1
00:00:06,180 --> 00:00:08,600
- [Instructor] The process of completing a penetration test

2
00:00:08,600 --> 00:00:11,040
will vary on many different factors.

3
00:00:11,040 --> 00:00:12,210
And of course, the technology

4
00:00:12,210 --> 00:00:14,379
and how you will actually hire

5
00:00:14,379 --> 00:00:16,840
the scope of that engagement.

6
00:00:16,840 --> 00:00:18,940
For example, in some cases,

7
00:00:18,940 --> 00:00:19,920
actually you may be hired

8
00:00:19,920 --> 00:00:22,230
just to look at one application

9
00:00:22,230 --> 00:00:24,070
and one application itself.

10
00:00:24,070 --> 00:00:25,450
And in other cases,

11
00:00:25,450 --> 00:00:27,530
you're actually looking at the whole organization, right?

12
00:00:27,530 --> 00:00:30,200
So some pen testing engagements

13
00:00:30,200 --> 00:00:33,780
will last just a couple of weeks or a few days.

14
00:00:33,780 --> 00:00:35,920
And other ones, in some cases,

15
00:00:35,920 --> 00:00:39,860
actually may endure for a longer period of time.

16
00:00:39,860 --> 00:00:42,800
I'm talking about months, in some cases.

17
00:00:42,800 --> 00:00:43,670
There are also different

18
00:00:43,670 --> 00:00:45,220
penetration testing engagements, right?

19
00:00:45,220 --> 00:00:46,790
So you may be doing penetration testing

20
00:00:46,790 --> 00:00:49,570
for a customer or for your client.

21
00:00:49,570 --> 00:00:53,100
You may be hired by an organization on an ongoing basis.

22
00:00:53,100 --> 00:00:54,700
You're actually doing pen testing

23
00:00:54,700 --> 00:00:56,930
across a very, very large enterprise,

24
00:00:56,930 --> 00:00:59,460
and different sections of that enterprise.

25
00:00:59,460 --> 00:01:01,840
And in some cases, especially you know,

26
00:01:01,840 --> 00:01:03,249
a sister team of mine,

27
00:01:03,249 --> 00:01:05,390
they actually do penetration testing

28
00:01:05,390 --> 00:01:07,230
just specifically finding vulnerabilities

29
00:01:07,230 --> 00:01:11,789
in products and services of a very large company.

30
00:01:11,789 --> 00:01:14,210
So having said that, you know, of course

31
00:01:14,210 --> 00:01:17,860
there's a lot of different dependencies

32
00:01:17,860 --> 00:01:20,130
that you will encounter in this.

33
00:01:20,130 --> 00:01:22,680
The networks and systems being evaluated many times

34
00:01:22,680 --> 00:01:24,610
are very highly complex.

35
00:01:24,610 --> 00:01:26,580
And subsequently, you know

36
00:01:26,580 --> 00:01:29,580
you can actually define it, a very large scope.

37
00:01:29,580 --> 00:01:32,240
And again, we're gonna go into scoping a little bit later,

38
00:01:32,240 --> 00:01:33,840
throughout the presentation.

39
00:01:33,840 --> 00:01:37,560
But why do we need to actually follow a methodology?

40
00:01:37,560 --> 00:01:39,410
Right, for pen testing, right?

41
00:01:39,410 --> 00:01:43,710
Now, when performing a penetration test for a customer,

42
00:01:43,710 --> 00:01:44,880
for example,

43
00:01:44,880 --> 00:01:48,380
you must show that the methods you want to use

44
00:01:48,380 --> 00:01:51,650
for the testing are actually, you know, true,

45
00:01:51,650 --> 00:01:54,660
that you actually have done a good methodology before.

46
00:01:54,660 --> 00:01:55,493
And not only that,

47
00:01:55,493 --> 00:01:59,130
but it allows you to organize your work

48
00:01:59,130 --> 00:02:01,080
to then, you know, follow through.

49
00:02:01,080 --> 00:02:01,913
But at the end of the day,

50
00:02:01,913 --> 00:02:04,020
there are many different penetration testing

51
00:02:04,020 --> 00:02:05,963
methodologies out there, right?

52
00:02:05,963 --> 00:02:08,370
Methodologies for testing mobile applications,

53
00:02:08,370 --> 00:02:10,202
networking infrastructure devices,

54
00:02:10,202 --> 00:02:12,840
testing wireless networks, and so on.

