Penetration testing reporting and methodology

Rashad Aliyev
PhD. Lourdes Peñalver
Cordoba, Spain, 25.09.2015

Keywords: PenTest, Penetration Testing, Network testing, bug bounty, InfoSec, Cyber Security

Upload: rashad-aliyev

Post on 12-Feb-2017


What is Penetration testing

* CEH Materials

Why Penetration testing?

Security Audit: A security audit just checks whether the organization is following a set of standard security policies and procedures.

Vulnerability Assessment: A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication of whether the vulnerabilities can be exploited or of the amount of damage that may result from successful exploitation of a vulnerability.

Penetration Testing: Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates whether the vulnerabilities in the system can be successfully exploited by attackers.

Audit vs Penetration testing?

Audit:
- Check set of standards
- Create report by standards

Penetration testing:
- Find vulnerabilities
  - Foot printing
  - Exploiting
- Generate report

Types

• Internal, External(1)
• Blackbox, Whitebox(2), Greybox(3)
• Announced, Unannounced(1)
• Passive, Active scans
• Automated, Manual(1)

1. CEH course modules
2. A Penetration Testing Model. Federal Office for Information Security (BSI), Bonn. P14
3. Using w3af to achieve automated penetration testing by live DVD/live USB. P1-2

Methodologies

• Planning, Discovery, Exploiting, Reporting*
• Preparation, Anonymity, Foot Printing, Analysis, Exploiting, Reporting, Advisory**
• Preparation, Reconnaissance, Analysis of Information / Risks, Active Intrusion Attempts, Final Analysis / Clean-Up***
• Planning, Discovery, Attack, Reporting****

* A. Bechtsoudis, N. S. Aiming at Higher Network Security Through Extensive Penetration Tests. IEEE Latin America Transactions, 2012, 10, 1752 - 1756
** Parvin Ami, A. H. Seven Phrase Penetration Testing Model. International Journal of Computer Applications, 2012, 59, 16-20
*** Study: A Penetration Testing Model. Federal Office for Information Security (BSI), 2003
**** Scarfone, K. A.; Souppaya, M. P.; Cody, A. & Orebaugh, A. D. SP 800-115. Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology, 2008

Used Methodology

Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.*

* SANS Institute, Penetration Testing: Assessing Your Overall Security Before Attackers Do

The Problem

× Format: There is no standard format for penetration testing.
× Compare: There is no system for comparing two different reports.
× Systematize: There is no method to help us write reports and generate them.

Report format - Styles

American Psychological Association (APA) Style [1]

Page design, Document Control, List of Report Content, Executive Summary, Methodology, Detail findings, References, Appendices, Glossary [2]

A Cover Sheet, The Executive Summary, Summary of Vulnerabilities, Test Team Details, List of the Tools Used, A copy of the original scope of work, The main body of the report, Final delivery [3]

[1] Thomas Wilhelm. Professional Penetration Testing. Syngress, 2009.
[2] Mansour A Alharbi. Writing a penetration testing report. SANS Institute, April 2010.
[3] Mike Sheward. The art of writing penetration test reports. January 2012.

Report format – Our Idea

– For top management
  • Title page
  • Executive Summary

– For technical workers
  • Title page
  • Executive Summary
  • Test Team Details
  • Summary of Vulnerabilities
  • References
  • Glossary

Idea

01 Planning
- Penetration tests

02 Foot printing
- Upload scan result
- Send bug
- View results

03 Exploiting
- Send attack result

04 Reporting
- Generate Report
- Compare Reports

Site for Penetration testing

www.penteston.com

- Planning
- Foot printing
- Exploiting
- Reporting

01. Planning

- Test name
- Scope of Work
- Contract or NDA
- Conduct (Whitebox, Greybox, Blackbox)
- Type (Internal, External, Application-layer, Network-layer)
- Team detail

02. Foot Printing

Scan report
- Multiple alerts
- From one of the scanners
- Upload file

Alert
- Manual send alert
- Detailed information about alert

03. Exploiting

- Alert Level - Low, Medium or High level of alert
- Detailed information about alert

04. Reporting & Compare

- Detailed report for developers
- Short key information for managers
- Report for managers
- Archive
- Staff
- For compare reports
- Compare
- Style
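The two report views from "Report format – Our Idea" and the comparison step from "04. Reporting & Compare", as an added example that is not code from the slides or from penteston.com. The Alert fields, the matching rule (same target and title, case-insensitive) and the sample alerts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}  # alert levels named on the Exploiting slide

@dataclass(frozen=True)
class Alert:
    target: str  # host or URL the alert applies to (hypothetical field)
    title: str
    level: str   # "Low", "Medium" or "High"

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown alert level: {self.level!r}")

    @property
    def key(self):
        # Assumed identity rule for matching one alert across two reports.
        return (self.target.strip().lower(), self.title.strip().lower())

def executive_summary(test_name, alerts):
    """Manager view: alert counts per level, highest level first."""
    counts = dict.fromkeys(LEVELS, 0)
    for a in alerts:
        counts[a.level] += 1
    order = sorted(LEVELS, key=LEVELS.get, reverse=True)
    return f"{test_name}: " + ", ".join(f"{counts[l]} {l}" for l in order)

def technical_summary(alerts):
    """Technical view: every alert, most severe first, then by target."""
    ordered = sorted(alerts, key=lambda a: (-LEVELS[a.level], a.target, a.title))
    return [f"[{a.level}] {a.target} - {a.title}" for a in ordered]

def compare_reports(old, new):
    """Split alerts into new, no longer reported, and changed in level."""
    old_by_key, new_by_key = ({a.key: a for a in r} for r in (old, new))
    changed = sorted((k, old_by_key[k].level, new_by_key[k].level)
                     for k in old_by_key.keys() & new_by_key.keys()
                     if old_by_key[k].level != new_by_key[k].level)
    return {"new": sorted(new_by_key.keys() - old_by_key.keys()),
            "resolved": sorted(old_by_key.keys() - new_by_key.keys()),
            "changed": changed}

# Constructed sample data: two tests of the same scope.
Q1 = [Alert("app.example.test", "SQL injection in login form", "High"),
      Alert("app.example.test", "Missing HSTS header", "Low"),
      Alert("10.0.0.5", "SSH allows password authentication", "Medium")]
Q2 = [Alert("APP.example.test", "Missing HSTS header", "Medium"),
      Alert("10.0.0.5", "SSH allows password authentication", "Medium"),
      Alert("10.0.0.7", "SNMP default community string", "High")]
```

An alert listed under "resolved" is only absent from the later report; it still needs a retest before it is treated as fixed.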

Future Work

- Open beta testing (in process)
- Start analyzing for new features (in process)
- Get new features (in process)
- Finish small works on project (in process)

Rashad Aliyev
Universitat Politècnica de València
[email protected]
@alievinfo

Thank you

www.penteston.com