From the course: CompTIA PenTest+ (PT0-002) Cert Prep

Planning a pen test

- Now, one of the nice things that CompTIA did when they designed the PenTest+ objectives is they designed them in a logical flow. So you can literally start with the first objective and work your way linearly, in numerical order, through to the end of the exam, and that's the way you're probably going to encounter most of the issues in a real penetration test. So to start, what exactly is planning and scoping? It could actually have a subtitle, and that subtitle is "Get permission." Remember, a penetration test is all about pretending to attack a system. So you're really attacking a system, but you're really just kidding. You're pretending. How do you explain that you're just pretending? The answer to that is you go to the system and environment's owner and you get permission to be the bad guy. You do that through written permission. If you don't have written permission, you actually could be liable for any damages, and lots of bad things can potentially happen, so it's important that you always get permission, and you start that process in the planning phase. So we want to plan out our activities, make sure that every activity is authorized, and we also want to scope the engagement. Scoping the engagement is knowing how much work we have to do to complete that engagement. Additionally, we also want to make sure that we don't do extra work. This is important for several reasons. Number one, we may end up doing extra work and impacting other systems we didn't intend to, but from the provider standpoint, you may end up doing extra work for free, because remember, you're only getting paid to do the work within scope. So it's very important that you plan well and scope well, and you have to watch out for that scope changing. This is something we in project management often refer to as scope creep.
Now, scope creep means that you have a series of tasks already defined, and one of the owners or somebody else associated with the project team will come in and go, "Oh, well, you're already scanning this system. Why don't you scan the one next to it? It's real simple, just a little extra effort." And that may be true, and it may not take a lot of extra effort, but generally speaking, when you add any additional tasks to your scope, it starts getting bigger and bigger and bigger and you end up having a lot of extra stuff, and that's what we refer to as scope creep. So watch out for scope creep. It will affect you if you're not careful to make sure that you stop it in its tracks. All right, so how do we start planning a pen test? We start off with a strategy of project management, and there's lots of places that we can figure out how to manage a project. I would highly recommend that you look into reputable project management certifications. If you're already managing projects, you might want to pursue one of those certifications. CompTIA, of course, has their Project+ certification. That gives you an idea of how you can structure a project. But how do we structure a penetration testing project? One place to start can be the Penetration Testing Execution Standard. So, let's take a quick look and go to their website and briefly look at this wonderful resource. So here we're looking at the pentest-standard.org website, and this website is a gold mine of information on how standard pen tests are organized. So if you look at the very top level page, we see that there are main sections. I believe there's seven main sections of a pen test: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. Now, the PenTest+ exam is not based solely on this approach, but this approach really matches the approach that's used in PenTest+, so we're going to use this just as a high level.
I would recommend that you spend some time going to this website and clicking on each one of these, and it helps you structure the activities: what do we do before the test starts? How do I figure out what I want to attack? How do I determine which types of attacks to carry out, and then how do I analyze the data, and finally, how do I communicate that to my client? Those are the steps, and no matter what standard you use, they're probably going to be very similar to this one we see at pentest-standard.org. So why is planning such a big deal? It clearly is the very first entry in the objective list for this exam. So why is it such a big deal? Because if you don't plan, you're just going to be running a bunch of tests, and that's not going to help anything. Each section of a pen test is extremely important. We just saw one way of looking at a pen test broken into seven sections, and each step is crucially important. If you skip one, you're going to miss something. By missing something, you might actually miss an exploit that exists, because you just didn't test for it, or you might not have set your scope properly, so you're doing too little or too much work. So no matter what step you skip, you're going to skip an important piece of the overall project. So remember that as a pen tester, you're not a real attacker. You're just pretending to be an attacker. An attacker is trying to harm the client or to extract information, whereas the pen tester is trying to avoid harm to the client. In fact, you're trying to help the client. So attackers are probably going to skip the first step, which is all the activities that occur prior to an exploit, in other words, all the planning. They'll do some planning, but it's a different type of planning. And they'll probably skip the last two steps, or definitely the last step. The last two steps are post-exploitation activities, and the last one, of course, is reporting. Well, attackers are not going to care about creating a report.
In post-exploitation, we're going to circle back later in our course and talk about that. There are a few things that attackers really are going to do, like they're going to clean up their tracks, but by and large, the pen tester would focus more on step one and then the last two than attackers would. Remember that regardless of the section, there's lots of options. It's very unusual to conduct a penetration test the same way for two separate clients. The environments are different, the corporate structures are different, so don't be locked into one series of steps. Make sure that you understand the importance of each step, and within each step, you have lots of different options. One of the reasons it's so important to plan well is because in penetration testing, it's very easy to waste time. You can spin your wheels and you can run all these tests that don't give you any good data back, so you constantly want to be attempting to only execute tests that are the most important and the most productive when it comes to really good information, and you learn to do that through experience. Once again, that's why experience is so important in this exam. You've got to have done the work before you actually sit for this exam, and you'll learn as you do it over and over again what types of tests and what types of environments are going to waste your time. So planning is important. You want to avoid wasting time. That means you're more productive, so that's the idea behind it. And finally, I keep talking about project management skills. Crucially, crucially important, because a penetration test is a project. It has a specific starting point, it has a specific ending point, and it has a specific set of goals and deliverables, so it's a classic project.
If you manage projects well, you're going to be more productive, you're going to have higher quality, and you're going to create a repeatable process, and that's the idea for planning and scoping a penetration test well.