55
00:02:12,840 --> 00:02:15,230
But a few things that I want to,

56
00:02:15,230 --> 00:02:19,652
or a few methodologies that I want to highlight to you,

57
00:02:19,652 --> 00:02:23,903
is the Penetration Testing Execution Standard, or PTES,

58
00:02:23,903 --> 00:02:28,300
and that's actually defined in different distinct phases.

59
00:02:28,300 --> 00:02:31,700
Pre-engagement interactions, intelligence gathering.

60
00:02:31,700 --> 00:02:34,720
So that means you are doing reconnaissance,

61
00:02:34,720 --> 00:02:37,270
both passive and active reconnaissance

62
00:02:37,270 --> 00:02:39,050
and we're gonna cover all these concepts

63
00:02:39,050 --> 00:02:40,306
throughout the course.

64
00:02:40,306 --> 00:02:42,410
You also do threat modeling

65
00:02:42,410 --> 00:02:45,060
after you find, you know,

66
00:02:45,060 --> 00:02:47,610
all the specific details, whether it's active

67
00:02:47,610 --> 00:02:50,070
or in the passive reconnaissance exercise.

68
00:02:50,070 --> 00:02:51,750
And then once you actually do the threat modeling,

69
00:02:51,750 --> 00:02:53,630
you actually do the vulnerability analysis.

70
00:02:53,630 --> 00:02:56,120
You move into the exploitation phase.

71
00:02:56,120 --> 00:02:59,520
And in some cases, you may not be allowed,

72
00:02:59,520 --> 00:03:03,010
depending on the scope, on doing post exploitation.

73
00:03:03,010 --> 00:03:05,800
But in most cases you may actually be able to

74
00:03:05,800 --> 00:03:09,600
mimic a true attacker, and do post exploitation.

75
00:03:09,600 --> 00:03:13,080
And that means moving laterally or doing pivoting,

76
00:03:13,080 --> 00:03:16,860
compromising other systems, exfiltrating data,

77
00:03:16,860 --> 00:03:18,180
maintaining persistence,

78
00:03:18,180 --> 00:03:19,760
and doing command and control.

79
00:03:19,760 --> 00:03:22,150
And all these concepts you're gonna learn

80
00:03:22,150 --> 00:03:24,010
throughout the presentation

81
00:03:24,010 --> 00:03:26,190
and throughout this course.

82
00:03:26,190 --> 00:03:27,860
Once you finish, you know,

83
00:03:27,860 --> 00:03:30,540
your post exploitation and, you know,

84
00:03:30,540 --> 00:03:32,900
conclude your assessment,

85
00:03:32,900 --> 00:03:34,960
then you move into the reporting phase.

86
00:03:34,960 --> 00:03:37,280
And of course, that's what you get hired for

87
00:03:37,280 --> 00:03:40,680
is to actually create a report for your client.

88
00:03:40,680 --> 00:03:45,150
And that report must also have a few other things.

89
00:03:45,150 --> 00:03:47,030
That report should have mitigations,

90
00:03:47,030 --> 00:03:48,878
it should have recommendations,

91
00:03:48,878 --> 00:03:52,392
and also a method of rating

92
00:03:52,392 --> 00:03:55,310
how severe the vulnerabilities are,

93
00:03:55,310 --> 00:03:57,320
and the risks of those vulnerabilities.

94
00:03:57,320 --> 00:04:00,070
And we're actually gonna be covering that in detail

95
00:04:00,070 --> 00:04:02,020
whenever we talk about, you know,

96
00:04:02,020 --> 00:04:06,000
best practices of penetration testing reports.

97
00:04:06,000 --> 00:04:09,410
Now there are a few other penetration testing

98
00:04:09,410 --> 00:04:11,270
or I will say methodologies

99
00:04:11,270 --> 00:04:13,750
for security testing out there.

100
00:04:13,750 --> 00:04:17,290
One of the most popular as well,

101
00:04:17,290 --> 00:04:18,630
basically is a document created

102
00:04:18,630 --> 00:04:21,880
by the National Institute of Standards and Technology

103
00:04:21,880 --> 00:04:24,010
for the purpose of providing organizations

104
00:04:24,010 --> 00:04:25,830
with guidelines on planning

105
00:04:25,830 --> 00:04:28,850
and conducting any information security testing.

