As we all know, penetration testing follows a standard. There are various standards, such as the Open Web Application Security Project (OWASP), the Open Source Security Testing Methodology Manual (OSSTMM), the Information Systems Security Assessment Framework (ISSAF), and so on. Most of them follow the same methodology, but the phases have been named differently. We will take a look at each of them in the following sections and cover the Penetration Testing Execution Standards (PTES) in detail.
Pentesting 101
OWASP
OWASP is a worldwide not-for-profit charitable organization that focuses on improving the security of software.
It's a community of like-minded professionals who release software and knowledge-based documentation on application security, covering such subjects as:
- Information gathering
- Configuration and deployment management testing
- Identity management testing
- Authentication testing
- Authorization testing
- Session management testing
- Input validation testing
- Error handling
- Cryptography
- Business logic testing
- Client-side testing
Open Source Security Testing Methodology Manual (OSSTMM)
As mentioned on their official website, this is a peer-reviewed manual of security testing and analysis, providing verified facts. These facts provide actionable information that can measurably improve your operational security.
The OSSTMM includes the following key sections:
- Operational security metrics
- Trust analysis
- Work flow
- Human security testing
- Physical security testing
- Wireless security testing
- Telecommunications security testing
- Data networks security testing
- Compliance regulations
- Reporting with the Security Test Audit Report (STAR)
Information Systems Security Assessment Framework (ISSAF)
ISSAF is not very active, but the guide it has provided is quite comprehensive. It aims to evaluate the information security policy and process of an organization with regard to its compliance with IT industry standards, along with laws and regulatory requirements. The current version of ISSAF is 0.2.
The stages that it covers can be found at https://www.owasp.org/index.php/Penetration_testing_methodologies.
Penetration Testing Execution Standard (PTES)
This standard is the most widely used standard and covers almost everything related to pentesting.
PTES is divided into the following seven phases:
- Pre-engagement interactions
- Intelligence gathering
- Threat modeling
- Vulnerability analysis
- Exploitation
- Post-exploitation
- Reporting
Let's take a brief look at what each of these phases involves.
Pre-engagement interactions
These actions involve multiple processes to be carried out before an activity kicks off, such as defining the scope of the activity, which usually involves mapping the network IPs, web applications, wireless networks, and so on.
Once the scoping is done, lines of communication are established across both the vendors and the incident reporting process is finalized. These interactions also include status updates, calls, legal processes, and the start and end dates of the project.
Intelligence gathering
This is a process that is used to gather as much as information as possible about the target. This is the most critical part of pentesting, as the more information we have, the more attack vectors we can plan to perform the activity. In case of a whitebox activity, all this information is already provided to the testing team.
Threat modeling
Threat modeling model depends on the amount of information gathered. Depending on that, the activity can be divided and then performed using automated tools, logical attacks, and so on. The following diagram illustrates an example of a mindmap of a threat model:
Vulnerability analysis
This is a process of discovering flaws that can be used by an attacker. These flaws can be anything ranging from open ports/service misconfiguration to an SQL injection. There are lots of tools available that can help in performing a vulnerability analysis.
These include Nmap, Acunetix, and Burp Suite. We can also see new tools being released every few weeks.
Exploitation
This is a process of gaining access to the system by evading the protection mechanism on the system based on the vulnerability assessment. Exploits can be public, or a zero day.
Post-exploitation
This is a process where the goal is to determine the criticality of the compromise and then maintain access for future use. This phase must always follow the rules of the engagement that is protecting the client and protecting ourselves (covering the tracks as per the activity's requirements).
Reporting
This is one of the most important phases, as the patching of all the issues totally depends on the details presented in the report. The report must contain three key elements:
- Criticality of the bug
- Steps of reproduction of the bug
- Patch suggestions
In summary, the pentest life cycle phases are presented in the following diagram:
