The VX-Files
For updates, questions, suggestions or just chatting: @malcrvz
Download your own local copy or check my other libre projects: Github/malcrvz

The methodology steps

When performing a pentest you will always follow these steps or similar ones. Each group may have its own nomenclature or number of steps, but in the end it is almost always the same. Obviously it is not obligatory to follow them in this exact order, and some are done in parallel, but not having an organized plan with protocols will surely end in chaos, confusion and errors, and will also slow your work down too much.

Pre-Engagement

The first step, before starting the technical work, is where you talk with the client and define the type, scope and objectives of the pentest. Both parties have to reach a written agreement. It may sound boring, but it is crucial to establish rules, constraints and limitations, and to obtain proper authorization and legal permissions, NDAs, etc. This step defines how far you can go and sets the direction of all the following steps. Without a very clear map of the job to do you can waste hours and even end up with legal problems.


Information Gathering

Depending on the type of assessment, be it white, grey or black box, you will have to gather more or less information about the target, such as domain names, IP addresses, network infrastructure... In this step you think of nmap, but there are OSINT techniques too: it is key to gather data about employees, organization structure, potential human vulnerabilities, etc. This step will mostly be ongoing and run in parallel to the others until the end of the job.

White box: the pentester has complete and detailed knowledge of the internal architecture, design and source code of the client. The test will not simulate a real attack from the outside, but the analysis will be much more detailed and thorough, reviewing each configuration. On the other hand it is much more expensive and long, and it can give the client a false sense of security because it may not reflect the real world; for example, an external attacker usually won't need the full source code to find a vulnerability.

Black box: the opposite of white box. With little to no information about the client, maybe just the name, the pentester simulates a real attack from the outside and tests the detection and response of its defense systems. While it is the closest to a real attack, it may overlook some important vulnerabilities.

Grey box: a combination of white and black box, where pentesters are given a limited amount of information. It is usually used for a focused pentest on a specific part of the infrastructure. For example, a pentester may be given a low-level account and has to try to escalate privileges. It can also simulate attacks from an insider.


Vulnerability Assessment

This step, though very close to the next one, has a specific aim: to validate the existence of vulnerabilities and classify them. Here the pentester uses various automated scanning tools to take a first look at the most common and likely vulnerabilities, then uses this information to investigate further manually and, if any are confirmed, prioritizes them based on their severity and potential impact on the security of the target.


Exploitation

Once the vulnerabilities are found, the pentester, very carefully, has to actually exploit them and demonstrate (without doing real damage, obviously) the real-world impact the attack could have. For this, pentesters may use automated exploitation frameworks like the famous Metasploit or manually craft exploits for the specific occasion. It may also involve attempting password attacks and finding credentials that could be compromised.


Post-Exploitation & Persistence

Now that the system is exploited and the pentester has gained access, it is time to establish a foothold in the target: to see if we can come back easily, opening a backdoor and returning through it. For this the pentester will use various tools and backdoor scripts to try to stay hidden from the detection systems as long as possible. This is crucial because even if you fix the exploited vulnerability, a bad actor who has already breached in and created a backdoor will not need to exploit it again; having detection systems on what data is going out of the company infrastructure is as crucial as on what data is trying to get in.


Privilege Escalation & Lateral Movement

Usually when a pentester compromises a system it is through a low-privileged user account, because those are usually the easiest to obtain, but also the most limited. If the admin did a good job, that account won't have access to important data and it may seem like it was all for nothing, but that's where the privilege escalation and lateral movement step comes in.

Entering through the door (or maybe more like through the broken window ;-) ) is a big part, but not the end; privilege escalation is in fact one of the most important parts of the whole pentest! Once inside we must see "what can we do with what's given" and try to reach as far as we can (or as far as we were allowed in the agreement) until we get the ultimate result: full control of the system or even the network, AKA root. For this we may need to find the credentials of the admin account, or just an exploit that lets us act as it.

Privilege escalation is focused on obtaining the root/admin account starting from a low-privileged user on a system (escalation, going up!). Lateral movement is focused on checking how many of the network's systems/credentials the attacker can access, control or exploit, while also trying to zig-zag our way into a privilege escalation (lateral, going sideways!). Both techniques feed each other.


Reporting & Remediation

Once the work is done and the agreement has ended, it is time for the paperwork! While it's not the part that everyone necessarily enjoys the most, it is what the client truly paid for. The pentester has to deliver a document for the technical team of the client, explaining all the findings and giving a technical guide on how to remediate them. Usually another one is written in a more user-friendly way for the high-profile staff of the company, AKA the CEO. Both of course are fully confidential and need to be protected with care, especially until the vulnerabilities are patched. While it is presented as the last step, it is usually started at the beginning and done in parallel with all the other steps; this makes it possible to add screenshots of the process and alleviates the hard work at the end, as most of it is already done.

Check the page Public real pentest reports for a more practical way to understand it.

See also: Possible vectors.