106
00:04:28,850 --> 00:04:30,040
If you look at the document,

107
00:04:30,040 --> 00:04:32,250
they actually have four different phases,

108
00:04:32,250 --> 00:04:34,530
but they pretty much align

109
00:04:34,530 --> 00:04:37,250
with the Penetration Testing Execution Standard, right.

110
00:04:37,250 --> 00:04:39,730
They just condense it into a few others.

111
00:04:39,730 --> 00:04:42,860
You also have the Open Source Security Testing

112
00:04:42,860 --> 00:04:47,860
Methodology Manual, or the OSSTMM, for short.

113
00:04:47,960 --> 00:04:50,680
And one of my favorite ones,

114
00:04:50,680 --> 00:04:54,660
especially whenever it comes to penetration testing

115
00:04:54,660 --> 00:04:58,850
for web applications is the OWASP penetration testing,

116
00:04:58,850 --> 00:05:02,190
or the testing methodology, right?

117
00:05:02,190 --> 00:05:05,500
And I'm actually highlighting these.

118
00:05:05,500 --> 00:05:07,380
We're actually gonna be covering a lot

119
00:05:07,380 --> 00:05:11,000
of these concepts on methodologies throughout the course.

120
00:05:11,000 --> 00:05:14,490
So, but these are amazing references

121
00:05:14,490 --> 00:05:16,550
for you to become familiar with.

122
00:05:16,550 --> 00:05:19,100
Now that I mentioned a few of the methodologies,

123
00:05:19,100 --> 00:05:20,480
you know I want to also share with you

124
00:05:20,480 --> 00:05:22,470
some of the most common terms used

125
00:05:22,470 --> 00:05:25,160
for the types of penetration testing

126
00:05:25,160 --> 00:05:26,920
that we actually see today, right?

127
00:05:26,920 --> 00:05:29,060
And you may be testing a web application,

128
00:05:29,060 --> 00:05:30,810
as I mentioned to you,

129
00:05:30,810 --> 00:05:34,050
just focusing on that specific application

130
00:05:34,050 --> 00:05:35,765
or several applications,

131
00:05:35,765 --> 00:05:37,830
perhaps a cloud service.

132
00:05:37,830 --> 00:05:40,470
And you do this by actually not only looking at

133
00:05:40,470 --> 00:05:43,188
the traditional application itself,

134
00:05:43,188 --> 00:05:45,600
like the front end and the back end of the database,

135
00:05:45,600 --> 00:05:48,660
but we also look at things

136
00:05:48,660 --> 00:05:52,355
that are a little bit more modern, like APIs,

137
00:05:52,355 --> 00:05:55,500
single sign-on, and how authentication is actually done,

138
00:05:55,500 --> 00:05:57,640
like OpenID, and some other ones.

139
00:05:57,640 --> 00:06:01,210
We will be covering that later in the course.

140
00:06:01,210 --> 00:06:03,680
Now you also can take a little bit different approach

141
00:06:03,680 --> 00:06:05,448
of testing infrastructure devices

142
00:06:05,448 --> 00:06:07,610
and even testing the security devices

143
00:06:07,610 --> 00:06:10,189
that are supposed to protect your network.

144
00:06:10,189 --> 00:06:13,560
You also do testing of wireless networks

145
00:06:13,560 --> 00:06:14,560
and in some cases, actually,

146
00:06:14,560 --> 00:06:16,610
you're just hired to do that,

147
00:06:16,610 --> 00:06:19,252
just to test the wireless infrastructure

148
00:06:19,252 --> 00:06:21,408
of an organization.

149
00:06:21,408 --> 00:06:26,070
You may also be hired to test just a physical facility.

150
00:06:26,070 --> 00:06:31,070
So a physical assessment for that organization.

151
00:06:31,720 --> 00:06:35,550
That means, can you use social engineering,

152
00:06:35,550 --> 00:06:39,800
and bypass security, you know,

153
00:06:39,800 --> 00:06:41,550
physical security implementations,

154
00:06:41,550 --> 00:06:44,240
like, you know, just a normal guard or gates,

155
00:06:44,240 --> 00:06:45,600
or, you know, badges,

156
00:06:45,600 --> 00:06:47,080
you can clone badges and so on.

157
00:06:47,080 --> 00:06:49,230
Right, so there are many organizations

158
00:06:49,230 --> 00:06:52,050
that actually have individuals

159
00:06:52,050 --> 00:06:54,917
just focused on physical penetration testing.

