In this lesson, I'm going to talk about pentesting. What is penetration testing, and how is it a process rather than a set of tools that you need to look at? NIST 800-115 defines what an information security assessment is. The document says an information security assessment is the process of determining how effectively an entity being assessed (e.g. a host, system, network, procedure, person), known as the assessment object, meets specific security objectives. In other words, pentesting or penetration testing is the process of attacking information assets at the request of a system or service owner while being authorized by someone in authority over the system. So, that's my definition of it.

Pentesting is a process. It's not a set of tools. In my opinion, pentesting, the methodology, is so much more important than any tools that you're going to use. Tools come and go, and that's why looking at the process as a whole, instead of the tools that you're going to use, is the most important thing. So, if you're taking a certification, and the focus is on the tools rather than the actual process, then you may need to think about which certification you're looking at. There are plenty of jobs out there right now for computer industry experts, but those people have certain certifications in penetration testing. If they're not looking at the methodology and they're only looking at the tools, they can't switch from tool to tool, because tools change. So, exploitation of a system or penetration of the assets is a very small part of the entire process. That's why, if you're focusing on the tools, you're going to fall behind and you're not going to do a very good job of pentesting, because you're not focusing on the methodology. You're only focused on how the tools can provide you the information that you need.

There are tools and frameworks out there. NIST 800-115 is the Technical Guide to Information Security Testing and Assessment. It covers three different phases: planning, execution and post-execution. In my opinion, there's a lot more methodology. But NIST 800-115, even though it says three steps, has all the methodology steps in just those three, whereas the Penetration Testing Execution Standard, or PTES, really outlines all the steps at once and says the seven are pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting.

Now, when we cover the majority of the penetration testing methodology, we're going to specifically focus on intelligence gathering, vulnerability analysis, exploitation and reporting as well. The first thing that we're going to do is discovery and reconnaissance. This is looking at what our target is. How do I go about looking at what I need to compromise? How am I going to compromise the system by gathering all the information about the system? And that also goes into enumeration. How am I looking at this process objectively and looking at each one of these steps in order? And have I done my reconnaissance well enough? Vulnerability or threat discovery is the next one. How do I use the information that I've learned in the reconnaissance or discovery phase in order to come up with the vulnerabilities and threats that I'm going to use in my next step, which is exploitation? Exploitation should be a very streamlined process, and we'll talk about that here in a video or two: if you've done the discovery, reconnaissance, enumeration, and threat discovery, your exploitation should be very streamlined. Record keeping and reporting is your final process, where you're going to record what you've done or the steps that you've taken.

Now, there are two types of pentesting out there. There's black box and there's crystal box. Black box means that you know nothing about the system. It's maybe just an IP address, or maybe it's a computer somebody gives you and says, break into this. The test may be harder because you don't have any knowledge of the system; the methodology and the recon become very important as the process in this case. Crystal box testing, you know something or everything about the system. It's a clear box. You can see inside exactly what it's doing. The test may be easier since you know where to start. However, if you're using a lot of tools to attempt to compromise or exploit that system or that asset, you may end up with false negatives, since you think you know everything about that system. In my experience, crystal box testing is much easier to do, but that's only if you follow the process.

So, some things to watch out for in the entire pentesting process. Number one, you need to communicate. You need to communicate with everybody that you're going to be interacting with. You need to be communicating with the system owners or the service owners. You need to have authorization. Make sure you have authorization. This above all else. Reporting. Make sure that your report is not only detailed for any executive management but also for anyone that needs to understand what you are doing as a whole: anything that you've changed, any system that you've touched. Recon is important. Recon helps you understand what you are trying to attack. And then finally, be aware of the fallout. There can be fallout if you're not following the methodology or you're not following the tools as they should be followed. Now, if you're using a lot of tools, the tools create a lot of noise. So, watch out for that as well.
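To tie the process points together (authorization above all else, staying in scope, recording every system touched and anything changed, and keeping the phases in order), here is an added example that is not part of the lesson: a small Python engagement record keeper. The class and function names, the phase labels, and the sample engagement data (RFC 5737 documentation addresses, a made-up client and authorizer) are assumptions made for illustration; the rule that exploitation of a host is only logged after threat discovery has been logged for it is this example's own encoding of the lesson's ordering, not a rule from NIST or PTES.

```python
# Added example (not from the lesson): an engagement record keeper that
# enforces "have authorization", "stay in scope", and "record every system
# you touched and anything you changed". All names and sample data below
# are assumptions made for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The lesson's phases, in the order they should happen.
PHASES = ("discovery", "enumeration", "threat-discovery", "exploitation", "reporting")


class EngagementError(Exception):
    """Raised when an action would violate authorization, scope or phase order."""


@dataclass(frozen=True)
class Action:
    when: str          # ISO-8601 UTC timestamp
    phase: str         # one of PHASES
    target: str        # IP address of the system touched
    summary: str       # what was done, in one line
    changed: bool      # True if the system was modified (must appear in the report)
    tool: Optional[str] = None


class Engagement:
    """Append-only log of what the tester did, gated on authorization and scope."""

    def __init__(self, client: str, authorized_by: Optional[str], scope: List[str]):
        self.client = client
        self.authorized_by = authorized_by          # None = no authorization on file
        self.scope = [ip_network(s, strict=False) for s in scope]
        self.actions: List[Action] = []

    def in_scope(self, target: str) -> bool:
        """A target is in scope only if it is a valid IP inside an authorized range."""
        try:
            addr = ip_address(target)
        except ValueError:
            return False
        return any(addr in net for net in self.scope)

    def record(self, phase: str, target: str, summary: str, changed: bool = False,
               tool: Optional[str] = None, when: Optional[str] = None) -> Action:
        """Log one action; refuse anything unauthorized, out of scope or out of order."""
        if self.authorized_by is None:
            raise EngagementError("no authorization on file: do not touch the target")
        if phase not in PHASES:
            raise EngagementError(f"unknown phase {phase!r}")
        if not self.in_scope(target):
            raise EngagementError(f"{target} is outside the authorized scope")
        # Ordering rule (this example's assumption): exploitation of a host is
        # only recorded after threat discovery has been recorded for that host.
        if phase == "exploitation" and not any(
                a.target == target and a.phase == "threat-discovery" for a in self.actions):
            raise EngagementError(f"no threat discovery recorded for {target} yet")
        stamp = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        action = Action(stamp, phase, target, summary, changed, tool)
        self.actions.append(action)
        return action

    def systems_touched(self) -> List[str]:
        return sorted({a.target for a in self.actions})

    def changes_made(self) -> List[Action]:
        return [a for a in self.actions if a.changed]

    def report(self) -> str:
        """Plain-text summary: who authorized it, what was touched, what was changed."""
        lines = [f"Engagement: {self.client}",
                 f"Authorized by: {self.authorized_by}",
                 f"Scope: {', '.join(str(n) for n in self.scope)}",
                 f"Systems touched: {', '.join(self.systems_touched()) or 'none'}",
                 "Changes made:"]
        lines += [f"  {a.when} {a.target}: {a.summary}" for a in self.changes_made()] or ["  none"]
        lines.append("Timeline:")
        lines += [f"  {a.when} [{a.phase}] {a.target} {a.summary}"
                  + (f" (tool: {a.tool})" if a.tool else "") for a in self.actions]
        return "\n".join(lines)


def is_rejected(e: Engagement, phase: str, target: str) -> bool:
    """True if recording this action would be refused by the engagement's rules."""
    try:
        e.record(phase, target, "probe")
    except EngagementError:
        return True
    return False


def sample_engagement() -> Engagement:
    """Constructed sample data: RFC 5737 documentation addresses, not real systems."""
    e = Engagement("Example Corp lab", "J. Doe, IT Director (signed SOW)", ["192.0.2.0/28"])
    e.record("discovery", "192.0.2.10", "host answers on the network", when="2024-01-01T09:00:00+00:00")
    e.record("enumeration", "192.0.2.10", "listed exposed services", tool="port scanner", when="2024-01-01T09:15:00+00:00")
    e.record("threat-discovery", "192.0.2.10", "outdated web server version noted", when="2024-01-01T10:00:00+00:00")
    e.record("exploitation", "192.0.2.10", "test account created to confirm access", changed=True, when="2024-01-01T11:00:00+00:00")
    return e


if __name__ == "__main__":
    print(sample_engagement().report())
```

The report lists every system touched and every change separately from the timeline, so the "anything you've changed, any system you've touched" part of the write-up cannot be forgotten, and the three refusals in `record` are where the process, not the tools, stops a tester from stepping outside what was authorized.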