Pentest Notes Mod 1

Penetration testing, or 'pen testing', is a cybersecurity assessment where ethical hackers simulate attacks on an organization's IT infrastructure to identify vulnerabilities. The main objectives include enhancing security, ensuring compliance, and improving incident response through various service delivery models such as manual, hybrid, and automated testing. Different types of penetration testing focus on specific areas like network, web applications, and social engineering to comprehensively evaluate an organization's security posture.


Notes Mod 1

1.1 Penetration Testing

Penetration testing
Penetration testing (often called "pen testing") is a controlled cybersecurity assessment
where ethical hackers simulate real-world cyberattacks against an organization’s IT
infrastructure. This includes networks, computer systems, web applications, databases,
and other digital assets. The objective is to uncover security vulnerabilities that could be
exploited by malicious attackers and provide recommendations for mitigation.

Purpose
The primary objective of penetration testing is to enhance the security posture of an
organization by identifying and addressing vulnerabilities before they can be exploited
by cybercriminals. Other purposes include:

Identifying security weaknesses: Detecting exploitable vulnerabilities in systems, applications, and network devices.

Assessing security policies: Evaluating the effectiveness of security policies, access controls, and intrusion detection systems.

Ensuring regulatory compliance: Meeting security standards and compliance requirements such as ISO 27001, PCI-DSS, HIPAA, and GDPR.

Simulating real-world attacks: Understanding how an attacker might breach an organization’s defenses and assessing the potential impact.

Improving incident response: Testing the organization's ability to detect and respond to cyber threats.

Penetration Testing Service Delivery Models


Penetration Testing Service Delivery Models define how penetration testing services are
provided based on scope, engagement approach, and service model. These models are
categorized into three main types:

1. Human-Delivered (Manual) Penetration Testing

Notes Mod 1 1
Definition
A traditional penetration testing model where cybersecurity professionals manually
perform security assessments. Testers simulate an attacker’s perspective to uncover
security flaws that automated tools might miss.

Key Characteristics
Conducted by skilled penetration testers with certifications like CREST, OSCP,
CEH.

Hands-on approach to security testing that provides a detailed analysis.

Focuses on real-world attack scenarios to evaluate an organization’s security posture.

Typically performed once or at scheduled intervals rather than continuously.

Detailed reports with findings, risk assessments, and minimal remediation guidance are provided in formats like PDF or CSV.

Process
1. Planning & Scope Definition

2. Reconnaissance & Information Gathering

3. Exploitation & Vulnerability Testing

4. Post-Exploitation & Reporting

Advantages
Identifies complex vulnerabilities that automated tools miss.

Provides contextual insights into security weaknesses.

Simulates real-world attack scenarios effectively.

Offers detailed reports with risk assessments.

Limitations
Time-consuming and expensive due to human effort.

Requires highly skilled testers, making it resource-intensive.

Not continuous, meaning vulnerabilities can emerge between tests.

2. Hybrid Penetration Testing (PTaaS)

Definition
A model that combines manual penetration testing with automated security tools,
offering an efficient and scalable approach.

Key Characteristics
Blends human expertise with automated testing tools.

Enables both continuous and point-in-time testing.

Provides a flexible and cost-effective alternative to traditional testing.

Typically offered as a subscription-based SaaS model or a self-service model.

Process
1. Automated Scanning

2. Manual Verification & Exploitation

3. Actionable Reporting & Remediation Guidance

Advantages
Faster than manual testing due to automation.

More comprehensive as it includes both human and machine analysis.

Cost-effective compared to traditional human-only penetration testing.

Can be integrated into CI/CD pipelines for DevSecOps workflows.

Limitations
Depends on the quality of the automated tools used.

May still require additional manual testing for deeper insights.

Requires experienced professionals to interpret automated results accurately.

3. Continuous Automated Penetration Testing (APT)

Definition
A fully automated penetration testing model that provides continuous security
testing to simulate real-world attacks.

Key Characteristics
Continuously scans and tests for security threats.

Provides a comprehensive view of security posture.

Suitable for large enterprises with complex IT environments.

Can test applications, cloud environments, and network infrastructure.

Process
1. Continuous Vulnerability Scanning

2. Automated Exploitation & Attack Simulation

3. Threat Intelligence Integration

4. Automated Reporting & Alerting

Advantages
Proactively detects vulnerabilities before attackers do.

Highly scalable for large IT environments.

Supports high-frequency testing (e.g., daily or weekly).

Reduces the need for manual security testing efforts.

Limitations
Cannot replace manual testing entirely—misses logical vulnerabilities.

Best used as a supplement to human-led penetration testing.

May generate false positives that need manual verification.


Each of these models offers a unique approach to identifying and mitigating security
vulnerabilities.

Comparison of Penetration Testing Service Delivery Models

Feature | Manual Penetration Testing | Hybrid Penetration Testing (PTaaS) | Continuous Automated Penetration Testing
Approach | Fully manual | Combination of manual & automated | Fully automated
Speed | Slow (time-consuming) | Faster than manual testing | Real-time
Depth of Analysis | Deep analysis of vulnerabilities | Moderate | Surface-level analysis
Cost | High (expensive) | Moderate | Low (cost-efficient)
Frequency | One-time or periodic | On-demand or scheduled | Continuous
Scalability | Limited | Moderate | High
Best Use Cases | Critical security assessments, regulatory compliance | Flexible security testing, DevSecOps | Large-scale security monitoring, rapid deployments

ROI for Penetration Testing

Key Purpose
Assess security levels, manage risks, comply with regulations, and build customer
trust.

Cost Savings
Helps avoid costs associated with data breaches and cyber-attacks.

Prevents financial losses, business disruptions, reputational damage, and legal liabilities.

Regulatory Compliance
Aligns with standards like PCI DSS, ISO 27001, and NIST CSF.

Fulfills requirements for regular security assessments.

Strategic Benefits

Demonstrates commitment to security for stakeholders.

Builds trust with customers and partners.

Positions organizations as proactive in addressing cybersecurity threats.

Factors Influencing ROI


1. Cost of Testing: Fees for penetration testers, tools, resources, and time.

2. Cost of Remediation: Fixing vulnerabilities, downtime, and operational disruption.

3. Potential Cost Savings: Avoiding financial losses from cyberattacks.

4. Value of Customer Trust: Impact on customer attraction, retention, and attrition.

Maximizing ROI
Conduct penetration testing regularly to keep up with evolving threats.

Prioritize remediation to prevent exploitation by malicious hackers.

Choose experienced and certified penetration testers for accurate results.

Treat penetration testing as an integral part of the security strategy.

Real-World Examples of ROI


Financial Institution: Identified security flaws in an online banking platform,
preventing data breaches and financial loss.

Healthcare Provider: Strengthened security of information systems, reducing risks to patient data and critical operations.

Software Company: Improved security of digital services, aligning with Agile development and reducing business risk.

Types of Penetration Testing

Different types of penetration testing focus on different aspects of an organization's security, each evaluated by simulating real-world cyberattacks against that area. Below is a detailed breakdown of the main penetration testing types, their objectives, targets, and commonly used techniques.

1. Network Penetration Testing

Objective:

Identify vulnerabilities in an organization's network infrastructure that could be exploited by attackers.

Test firewalls, routers, switches, VPNs, and other network components for weaknesses.

Targets:

Misconfigured systems: Poorly configured network devices, open ports, and unnecessary services.

Outdated protocols: Use of deprecated or insecure network communication protocols.

Weak authentication mechanisms: Password policies, lack of multi-factor authentication (MFA), or weak encryption.

Common Techniques:

Scanning for open ports and services: Using tools like Nmap to discover network services and potential entry points.

Exploiting weak passwords or unpatched software: Brute-force attacks, dictionary attacks, and exploiting known vulnerabilities in outdated systems.

Man-in-the-Middle (MITM) attacks: Intercepting and manipulating network traffic between clients and servers.

Denial-of-Service (DoS) attacks: Overloading network resources to disrupt operations.

2. Web Application Penetration Testing

Objective
Identify security flaws in web applications that attackers could use to steal data, hijack sessions, or manipulate databases.

Targets
Web servers: Hosting applications and databases.

APIs: Communication endpoints between applications.

Authentication mechanisms: Login forms, session management, and access control.

Common Techniques
SQL Injection (SQLi): Injecting malicious SQL queries to extract or modify database contents.

Cross-Site Scripting (XSS): Injecting scripts into web pages to execute in a user’s browser.

Broken Authentication: Exploiting weak password policies, lack of account lockout mechanisms, or session hijacking.

File Inclusion Vulnerabilities: Uploading or referencing malicious files to execute arbitrary commands.

3. Wireless Penetration Testing

Objective
Evaluate the security of an organization’s wireless network infrastructure to
prevent unauthorized access and data interception.

Targets
Wi-Fi encryption protocols: WEP, WPA, WPA2, WPA3.

Unauthorized access points: Detecting rogue Wi-Fi networks that mimic legitimate ones.

Wireless devices: Laptops, mobile devices, IoT devices.

Common Techniques
Cracking weak Wi-Fi encryption: Using tools like Aircrack-ng to break WEP or weak WPA passwords.

Detecting unauthorized access points: Identifying rogue Wi-Fi hotspots set up to trick users.

Performing deauthentication attacks: Disconnecting legitimate users from a Wi-Fi network to force reconnection to a malicious access point (Evil Twin Attack).

4. Social Engineering Penetration Testing

Objective
Assess human security awareness by attempting to deceive employees into
revealing sensitive information or granting unauthorized access.

Targets
Employees: Staff members unaware of cybersecurity threats.

Customer service personnel: Individuals who might disclose confidential details over calls or chats.

Executives: High-level personnel targeted in whale phishing (spear phishing attacks aimed at senior executives).

Common Techniques
Phishing emails or phone calls: Crafting emails that mimic legitimate messages to trick employees into providing credentials or clicking malicious links.

Impersonating an employee: Gaining unauthorized access by pretending to be an insider (e.g., IT support).

USB drop attacks: Planting malware-infected USB drives in public places, hoping employees will plug them into corporate computers.

5. Physical Penetration Testing

Objective
Evaluate an organization's physical security measures, including access control systems, surveillance, and alarm mechanisms.

Targets
Office buildings and data centers: Checking if physical barriers prevent unauthorized access.

Restricted areas: Secure rooms storing sensitive documents or IT infrastructure.

Security guards and protocols: Evaluating response times and security awareness.

Common Techniques
Tailgating (Piggybacking): Following an authorized employee into a secured area without proper authentication.

Bypassing security controls: Lock picking, badge cloning, or exploiting weak RFID authentication systems.

Planting rogue devices: Leaving keyloggers or network sniffers inside the premises to capture sensitive data.

Strategies of Penetration Testing

Penetration testing strategies are essential to ensure a structured and effective approach
to identifying security vulnerabilities. Different strategies help in targeting various
aspects of an organization’s security posture.

1. Black Box Testing

Description: The tester has little or no prior knowledge about the target
system.

Objective: Simulates an external attack by an unknown threat actor.

Key Aspects:

No access to internal documentation or credentials.

Requires extensive reconnaissance and scanning.

Focuses on perimeter security, authentication, and access control.

Common Techniques:

Open-source intelligence gathering (OSINT)

Port scanning and service enumeration

Social engineering and phishing attacks

2. White Box Testing

Description: The tester has full knowledge of the target environment, including source code, architecture, and internal configurations.

Objective: Simulates an insider attack or a well-informed attacker.

Key Aspects:

Access to source code and security policies.

Focuses on deep security flaws within the system.

Tests business logic vulnerabilities and insecure configurations.

Common Techniques:

Source code analysis (static and dynamic analysis)

Privilege escalation testing

Configuration audits

3. Gray Box Testing

Description: The tester has partial knowledge of the system, representing a mix of insider and outsider threats.

Objective: Evaluates security from an authenticated user’s perspective.

Key Aspects:

Limited access to application or system information.

Tests for improper access control and privilege escalation.

Can simulate advanced persistent threats (APTs).

Common Techniques:

API security testing

Session management testing

Database security assessments

Different Methods of Penetration Testing

There are several different types of penetration testing methodologies that address how a penetration test should be performed:

OSSTMM (Open Source Security Testing Methodology Manual):

This manual provides test cases that result in verified facts.

These facts provide actionable information that can measurably improve your
operational security.

By using the OSSTMM you no longer have to rely on general best practices or anecdotal evidence.

It includes almost all the steps involved in a penetration test.

To download the latest version of OSSTMM, go to the following link: https://www.isecom.org/OSSTMM.3.pdf

OSSTMM tests the operational security of 5 channels:

Human Security: Security of human interaction and communication is evaluated operationally as a means of testing.

Physical Security: OSSTMM tests physical security, defined as any tangible element of security that takes physical effort to operate.

Wireless Communications: Electronic communications, signals, and emanations are all considered wireless communications that are part of the operational security testing.

Telecommunications: Whether the telecommunication network is digital or analog, any communication conducted over telephone or network lines is tested in the OSSTMM.

Data Networks: Security testing of data networks includes electronic systems and data networks that are used for communication or interaction via cable and wired network lines.

The Test Modules:

There are four phases in the execution of this methodology:

A. Induction Phase: the Analyst begins the audit with an understanding of the audit requirements, the scope, and the constraints to the auditing of this scope.

B. Interaction Phase: The core of the basic security test requires knowing the scope in relation to interactions with the targets conveyed to interactions with assets. This phase will define the scope.

C. Inquest Phase: Much of security auditing is about the information that the Analyst uncovers. In this phase, the various types of value or the detriment from misplaced and mismanaged information as an asset are brought to light.

D. Intervention Phase: focused on the resources the targets require in the scope. These resources can be switched, changed, overloaded, or starved to cause penetration or disruption. Assure disruptions do not affect responses of less invasive tests. The final module, D.17, of Alert and Log Review, is required to verify prior tests which provided no interactivity back to the Analyst.

One Methodology: Putting all the modules together provides one methodology to know and work with. This is one methodology which is applicable to any and all types of security tests.

NIST (National Institute of Standards and Technology):

Four steps of the methodology, namely, planning, discovery, attack, and reporting.

Planning phase: where how the engagement is going to be performed is decided upon.

Discovery phase: which is divided into two parts. The first part includes information gathering, network scanning, service identification, and OS detection; the second part involves vulnerability assessment.

Attack phase: which is the heart of every penetration test. If you are able to compromise a target and a new host is discovered, for example because the system is dual-homed or is connected with multiple interfaces, you would go back to step 2, that is, discovery, and repeat it until no targets are left. It consists of things such as “gaining access,” “escalating privileges,” “system browsing,” and “install additional tools.” We will go through each of these steps in detail in the following chapters.

Reporting phase: documents what was planned and what was done; each attack on a target is reported together with its results.

OWASP (Open Web Application Security Project):

Basically contains almost everything that you would test a web application for.

The methodology is comprehensive and is designed by some of the best web application security researchers.

Top 10 Web Application Security Risks:

Broken Access Control: one of the most common security bugs found in web applications. Also known as missing authorization, it occurs when an application does not correctly check for authorization or does not check for authorization at all. This allows users to view or edit protected data they should not be able to view or edit.

Cryptographic Failures: cryptographic measures are implemented to make sure that data is protected. Some common issues that fall under cryptographic failures are:

Using HTTP to transmit sensitive data

Hard-Coded sensitive data such as API Keys

Weak Encryption being used

Improper key management

Missing Key Rotation mechanisms

Injection: happens when a user enters a malicious payload into a website’s input field. This payload is then processed by the website and executed as a malicious script written by the hacker. The malicious script is what performs the actual damage to the website’s server and its data. There are several different types of injection attacks. All of them involve a malicious payload. The payload is entered via a form field, URL, or API (Application Programming Interface).

Insecure Design: The cause of insecure design is the same as the cause of
insecure coding, which is a lack of knowledge and awareness of security
vulnerabilities. Most of the time, security is not taken as a serious issue
and is not included in the list of requirements for software development.

Security Misconfiguration: Security Misconfiguration is a broad range of vulnerabilities such as:

Default Credentials being used

Server version disclosure

Missing security headers such as X-Frame-Options

Vulnerable and Outdated Components: The most common issue in most web applications is using components with known vulnerabilities and out-of-date components. Components like jQuery, Bootstrap, Angular JS, etc., are the most vulnerable components. These are the most used components in web applications, which also makes them attractive targets for hackers; vulnerabilities are more common in them due to their popularity.

Identification and Authentication Failures: Some common vulnerabilities that fall under Identification and Authentication Failures are:

Missing Brute Force protection

Weak password policy

Missing or weak multi-factor authentication

Improper session management

Software and Data Integrity Failures: Data integrity failures lead to security flaws. Insecure deserialization, untrusted CDNs, and insecure CI/CD pipelines are how software fails to maintain the integrity of the data.

Security Logging and Monitoring Failures: Log monitoring is a crucial part of any security program. It is one of the most crucial areas of log management that helps companies detect and analyze security events in near real-time. Yet, in 40% of organizations, log management systems cannot detect and analyze security events in near real-time. The reason is that log monitoring is often insufficiently customized and managed.

Server-side request forgery (SSRF): is a vulnerability when an application
makes a request to an unauthenticated, remote host and does not validate
the request correctly.
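As an added example (not part of these notes, and not code from OWASP), the following Python script puts two of the Top 10 items above side by side in runnable form: Injection, as a string-built SQL query next to the parameterized query that fixes it, and Broken Access Control, as an invoice lookup with and without an ownership check. The in-memory SQLite schema, the users, invoices and the tautology input in the demo are all constructed sample data.

```python
"""Two OWASP Top 10 items side by side (added example, not from the notes):
Injection, shown as string-built SQL next to a parameterized query, and
Broken Access Control, shown as a lookup with and without an ownership
check. The in-memory SQLite tables and rows are constructed sample data.
"""
import sqlite3
from typing import List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample users and invoices."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER);
        INSERT INTO users VALUES (1, 'alice', 'user'), (2, 'bob', 'user'), (3, 'carol', 'admin');
        INSERT INTO invoices VALUES (100, 1, 250), (101, 2, 900), (102, 2, 40);
        """
    )
    return conn


# --- Injection ------------------------------------------------------------

def find_user_injectable(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """VULNERABLE: the user-supplied name is pasted into the SQL text, so quote
    characters in the input become part of the query's syntax."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """FIXED: the value is bound as a parameter; the driver never lets it alter
    the statement's structure, so a quote in the input is just data."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# --- Broken Access Control -------------------------------------------------

def get_invoice_unchecked(conn: sqlite3.Connection, current_user_id: int,
                          invoice_id: int) -> Optional[Tuple[int, int, int]]:
    """VULNERABLE: the caller is authenticated, but authorization is never
    checked, so any user can read any invoice by guessing its id."""
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_authorized(conn: sqlite3.Connection, current_user_id: int,
                           invoice_id: int) -> Optional[Tuple[int, int, int]]:
    """FIXED: ownership is enforced inside the query; admins are the one exempt role."""
    row = conn.execute("SELECT role FROM users WHERE id = ?", (current_user_id,)).fetchone()
    if row is None:
        return None                      # unknown principal: deny
    if row[0] == "admin":
        return conn.execute(
            "SELECT id, owner_id, amount FROM invoices WHERE id = ?", (invoice_id,)
        ).fetchone()
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    payload = "nobody' OR '1'='1"      # constructed tautology input for the demo
    print("injectable:", find_user_injectable(db, payload))   # every user row
    print("safe:      ", find_user_safe(db, payload))         # no rows: no such name
    print("unchecked: ", get_invoice_unchecked(db, 1, 101))   # alice reads bob's invoice
    print("authorized:", get_invoice_authorized(db, 1, 101))  # None: denied
```

The two fixes share one idea: the security decision (what is SQL syntax, who may read which row) is made by the database from bound parameters, not reconstructed from strings the client controls.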

Common Areas of Penetration Testing


Penetration testing is a type of security testing that is used to assess the security of an organization's IT infrastructure. Penetration testing can be used to assess the security of a variety of systems, including:

Network security: This type of penetration testing assesses the security of an organization's network infrastructure, including firewalls, routers, and switches.

System software security: This type of penetration testing assesses the security of an organization's operating systems and other system software.

Client-side application security: This type of penetration testing assesses the security of client-side applications, such as web browsers and email clients.

Server-side application security: This type of penetration testing assesses the security of server-side applications, such as web servers and databases.

Physical security: This type of penetration testing assesses the security of an organization's physical premises, such as data centers and offices.

Intrusion detection: This type of penetration testing assesses the effectiveness of an organization's intrusion detection systems.

Incident response: This type of penetration testing assesses the effectiveness of an organization's incident response procedures.
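The intrusion detection area above, together with the OWASP "Security Logging and Monitoring Failures" item earlier, is about whether the defender can turn raw logs into a timely alert. As an added example (not part of these notes and not a real product's detection rule), the Python script below parses sshd-style authentication lines, flags sources with a burst of failed logins inside a sliding window, and raises the higher-severity signal of a success from a source that was just brute-forcing. The log lines and the addresses in them are constructed samples using documentation address ranges.

```python
"""Brute-force detection over authentication logs (added example, not from
the notes). The log lines are constructed in sshd style; the addresses are
documentation ranges, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sample log: one noisy source, one slow source, one clean login.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:03 sshd[4121]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-05-01T10:00:05 sshd[4122]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
2024-05-01T10:00:08 sshd[4123]: Failed password for alice from 203.0.113.7 port 51244 ssh2
2024-05-01T10:00:11 sshd[4124]: Failed password for alice from 203.0.113.7 port 51250 ssh2
2024-05-01T10:00:14 sshd[4125]: Failed password for alice from 203.0.113.7 port 51252 ssh2
2024-05-01T10:00:20 sshd[4126]: Accepted password for alice from 203.0.113.7 port 51260 ssh2
2024-05-01T10:05:00 sshd[4130]: Failed password for bob from 198.51.100.4 port 40000 ssh2
2024-05-01T10:09:30 sshd[4131]: Failed password for bob from 198.51.100.4 port 40002 ssh2
2024-05-01T10:09:45 sshd[4132]: Accepted password for bob from 198.51.100.4 port 40004 ssh2
2024-05-01T10:12:00 sshd[4140]: Accepted publickey for carol from 192.0.2.9 port 33000 ssh2
"""

Event = Tuple[datetime, str, str, str]   # (timestamp, result, user, source ip)


def parse_events(text: str) -> List[Event]:
    """Extract (timestamp, result, user, src) from every line matching LOG_RE."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window_seconds: int = 120) -> Dict[str, int]:
    """Map each source ip to its largest burst of failures within one window,
    keeping only sources whose burst reached the threshold."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            failures[src].append(ts)
    flagged: Dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                flagged[src] = max(flagged.get(src, 0), burst)
    return flagged


def successes_after_bruteforce(events: List[Event],
                               flagged: Dict[str, int]) -> List[Tuple[str, str]]:
    """High-severity signal: a flagged source later logs in successfully."""
    first_fail: Dict[str, datetime] = {}
    for ts, result, _user, src in events:
        if result == "Failed" and src in flagged:
            first_fail.setdefault(src, ts)
    hits = []
    for ts, result, user, src in events:
        if result == "Accepted" and src in first_fail and ts > first_fail[src]:
            hits.append((src, user))
    return sorted(set(hits))


def analyze(text: str) -> Dict[str, object]:
    """Run the whole pipeline and return findings suitable for an alert or report."""
    events = parse_events(text)
    flagged = detect_bruteforce(events)
    return {"events": len(events), "bruteforce_sources": flagged,
            "logins_after_bruteforce": successes_after_bruteforce(events, flagged)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The slow source (two failures almost five minutes apart) is deliberately below the default window so the example shows both the hit and the miss; widening `window_seconds` catches it, which is the tuning trade-off the notes describe as monitoring being "insufficiently customized".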

Penetration Testing Process


The penetration testing process is a structured approach used by security professionals
to assess the security of an organization's systems, applications, and networks. It
simulates real-world cyberattacks to identify vulnerabilities and provide
recommendations for improving security. The process consists of the following key
phases:

1. Planning Phase (Pre-engagement)

This is the initial phase where the objectives, scope, and methodology of the
penetration test are defined. It involves close collaboration between the penetration
testing team and the organization to ensure a safe and effective test.

Key Activities:
Defining the Scope: Identify which systems, networks, and applications will be tested (e.g., internal vs. external systems).

Determining the Testing Methodology: Choose the type of penetration test (Black Box, White Box, or Gray Box testing).

Obtaining Permissions: Secure formal approval from the organization to conduct penetration testing.

Understanding Compliance Requirements: Ensure the test aligns with legal and regulatory requirements (e.g., GDPR, HIPAA, PCI-DSS).

Setting the Timeline and Deliverables: Establish a timeline for testing and define the expected outcomes.
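The scope and permissions agreed in this phase are only useful if the later phases respect them. As an added example (not part of these notes and not a real tool's API), the Python script below turns the signed-off scope into a gate: every target is checked against the authorized CIDR blocks, DNS zones and explicit carve-outs before any scanner or exploit tool is launched, and out-of-scope hosts are refused rather than tested. The `EngagementScope` class is a hypothetical helper, and the networks, domains and target list are constructed sample values for a fictional engagement.

```python
"""Rules-of-engagement scope gate (added example, not from the notes).

Every target is checked against the authorized scope agreed in the planning
phase before any scanning or exploitation tool is run. Out-of-scope hosts are
refused, not tested. All addresses and names below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


def _as_network(value: str):
    """Parse a CIDR block or a single IP into a network object, or None."""
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


@dataclass
class EngagementScope:
    """Hypothetical container for the signed-off scope of one engagement."""
    networks: List[str] = field(default_factory=list)  # authorized CIDR blocks
    domains: List[str] = field(default_factory=list)   # authorized DNS zones
    excluded: List[str] = field(default_factory=list)  # carve-outs: CIDR, IP or host name

    def allows(self, target: str) -> bool:
        """Return True only if target is inside scope and not carved out."""
        target = target.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # A DNS name: it must sit in an authorized zone and not be excluded.
            if target in (e.lower() for e in self.excluded):
                return False
            zones = [d.lower().rstrip(".") for d in self.domains]
            return any(target == z or target.endswith("." + z) for z in zones)
        # An IP address: exclusions win over authorizations.
        for entry in self.excluded:
            net = _as_network(entry)
            if net is not None and addr in net:
                return False
        return any(addr in net for net in map(_as_network, self.networks) if net is not None)


def partition_targets(scope: EngagementScope,
                      targets: List[str]) -> Tuple[List[str], List[str]]:
    """Split a target list into (allowed, refused) before any tool is launched."""
    allowed = [t for t in targets if scope.allows(t)]
    refused = [t for t in targets if not scope.allows(t)]
    return allowed, refused


# Constructed sample scope and target list for a fictional engagement.
SAMPLE_SCOPE = EngagementScope(
    networks=["10.10.0.0/16", "192.0.2.0/24"],
    domains=["example.test"],
    excluded=["10.10.5.0/24", "backup.example.test"],   # production carve-outs
)
SAMPLE_TARGETS = [
    "10.10.1.20",              # in scope
    "10.10.5.7",               # inside an excluded block
    "192.0.2.44",              # in scope
    "198.51.100.9",            # never authorized
    "www.example.test",        # in an authorized zone
    "backup.example.test",     # explicitly carved out
    "example.test.evil.test",  # lookalike suffix, not the authorized zone
]

if __name__ == "__main__":
    ok, refused = partition_targets(SAMPLE_SCOPE, SAMPLE_TARGETS)
    print("allowed:", ok)
    print("refused:", refused)
```

Two details matter in practice: exclusions are evaluated before authorizations, so a carve-out inside an authorized block always wins, and zone matching requires the dot boundary, so a lookalike name that merely contains the authorized zone is refused.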

2. Discovery Phase (Reconnaissance & Enumeration)


In this phase, penetration testers gather as much information as possible about the
target systems. This helps in identifying potential attack vectors.

Key Activities:
Passive Reconnaissance: Collect publicly available information about the
target, such as domain names, IP addresses, WHOIS records, employee details,
and social media intelligence.

Active Reconnaissance: Use tools like Nmap to scan for open ports,
operating systems, and running services.

Enumeration: Identify user accounts, network shares, and system vulnerabilities that can be exploited.

Vulnerability Scanning: Use automated tools like Nessus, OpenVAS, or Nikto to detect known vulnerabilities.

3. Attack Phase (Exploitation)


During this phase, penetration testers actively attempt to exploit vulnerabilities to
gain access to the target system. The goal is to test real-world attack scenarios
while avoiding damage to the system.

Key Activities:
Gaining Initial Access: Exploiting identified vulnerabilities using tools like Metasploit, SQLmap, and Burp Suite.

Privilege Escalation: Attempting to gain administrative or root access to critical systems.

Lateral Movement: Expanding access within the network by compromising additional systems.

Persistence: Establishing a backdoor or maintaining access to simulate an advanced persistent threat (APT).

Exfiltration & Impact Analysis: Assessing how much sensitive data an attacker could steal and the potential impact of a breach.

4. Reporting Phase
Once the test is complete, a detailed report is created, outlining the findings, risks,
and recommendations. This report is presented to the organization to help them
mitigate vulnerabilities.

Key Components of the Report:


Executive Summary: High-level overview for management.

Technical Details: Specific vulnerabilities found, how they were exploited, and their impact.

Risk Assessment: Categorization of vulnerabilities based on severity (Critical, High, Medium, Low).

Proof of Concept (PoC): Demonstrations of successful exploits.

Mitigation Recommendations: Steps to remediate each identified issue.

Final Debriefing: Discussing findings with stakeholders and providing security best practices.

Penetration Testing Phases


The seven phases of penetration testing provide a structured and systematic
approach to assessing security. Each phase plays a crucial role in identifying, exploiting,
and mitigating vulnerabilities. Let’s explore them in detail:

1. Pre-engagement (Planning and Preparation)
This initial phase defines the scope, rules of engagement, and objectives of the
penetration test. It ensures that the testing process is conducted in a safe, legal, and
efficient manner.

Key Activities:
Defining scope (systems, networks, applications to be tested).

Selecting the type of penetration test (Black Box, Gray Box, or White Box).

Identifying testing constraints (e.g., time limits, restricted areas).

Addressing legal and compliance requirements (GDPR, HIPAA, PCI-DSS).

Acquiring formal authorization from stakeholders.

2. Reconnaissance (Information Gathering)


Also known as OSINT (Open Source Intelligence), this phase involves collecting
valuable information about the target system to identify potential attack vectors.

Key Activities:
Passive Reconnaissance: Gathering publicly available data (e.g., WHOIS records,
social media, company websites).

Active Reconnaissance: Scanning for open ports, services, and configurations using tools like Nmap.

Social Engineering: Identifying weak points through phishing, pretexting, or impersonation.

3. Vulnerability Analysis
In this phase, testers analyze the gathered information to identify security weaknesses
in the target environment.

Key Activities:

Scanning for known vulnerabilities using tools like Nessus, OpenVAS, or Burp
Suite.

Checking for misconfigurations in web applications, databases, and cloud environments.

Identifying weak credentials or password policy flaws.

Mapping attack paths to determine how an attacker might move through the
network.

4. Exploitation (Attacking the System)


This phase involves actively attempting to exploit vulnerabilities to gain
unauthorized access.

Key Activities:
Using tools like Metasploit, SQLmap, Hydra to exploit weaknesses.

Exploiting web application flaws (e.g., SQL Injection, Cross-Site Scripting).

Cracking passwords to gain further access.

Deploying custom exploits for unpatched vulnerabilities.

Capturing sensitive data (if permitted in scope).

⚠️ Note: The goal is not to cause damage but to assess real-world security risks.

5. Post-Exploitation (Maintaining Access)
If the penetration tester gains access, they simulate what a real attacker would do after
breaching the system.

Key Activities:
Privilege Escalation: Gaining admin/root-level access.

Lateral Movement: Expanding access to other systems.

Data Exfiltration: Checking if critical data can be stolen.

Persistence Mechanisms: Attempting to plant backdoors or maintain access (if
allowed).

6. Reporting (Documentation & Analysis)


A comprehensive report is prepared detailing the findings, risks, and remediation
steps.

Key Components of the Report:


Executive Summary for non-technical stakeholders.

Technical Analysis with detailed exploit descriptions.

Proof of Concept (PoC) to demonstrate successful attacks.

Risk Ratings (Critical, High, Medium, Low).

Recommendations to fix vulnerabilities.

Legal and Compliance Considerations.

A final debrief is conducted with the organization's security team.

7. Clean-Up & Remediation


Once testing is complete, all traces of penetration testing activities must be removed,
and security patches must be applied.

Key Activities:
Removing malicious payloads, backdoors, scripts, and tools.

Resetting compromised credentials.

Applying patches and fixes for identified vulnerabilities.

Conducting follow-up tests to confirm fixes are effective.

Providing security best practices to the organization.

Penetration Testing Methodologies

There are several different penetration testing methodologies that address how
a penetration test should be performed:

OSSTMM (Open Source Security Testing Methodology Manual):

This manual provides test cases that result in verified facts.

These facts provide actionable information that can measurably improve your
operational security.

By using the OSSTMM you no longer have to rely on general best practices or
anecdotal evidence.

It includes almost all the steps involved in a penetration test.

To download the latest version of OSSTMM, go to the following link:

https://www.isecom.org/OSSTMM.3.pdf

OSSTMM tests the operational security of 5 channels:

Human Security: Security of human interaction and communication is
evaluated operationally as a means of testing.

Physical Security: OSSTMM tests physical security, defined as any
tangible element of security that takes physical effort to operate.

Wireless Communications: Electronic communications, signals, and
emanations are all considered wireless communications that are part of the
operational security testing.

Telecommunications: Whether the telecommunication network is digital or
analog, any communication conducted over telephone or network lines is
tested in the OSSTMM.

Data Networks: Security testing of data networks includes electronic
systems and data networks that are used for communication or interaction
via cable and wired network lines.

The Test Modules:

There are four phases in the execution of this methodology:

A. Induction Phase: the Analyst begins the audit with an
understanding of the audit requirements, the scope, and the constraints
to the auditing of this scope.

B. Interaction Phase: The core of the basic security test requires
knowing the scope in relation to interactions with the targets
conveyed to interactions with assets. This phase will define the scope.

C. Inquest Phase: Much of security auditing is about the information
that the Analyst uncovers. In this phase, the various types of value or
the detriment from misplaced and mismanaged information as an
asset are brought to light.

D. Intervention Phase: focused on the resources the targets require
in the scope. These resources can be switched, changed, overloaded,
or starved to cause penetration or disruption. Assure disruptions do
not affect responses of less invasive tests. The final module, D.17, of
Alert and Log Review, is required to verify prior tests which provided
no interactivity back to the Analyst.

One Methodology: Putting all the modules together provides one
methodology to know and work with. This is one methodology which is
applicable to any and all types of security tests.

NIST (National Institute of Standards and Technology):

The methodology has four steps: planning, discovery, attack, and reporting.

Planning phase: where it is decided how the engagement is going to be
performed.

Discovery phase: divided into two parts. The first part includes
information gathering, network scanning, service identification, and OS
detection; the second part involves vulnerability assessment.

Attack phase: the heart of every penetration test. If you are able
to compromise a target and a new host is discovered, for example because the
system is dual-homed or is connected with multiple interfaces, you go back to
step 2, discovery, and repeat it until no targets are left. It consists of
things such as “gaining access,” “escalating privileges,” “system
browsing,” and “install additional tools.” We will go through each of these
steps in detail in the following chapters.

Reporting phase: runs alongside the other three phases. What is planned is
reported, and each attack on a target is reported together with its results.

OWASP (Open Web Application Security Project):

Covers almost everything that you would test a web application for.

The methodology is comprehensive and is designed by some of the best web
application security researchers.

Top 10 Web Application Security Risks:

Broken Access Control: the most common security bug found in web
applications. Also known as missing authorization, it occurs when an
application does not correctly check for authorization or does not check
for authorization at all. This allows users to view or edit protected data
they should not be able to view or edit.

Cryptographic Failures: cryptographic measures are implemented to make
sure that data is protected; when they are missing or weak, that data is
exposed. Some common issues that fall under cryptographic failures are:

Using HTTP to transmit sensitive data

Hard-coded sensitive data such as API keys

Weak encryption being used

Improper key management

Missing key rotation mechanisms

Injection: happens when a user enters a malicious payload into a website’s
input field. This payload is then processed by the website and executed as
a malicious script written by the hacker. The malicious script is what
performs the actual damage to the website’s server and its data. There are
several different types of injection attacks. All of them involve a malicious
payload. The payload is entered via a form field, URL, or API
(Application Programming Interface).

Insecure Design: The cause of insecure design is the same as the cause of
insecure coding, which is a lack of knowledge and awareness of security
vulnerabilities. Most of the time, security is not taken as a serious issue
and is not included in the list of requirements for software development.

Security Misconfiguration: a broad range of vulnerabilities such as:

Default credentials being used

Server version disclosure

Missing security headers such as X-Frame-Options

Vulnerable and Outdated Components: The most common issue in most
web applications is using components with known vulnerabilities and out-
of-date components. Components like jQuery, Bootstrap, AngularJS, etc.,
are the most vulnerable components, because they are the most used components
in web applications. They are also popular targets for attackers, and
vulnerabilities are found in them more often because of their popularity.

Identification and Authentication Failures: Some common vulnerabilities
that fall under this category are:

Missing brute-force protection

Weak password policy

Missing or weak multi-factor authentication

Improper session management

Software and Data Integrity Failures: Data integrity failures lead to
security flaws. Insecure deserialization, untrusted CDNs, and insecure CI/CD
pipelines are ways in which software fails to maintain the integrity of its
code and data.

Security Logging and Monitoring Failures: Log monitoring is a crucial
part of any security program. It is one of the most important areas of log
management and helps companies detect and analyze security events in
near real-time. Yet, in 40% of organizations, log management systems
cannot detect and analyze security events in near real-time. The reason is
that log monitoring is often insufficiently customized and managed.

Server-Side Request Forgery (SSRF): a vulnerability in which an application
makes a request to a remote host based on user-supplied input without
correctly validating the request or its destination.
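The Broken Access Control and Injection entries above name the two defects but do not show what the vulnerable code looks like next to its fix. The following Python example is added here and is not part of the notes or of OWASP's material. It uses an in-memory SQLite database seeded with constructed sample users and documents; the function names `get_document_vulnerable` and `get_document_hardened` and the table layout are assumptions made for the illustration. It shows a document lookup that checks neither the caller's ownership nor the shape of the id, beside a hardened version that binds the id as a query parameter and makes ownership part of the query.

```python
import sqlite3

# Constructed sample data (not from the notes): two users, each owning one document.
SAMPLE_USERS = [(1, "alice"), (2, "bob")]
SAMPLE_DOCS = [
    (10, 1, "Alice's payroll export"),
    (11, 2, "Bob's draft contract"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database seeded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_DOCS)
    return conn


def get_document_vulnerable(conn, requesting_user_id: int, doc_id: str):
    """Vulnerable pattern, kept here only to contrast with the hardened one.

    - Broken Access Control: requesting_user_id is never consulted, so any
      authenticated user can read any document by changing the id they send.
    - Injection: doc_id is pasted into the SQL text, so anything in the input
      that is not a plain number is handed to the SQL parser as syntax instead
      of being treated as data.
    """
    query = "SELECT id, owner_id, title FROM documents WHERE id = " + doc_id
    return conn.execute(query).fetchone()


def get_document_hardened(conn, requesting_user_id: int, doc_id: str):
    """Hardened version.

    - The id must parse as an integer and is bound as a query parameter, so
      the input can never change the statement.
    - Ownership is part of the WHERE clause, so a document the caller does not
      own is indistinguishable from one that does not exist (no id probing).
    """
    try:
        doc_id_int = int(doc_id)
    except ValueError:
        return None  # reject anything that is not a plain integer id
    return conn.execute(
        "SELECT id, owner_id, title FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id_int, requesting_user_id),
    ).fetchone()


def demo():
    """Exercise both lookups and return the outcomes in a dict."""
    conn = build_db()
    results = {
        # Bob (user 2) asks for Alice's document 10.
        "idor_vulnerable": get_document_vulnerable(conn, 2, "10"),
        "idor_hardened": get_document_hardened(conn, 2, "10"),
        # Alice (user 1) asks for her own document 10.
        "owner_hardened": get_document_hardened(conn, 1, "10"),
        # Bob asks for his own document with a stray apostrophe, as a typo would.
        "typo_hardened": get_document_hardened(conn, 2, "11'"),
    }
    try:
        get_document_vulnerable(conn, 2, "11'")
        results["typo_vulnerable"] = "no error"
    except sqlite3.OperationalError as exc:
        # The apostrophe reached the SQL parser: the input is being read as
        # SQL, which is the root cause behind every injection finding.
        results["typo_vulnerable"] = "sql error: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running `demo()` shows that Bob can read Alice's document through the vulnerable lookup but gets nothing from the hardened one, and that a stray apostrophe in the id produces a SQL error in the vulnerable version (in a live application, that error is the first sign input is being treated as SQL) while the hardened version simply rejects it.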
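The "Missing brute-force protection" and "Security Logging and Monitoring Failures" entries both come down to the same control: authentication failures have to be logged and watched. The following Python detector is an added example, not from the notes. It runs over a few constructed sshd-style log lines (the line format, addresses and user names are made up for the illustration; the addresses come from documentation ranges) and raises an alert when one source address accumulates a threshold of failed logins inside a sliding time window, plus a second alert if that source later logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines in a simplified sshd-style format (made up for
# this example; the addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:04Z sshd: Failed password for bob from 203.0.113.7
2024-05-01T10:00:06Z sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:07Z sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:09Z sshd: Accepted password for alice from 203.0.113.7
2024-05-01T10:05:00Z sshd: Failed password for carol from 198.51.100.2
2024-05-01T10:20:00Z sshd: Failed password for carol from 198.51.100.2
2024-05-01T10:35:00Z sshd: Accepted password for carol from 198.51.100.2
not a log line at all
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return a list of alert dicts.

    brute_force: a source address reached `threshold` failed logins within
    `window_seconds` (sliding window, so attempts spread thinly over hours do
    not trigger it; lower the threshold or widen the window to catch those).
    success_after_burst: a source already flagged for brute force later
    authenticated successfully, which needs an immediate response.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src -> failure timestamps in window
    flagged = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skipped here; a real pipeline should count unparsed lines
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({
                    "type": "brute_force",
                    "src": ev["src"],
                    "failures": len(q),
                    "at": ev["ts"].isoformat(),
                })
        elif ev["src"] in flagged:
            alerts.append({
                "type": "success_after_burst",
                "src": ev["src"],
                "user": ev["user"],
                "at": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the sample lines, 203.0.113.7 produces five failures in six seconds and then a successful login for alice, so two alerts are raised; 198.51.100.2 fails only twice, fifteen minutes apart, and never crosses the threshold. A flagged source stays flagged for the rest of the input, which is deliberate for a short batch run; a long-running detector would expire that state as well.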

Characteristics of a Good Penetration Test

The following characteristics contribute to a good penetration test:

Key Characteristics:

Defined Scope:

A good penetration test begins with a clearly defined scope. This includes
specifying the systems, networks, and applications to be tested, as well as the
limitations of the test.

Realistic Attack Scenarios:

The test should simulate real-world attack scenarios to accurately assess the
organization's security posture. This involves using the same tools and
techniques that malicious actors would use.

Thorough Vulnerability Assessment:

A good penetration test goes beyond simply identifying vulnerabilities. It also
involves analyzing the potential impact of those vulnerabilities and providing
recommendations for remediation.

Comprehensive Reporting:

The penetration test should produce a detailed report that outlines the findings
of the test, including the vulnerabilities that were found, the steps that were
taken to exploit them, and recommendations for remediation.

Ethical Conduct:

Penetration testers must adhere to strict ethical guidelines. This includes
obtaining proper authorization before conducting any tests and protecting the
confidentiality of sensitive information.

Skilled Testers:

It is very important that the penetration testers are skilled. The testers must
have up-to-date knowledge of current threats and how to test for them.

Clear Communication:

Good communication is needed between the penetration testing team and the
organization being tested. This helps to ensure that the testing is conducted
smoothly and that the organization understands the findings of the test.

Additional Considerations:

Regular Testing:

Penetration testing should be conducted on a regular basis to ensure that the
organization's security posture remains strong.

Remediation:

The organization should take steps to remediate the vulnerabilities that are
found during the penetration test.

By adhering to these characteristics, organizations can ensure that their penetration tests
are effective in identifying and mitigating security risks.
