Penetration Testing Standards

binsec academy GmbH Pentest Training

It is normal for the quality of a product to differ from service provider to service provider. Naturally, this also applies to penetration tests. We have already mentioned that a penetration test should identify at least all the low-hanging fruit. The foundation for this is provided by testing with a standardised procedure. A concrete procedure is needed to achieve reproducible results and to ensure that no obvious vulnerabilities go undetected. Generally speaking, there are no specifications for this, only guidelines. A professionally performed penetration test is therefore based on so-called penetration testing standards.

And for those of you who previously had the pleasure of working with a standard, good luck remembering the contents. Standards make for excellent bedtime reading, as you might imagine. Our job is to derive our own process from all the penetration testing standards. The more serious we are in undertaking this task, the more meaningful the results of a penetration test will be. Potential clients are also interested in our methodology, which we can then present convincingly. The technical implementation and the commands, however, remain our “trade secret”, which differentiates us from other pentesters.

All of us already have some hacker spirit within us: to target a particular company like Dubius Payment Ltd., we first need to know our objectives. In our case, that would be the network ranges. In addition to that, we will require information about the servers and the accessible services contained therein in order to identify and exploit vulnerabilities. This gives us a general idea of how to proceed. But which technologies do we need to review in detail?

In chapter 6.5 of “A Penetration Testing Model”, the BSI describes modules for information gathering and active intrusion attempts. These are also referenced in the OSSTMM. The OSSTMM (Open Source Security Testing Methodology) is a publicly available guide for carrying out security tests. A pioneer in the security of web applications, on the other hand, is the non-profit organisation Open Web Application Security Project (OWASP). The OWASP Testing Guide examines the vulnerabilities that should be investigated in a web application. Furthermore, the OWASP Top 10 project lists the ten most common vulnerabilities in web applications.

Basically, the procedure depends on the selected IT system. For example, we cannot apply the same process to examine the IT infrastructure of mobile applications, as other vulnerabilities must be considered in this case.

Using the penetration testing standards, create your own procedure to successfully take over the networks of Dubius Payment Ltd. When documented in an organised manner, your procedure may be used as a checklist for the subsequent penetration test. Besides cherrytree, Obsidian or MarkText, do you have your own tool for keeping notes?


 1. Information gathering
    (a) Collect user names of the company
        -> LinkedIn, Facebook
    (b) Identify network areas
        -> [Command]
 2. Service enumeration
    (a) [..]