160
00:06:54,917 --> 00:06:58,310
Now another one is of course, social engineering, right?

161
00:06:58,310 --> 00:07:00,490
And a lot of the compromises nowadays

162
00:07:00,490 --> 00:07:03,200
actually start with some type of social engineering attack.

163
00:07:03,200 --> 00:07:06,239
We will be covering this in detail

164
00:07:06,239 --> 00:07:08,147
later in the course.

165
00:07:08,147 --> 00:07:11,559
But of course, you know, in some examples,

166
00:07:11,559 --> 00:07:13,271
or in some engagements,

167
00:07:13,271 --> 00:07:17,180
you may be hired just to do social engineering

168
00:07:17,180 --> 00:07:19,081
or to combine social engineering

169
00:07:19,081 --> 00:07:23,740
with technical penetration testing capabilities.

170
00:07:23,740 --> 00:07:25,839
Now that I'm talking about technical,

171
00:07:25,839 --> 00:07:30,421
there's a few methods that you also hear out there.

172
00:07:30,421 --> 00:07:33,320
One is called black box testing.

173
00:07:33,320 --> 00:07:35,470
Another one is called white box.

174
00:07:35,470 --> 00:07:38,400
And the third one is called gray box testing.

175
00:07:38,400 --> 00:07:41,430
And basically black box testing

176
00:07:41,430 --> 00:07:44,950
is whenever you, as a tester,

177
00:07:44,950 --> 00:07:48,020
have a very, very limited amount of information,

178
00:07:48,020 --> 00:07:50,170
in some cases, no information at all,

179
00:07:50,170 --> 00:07:51,610
about your victim, right?

180
00:07:51,610 --> 00:07:53,217
About the systems that you actually

181
00:07:53,217 --> 00:07:56,321
may be attacking or assessing.

182
00:07:56,321 --> 00:07:58,130
Now, in that case, of course,

183
00:07:58,130 --> 00:08:01,640
at least you have to know some type of scope and permission,

184
00:08:01,640 --> 00:08:04,590
but your client or your organization

185
00:08:04,590 --> 00:08:06,730
may not give you a lot of information.

186
00:08:06,730 --> 00:08:09,560
So you have to do a lot of reconnaissance yourself.

187
00:08:09,560 --> 00:08:11,450
And that's whenever, you know, of course

188
00:08:11,450 --> 00:08:12,640
things get interesting,

189
00:08:12,640 --> 00:08:15,733
especially around scope in some cases.

190
00:08:16,670 --> 00:08:18,640
Now you also have the concept

191
00:08:18,640 --> 00:08:21,310
of a white box penetration tester.

192
00:08:21,310 --> 00:08:22,730
And that's whenever you have

193
00:08:22,730 --> 00:08:24,570
a significant amount of information

194
00:08:24,570 --> 00:08:25,970
about the organization,

195
00:08:25,970 --> 00:08:28,410
the infrastructure, the applications,

196
00:08:28,410 --> 00:08:30,440
in some cases, you even have access

197
00:08:30,440 --> 00:08:34,387
to the source code of applications, system designs,

198
00:08:34,387 --> 00:08:37,920
documentation, engineering documentation,

199
00:08:37,920 --> 00:08:39,800
and even documentation about APIs

200
00:08:39,800 --> 00:08:43,320
like Swagger files and WSDL files.

201
00:08:43,320 --> 00:08:45,860
And we're gonna be covering all this later

202
00:08:45,860 --> 00:08:47,410
in the presentation as well.

203
00:08:47,410 --> 00:08:50,290
Right, but that is what white box testing is.

204
00:08:50,290 --> 00:08:51,390
Now a gray box,

205
00:08:51,390 --> 00:08:54,990
and you may be figuring this out already.

206
00:08:54,990 --> 00:08:57,590
You know, it's a permutation between the two, right?

207
00:08:57,590 --> 00:08:59,320
So somewhat of a hybrid approach

208
00:08:59,320 --> 00:09:03,100
between black and white box testing methodologies,

209
00:09:03,100 --> 00:09:05,509
where you actually have some information,

210
00:09:05,509 --> 00:09:07,470
but not a full documentation

211
00:09:07,470 --> 00:09:09,130
of the network infrastructure

212
00:09:09,130 --> 00:09:12,160
or not access to source code, for example