Pentesting Fundamentals TryHackMe

Mohammadaassif
8 min read · Jan 3, 2022

Learn the important ethics and methodologies behind every pentest

Pentesting Fundamentals is a new and interesting topic. Let's look at what this room covers.

Task 1 What is Penetration Testing?

Before teaching you the technical hands-on aspects of ethical hacking, you’ll need to understand more about what a penetration tester’s job responsibilities are and what processes are followed in performing pentests (finding vulnerabilities in a client's application or system).

The importance and relevancy of cybersecurity are ever-increasing and can be in every walk of life. News headlines fill our screens, reporting yet another hack or data leak.

Cybersecurity is relevant to everyone in the modern world, from a strong password policy protecting your emails to businesses and other organisations needing to protect both their devices and their data from damage.

A penetration test, or pentest, is an ethically driven attempt to test and analyse the security defences that protect these assets and pieces of information. A penetration test uses the same tools, techniques, and methodologies that someone with malicious intent would use, and is similar to an audit.

According to Security Magazine, a cybersecurity industry magazine, there are over 2,200 cyber attacks every day — 1 attack every 39 seconds.

Answer the questions below

Read me!

No Answer Needed

Task 2 Penetration Testing Ethics

The battle of legality and ethics in cybersecurity, let alone penetration testing, is always controversial. Labels like “hacking” and “hacker” often hold negative connotations, especially in pop culture, thanks to a few bad apples. The idea of legally gaining access to a computer system is a challenging concept to grasp — after all, what makes it legal exactly?

Recall that a penetration test is an authorised audit of a computer system’s security and defences, as agreed by the owners of the systems. The legality of penetration testing is pretty clear-cut in this sense; anything that falls outside of this agreement is deemed unauthorised.

Before a penetration test starts, a formal discussion occurs between the penetration tester and the system owner. Various tools, techniques, and systems to be tested are agreed on. This discussion forms the scope of the penetration testing agreement and will determine the course the penetration test takes.

Companies that provide penetration testing services are held to legal frameworks and industry accreditation. For example, the National Cyber Security Centre (NCSC) runs the CHECK accreditation scheme in the UK. This scheme means that only “[CHECK] approved companies can conduct authorized penetration tests of public sector and CNI systems and networks.” (NCSC).

Ethics is the moral debate between right and wrong; where an action may be legal, it may go against an individual’s belief system of right and wrong.

Penetration testers will often be faced with potentially morally questionable decisions during a penetration test: for example, gaining access to a database and being presented with potentially sensitive data, or performing a phishing attack on an employee to test an organisation’s human security. If that action has been agreed upon during the initial stages, it is legal, however ethically questionable it may be.

Hackers are sorted into three hats, where their ethics and motivations behind their actions determine what hat category they are placed into. Let’s cover these three in the table below:

Rules of Engagement (ROE)

The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections (explained in the table below), which are ultimately responsible for deciding how the engagement is carried out. The SANS institute has a great example of this document which you can view online here.

Answer the questions below

You are given permission to perform a security audit on an organization; what type of hacker would you be?

Ans=White Hat

You attack an organization and steal their data, what type of hacker would you be?

Ans=Black Hat

What document defines how a penetration testing engagement should be carried out?

Ans=Rules of Engagement

Task 3 Penetration Testing Methodologies

Penetration tests can have a wide variety of objectives and targets within scope. Because of this, no two penetration tests are the same, and there is no one-size-fits-all approach to how a penetration tester should proceed.

The steps a penetration tester takes during an engagement are known as the methodology. A practical methodology is a smart one, where the steps taken are relevant to the situation at hand. For example, a methodology you would use to test the security of a web application is not practical when you have to test the security of a network.

Before discussing some different industry-standard methodologies, we should note that all of them have a general theme of the following stages:

OSSTMM

The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.

The methodology focuses primarily on how these systems and applications communicate, so it includes a methodology for:

  1. Telecommunications (phones, VoIP, etc.)
  2. Wired Networks
  3. Wireless communications

OWASP

The “Open Web Application Security Project” framework is a community-driven and frequently updated framework used solely to test the security of web applications and services.

The foundation regularly writes reports stating the top ten security vulnerabilities a web application may have, the testing approach, and remediation.

NIST Cybersecurity Framework 1.1

The NIST Cybersecurity Framework is a popular framework used to improve an organisation’s cybersecurity standards and manage the risk of cyber threats. This framework is a bit of an honourable mention because of its popularity and detail.

The framework provides guidelines on security controls & benchmarks for success for organisations from critical infrastructure (power plants, etc.) all through to commercial. There is a limited section on a standard guideline for the methodology a penetration tester should take.

NCSC CAF

The Cyber Assessment Framework (CAF) is an extensive framework of fourteen principles used to assess the risk of various cyber threats and an organisation’s defences against these.

The framework applies to organisations considered to perform “vitally important services and activities”, such as critical infrastructure, banking, and the like. The framework mainly focuses on and assesses the following topics:

  • Data security
  • System security
  • Identity and access control
  • Resiliency
  • Monitoring
  • Response and recovery planning

Answer the questions below

What stage of penetration testing involves using publicly available information?

Ans=Information Gathering

If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We’re looking for the acronym here and not the full name.

Ans=OSSTMM

What framework focuses on the testing of web applications?

Ans=OWASP

Task 4 Black box, White box, Grey box Penetration Testing

There are three primary scopes when testing an application or service. Your understanding of your target will determine the level of testing that you perform in your penetration testing engagement. In this task, we’ll cover these three different scopes of testing.

Black-Box Testing

This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service.

The tester acts as a regular user testing the functionality and interaction of the application or piece of software. This testing can involve interacting with the interface, i.e. buttons, and testing to see whether the intended result is returned. No knowledge of programming or understanding of the programme is necessary for this type of testing.

Black-Box testing significantly increases the amount of time spent during the information gathering and enumeration phase to understand the attack surface of the target.

Grey-Box Testing

This testing process is the most popular for things such as penetration testing. It is a combination of both black-box and white-box testing processes. The tester will have some limited knowledge of the internal components of the application or piece of software. Still, they will interact with the application as if it were a black-box scenario, and then use their knowledge of the application to try and resolve issues as they find them.

With grey-box testing, the limited knowledge given saves time, and this approach is often chosen for extremely well-hardened attack surfaces.

White-Box Testing

This testing process is a low-level process usually done by a software developer who knows programming and application logic. The tester will be testing the internal components of the application or piece of software and, for example, ensuring that specific functions work correctly and within a reasonable amount of time.

The tester will have full knowledge of the application and its expected behaviour, and this approach is much more time-consuming than black-box testing. The full knowledge in a white-box testing scenario provides a testing approach that guarantees the entire attack surface can be validated.

Answer the questions below

You are asked to test an application but are not given access to its source code — what testing process is this?

Ans=Black Box

You are asked to test a website, and you are given access to the source code — what testing process is this?

Ans=White Box

Task 5 Practical: ACME Penetration Test

ACME has approached you for an assignment. They want you to carry out the stages of a penetration test on their infrastructure. View the site (by clicking the green button on this task) and follow the guided instructions to complete this exercise.

We want to follow some steps to get the flag.

Click Next and we move on to the information gathering step.

One person's LinkedIn profile is shown here, with their email disclosed.

After the enumeration step, I collected their IP and ran a scan.

Answer the questions below

Complete the penetration test engagement against ACME’s infrastructure.

Ans=THM{PENTEST_COMPLETE}
