoc Networks
      6. RFID/Prox Card
    3. Spectrum Analysis
      1. FCC Business Frequency Search
      2. 802.11
      3. 802.11 Wireless collection tools
      4. Previously-collected data (WiGLE)
      5. UHF/VHF/etc.
      6. Microwave
      7. Satellite
      8. Guard Radio Frequencies
      9. Wireless Headset Frequencies
  6. DoS / Blackmail angle
  7. Web
    1. SQLi
    2. XSS
    3. CSRF
    4. Information Leakage
    5. Rest of OWASP top 10
  8. Non-Traditional Exploitation
    1. Business Process Flaws
    2. Configuration / Implementation Errors
    3. Trust Relationships
    4. AirGap Hopping
      1. Ethernet Over Powerline
      2. Hardware Implants
      3. Signaling Channels
      4. Physics
      5. Light (LED Signaling)
      6. Audio
      7. Emanations
      8. Van Eck
4. Detection bypass
  1. FW/WAF/IDS/IPS Evasion
  2. Human Evasion
  3. DLP Evasion
5. Derive control resistance to attacks
6. Exploit Testing
  1. Reproduce Environment for exploit testing/developement
7. Type of Attack
  1. Client Side
    1. Phishing (w/pretext)
  2. Service Side
  3. Out of band
Threat modelling
1. Business asset analysis
  1. This goes beyond PII, PHI and Credit Cards
  2. Define and bound Organizational Intelectual Property
  3. Keys To Kingdom
    1. Trade Secrets
    2. Research & Development
    3. Marketing Plans
    4. Corporate Banking/Credit Accounts
    5. Customer Data
      1. PII
      2. PHI
      3. Credit Card Numbers
    6. Supplier Data
    7. Critical Employees
      1. Executives
      2. Middle Managers
      3. Admins
      4. Engineers
      5. Technicians
      6. HR
      7. Executive Assistants
2. Business process analysis
  1. Technical infrastructure used
  2. Human infrastructure
  3. 3rd party usage
3. Threat agents/community analysis
  1. Internal Users
    1. Executives
    2. Middle Management
    3. Administrators
      1. Network Admins
      2. System Admins
      3. Server Admins
    4. Developers
    5. Engineers
    6. Technicians
  2. Competitors
  3. Nation States
  4. Organized Crime
  5. Weekend Warriors
4. Threat capability analysis
  1. Analysis of tools in use
  2. Availability to relevant exploits/payloads
  3. Communication mechanisms (encryption, dropsites, C&C, bulletproof hosting)
5. Finding relevant news of comparable Organizations being compromised
Vulnerability Analysis
1. Testing
  1. Active
    1. Automated
      1. Network/General Vuln Scanners
      2. Port based
      3. Service based
      4. banner grabbing
      5. Web Application Scanners
      6. General application flaw scanner
      7. directory listing/bruteforcing
      8. webserver version/vuln identification
      9. methods
      10. network vulnerability scanners
      11. vpn
      12. ipv6
      13. Voice Network scanners
      14. War Dialing
      15. VoIP
    2. Manual Direct Connection
    3. obfucsacted
      1. Multiple Exit Nodes
      2. Ids Evasion
      3. Variable Speed
      4. Variable scope
  2. Passive
    1. Automated
      1. Metadata analysis from Intel phase
      2. Traffic monitoring (p0f etc)
    2. Manual
      1. direct connections
2. Validation
  1. Correlation between scanners
  2. Manual testing/protocol specific
    1. VPN
      1. Fingerprinting
    2. Citrix
      1. Enumeration
    3. DNS
    4. Web
    5. Mail
  3. Attack avenues
    1. Creation of attack trees
  4. Isolated lab testing
  5. Visual confirmation
    1. Manual connection w/review
3. Research
  1. Public Research
    1. exploit-db
    2. Google Hacking
    3. Exploit sites
    4. Common/default passwords
    5. Vendor specific advisories
  2. Private Research
    1. Setting up a replica environment
    2. Testing configurations
    3. Identifying potential avenues
    4. Disassembly and code analysis