
PENTESTING METHODOLOGY (EN)

Hello everybody,

In this post we explain the methodology to follow when working through machines and labs:

Pentesting is a series of simulated attacks against a system with the sole purpose of finding and fixing vulnerabilities so that they cannot be exploited. These audits begin by gathering information about organisations, employees, users, systems and devices from open-access sources. Finally, a report is generated indicating whether an attack would succeed, why, and what information or access an attacker would obtain.

A pentest is usually divided into several phases, between 5 and 7, following a methodology so that the information obtained can be structured as appropriately as possible:

Scope

This is the first step before carrying out the audit: the pentester meets with the client to agree on the scope of the audit.

Purpose or scope

Different types of tests and attacks are offered to find weaknesses, according to the client’s requirements.

Types of audit

  • Black box: the pentester does not know any customer data and acts outside the customer’s network.
  • Grey box: the pentester acts as a client or user of the company where the audit is performed.
  • White box: the pentester acts as an internal user and has access to all the client’s systems.

The pentester must sign an agreement with the client stating that they will not disclose any information found and that they will access only the systems indicated by the client, since the auditor’s actions could compromise the functioning of the systems and expose personal data.

Reconnaissance

This phase will depend on the type of audit established:

Black box

The pentester should obtain as much information as possible from open and accessible sources, usually through OSINT (Open-Source Intelligence) techniques.

Grey/white box

The pentester enumerates all the services available on the agreed systems in order to attack them in the following phases.

Vulnerability assessment

In this phase, all potential vulnerabilities in the audited systems are searched for and identified. These may include weak or default passwords, vulnerabilities in outdated services, or misconfigurations that allow ordinary users to perform highly privileged tasks.

Intrusion

Once the vulnerabilities present in the system have been discovered, an action plan is drawn up to attempt to gain access, defining the techniques and tools that will be used to exploit them.

Post-Exploitation

After gaining access as a low-privileged user (if this happens), the pentester tries to obtain administrative privileges in order to install a backdoor and gain persistence on the systems.

Collection and removal of “fingerprints”

After the vulnerabilities have been exploited, the compromised systems must be cleaned up: any scripts, binaries or other files used temporarily must be removed. The system configuration must also be restored to its state before the audit, and the backdoor must be removed.

Report

In this last phase, two types of reports must be produced:

Technical report

All the vulnerabilities found, together with their possible solutions, are described in detail; this report is addressed to the client’s technical team.

Executive report

It is written in business terms, identifying the risks and the results obtained, so that the client can decide which points to fix and which risks it can accept; it is aimed at the client’s management and financial decision-makers.

Greetings.

This post is licensed under CC BY 4.0 by the author.