penetration testing reporting and methodology
TRANSCRIPT
![Page 1: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/1.jpg)
Penetration testing reporting and methodology
Rashad AliyevPhD. Lourdes Peñalver
Cordoba, Spain25.09.2015
Keywords: PenTest, Penetration Testing, Network testing, bug bounty, InfoSec, Cyber Secyrity
![Page 2: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/2.jpg)
2
What is Penetration testing
Penetration testing reporting and methodology * CEH Materials
![Page 3: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/3.jpg)
3
Why Penetration testing?
Penetration testing reporting and methodology
Security Audit
Vulnerability Assessment
Penetration Testing
A security audit just checks whether the organization is following a set of standard security policies and procedures
A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability
Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in system can be successfully exploited by attackers
![Page 4: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/4.jpg)
4
Audit vs Penetration testing?
Penetration testing reporting and methodology
Audit Penetration testing
Check set of standards Find vulnerabilities
- Foot printing
- Exploiting
Create report by standards Generate report
![Page 5: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/5.jpg)
5
Types
Penetration testing reporting and methodology
• Internal, External(1)
• Blackbox, Whitebox(2), Greybox(3)
• Announced, Unannounced(1)
• Passive, Active scans• Automated, Manual(1)
1. CEH course modules2. A Penetration Testing Model. Federal Office for Information Security (BSI), Bonn. P143. Using w3af to achieve automated penetration testing by live DVD/live USB. P1-2
![Page 6: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/6.jpg)
6
Methodologies
Penetration testing reporting and methodology
• Planning, Discovery, Exploiting, Reporting*
• Preparation, Anonymity, Foot Printing, Analysis, Exploiting, Reporting, Advisory**
• Preparation, Reconnaissance, Analysis of Information / Risks, Active Intrusion Attempts, Final Analysis / Clean-Up***
• Planning, Discovery, Attack, Reporting****
* A. Bechtsoudis, N. S. Aiming at Higher Network Security Through Extensive Penetration Tests IEEE Latin America Transactions,
2012, 10, 1752 - 1756
** Parvin Ami, A. H. Seven Phrase Penetration Testing Model International Journal of Computer Applications, 2012, 59, 16-20
***Study A Penetration Testing Model Federal Office for Information Security (BSI), 2003
**** Scarfone, K. A.; Souppaya, M. P.; Cody, A. & Orebaugh, A. D. SP 800-115. Technical Guide to Information Security Testing and
Assessment National Institute of Standards and Technology, National Institute of Standards & Technology, 2008
![Page 7: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/7.jpg)
7
Used Methodology
Penetration testing reporting and methodology
Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.*---* SANS Institute, Penetration Testing: Assessing Your Overall Security Before Attackers Do
![Page 8: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/8.jpg)
8
The Problem
Penetration testing reporting and methodology
×Format
×Compare
×Systematiz
e
There are not a standard format for penetration testing
There are not a system for comparing if you have 2 different reports.
There are not a method to help us to do reports and generating one
![Page 9: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/9.jpg)
Report format - StylesAmerican Psychological Association (APA) Style[1]
Page design, Document Control, List of Report Content, Executive Summary, Methodology, Detail findings, References, Appendices, Glossary [2]
A Cover Sheet, The Executive Summary, Summary of Vulnerabilities, Test Team Details, List of the Tools Used, A copy of the original scope of work, The main body of the report, Final delivery [3]
[1] Thomas Wilhelm. Professional Penetration Testing. Syngress, 2009.[2] Mansour A Alharbi. Writing a penetration testing report. SANS Institute, April 2010.[3] Mike Sheward. The art of writing penetration test reports. January 2012.
Penetration testing reporting and methodology
![Page 10: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/10.jpg)
Report format – Our Idea– For top management
• Title page• Executive Summary
– For technical workers• Title page• Executive Summary• Test Team Details• Summary of Vulnerabilities• References,• Glossary
Penetration testing reporting and methodology
![Page 11: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/11.jpg)
11
Idea
Penetration testing reporting and methodology
Reporting- Generate Report- Compare Reports
Exploiting - Send attack result
Foot printing- Upload scan result- Send bug- View results
Planning - Penetration tests
01
02
03
04
![Page 12: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/12.jpg)
12
Site for Penetration testing
Planning
Foot printing
Exploiting
www.penteston.com
Penetration testing reporting and methodology
-
-
-
Reporting-
![Page 13: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/13.jpg)
13
01. Planning
Penetration testing reporting and methodology
Test name
Scope of Work
Contract or NDA
Conduct (Whitebox, Greybox, Blackbox)
Type (Internal, External, Application-layer, Network-layer)
Team detail
010203040506
![Page 14: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/14.jpg)
14
02. Foot Printing
Penetration testing reporting and methodology
- Multiple alerTs- From one of scanners- Upload file
Foot Printin
g
- Manual send alert- Detailed information about alert
Scan resport Alert
![Page 15: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/15.jpg)
15
03. Exploiting
Penetration testing reporting and methodology
Alert Level - Low, Medium or High level of alert
Detailed information about alert
01
02
![Page 16: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/16.jpg)
16
04. Reporting & CompareDetailed report for developers
Short key information's for managers
Report for managers
Archive
Staff
For compare reportsCompare
Style
Penetration testing reporting and methodology
![Page 17: Penetration testing reporting and methodology](https://reader035.vdocument.in/reader035/viewer/2022062310/589ff23c1a28ab46598b4e7d/html5/thumbnails/17.jpg)
17
Future Work
Open beta testing Start analyzing for new features
Get new features
In
process
In
process
In
process
In
process
Penetration testing reporting and methodology
Finish small works on project