The Rules of Engagement (RoE) of penetration testing refer to the scope, parameters, and rules of reporting of a given testing activity.
Penetration Testing is the process of identifying an organization’s vulnerabilities by breaking into the organization’s environment, and providing recommendations on how to fix them. Professional penetration testing is always done with written permission from the system owner.
There are three different attack profiles that may be encountered when penetration testing: white-box, gray-box, and black-box. These represent different levels of visibility into an environment.
White-Box penetration testing is done with full knowledge of the environment, simulating attacks from knowledgeable insiders. This type of testing can also be used to follow up on discoveries made during other types of penetration testing activities.
Gray-Box penetration testing is done with partial knowledge of the environment, simulating an attacker with some insider knowledge. It requires some reconnaissance on the part of the penetration testing effort.
Black-Box penetration testing is done with no knowledge of the environment, simulating an external attack. The penetration tester can only obtain information through reconnaissance, passive & active system scanning, social engineering, etc.
Lateral Movement is when an attacker pivots from an already compromised host to gain control over other hosts.
Privilege Escalation is the exploitation of a vulnerability to increase one’s access in the environment.
Typically, the goal of privilege escalation techniques is to gain root or administrator access of a system, network, or domain.
Persistence is an attacker’s ability to maintain access after an initial attack.
Pivoting is when an attacker uses the access gained in the exploitation phase to repeat the phases of a pen testing attack against other systems.
Bug Bounties are created by organizations to incentivize people to discover bugs or vulnerabilities in software, websites, etc. with a monetary reward. Reward sizes typically increase with the severity of the bug found.
In penetration testing, some exercises may use two competing teams. These teams fall into one of the following categories: red-team, blue-team, or purple-team.
Active Reconnaissance involves actively interacting with the target. Meanwhile, Passive Reconnaissance does NOT involve actively interacting with the target.
In cybersecurity, reconnaissance refers to an attacker interacting with a victim’s system in order to gain more information about the victim or their system.
Reconnaissance can also refer to pen-testers gathering more information about a system. While pen-testers have good intentions and are often employed by the company they’re performing reconnaissance on, they may act like attackers during this process.
Some common tools & techniques used for active reconnaissance are social engineering, drones/unmanned aerial vehicles (UAVs), “war flying”, “war driving”, footprinting, and Open Source Intelligence (OSINT).
OSINT (Open-Source Intelligence) is reconnaissance that uses publicly available information. OSINT relies heavily on social media platforms and search engines to find information.
Footprinting is the process of determining what software a network host is running. Tools like Nmap might be used for this.
War Driving is a hybrid digital/physical reconnaissance technique where an attacker will drive around scanning for Wi-Fi networks from their vehicle. In penetration testing, this can be used to create maps of network coverage, and search for insecure networks.
War Flying is a hybrid digital/physical technique where an attacker will fly a drone around scanning for Wi-Fi networks. This is essentially war driving, but using a drone instead of a car.