Introduction

Before diving into the technical, hands-on aspects of ethical hacking, it’s important to first understand the responsibilities of a penetration tester and the processes involved in conducting penetration tests (pentests). These tests focus on identifying vulnerabilities in a client’s application or system.

Cybersecurity is increasingly relevant in every area of life, as we often hear about hacks or data breaches in the news. It affects everyone, from individuals needing strong password policies to protect their emails, to businesses and organizations that must safeguard their devices and data from potential threats.

A penetration test, or pentest, is an ethical method used to evaluate and analyze the security measures in place to protect such assets and information. This process involves using the same tools, techniques, and methods that a malicious actor might use, making it somewhat similar to a security audit.

As noted by Security Magazine, there are over 2,200 cyberattacks daily—equivalent to one attack every 39 seconds. This underscores the importance of cybersecurity and penetration testing in today’s digital world.

The Ethics of Penetration Testing

The legal and ethical landscape of cybersecurity, particularly in penetration testing, is often a complex and controversial area. Terms like “hacking” and “hacker” typically evoke negative perceptions, largely due to their portrayal in popular culture and the actions of a few malicious individuals. This makes the idea of legally accessing a computer system seem counterintuitive — so what exactly makes it legal?

A penetration test is, by definition, an authorized evaluation of a system’s security, approved by the system’s owners. The legality of such tests is straightforward: anything outside the agreed-upon scope is considered unauthorized and illegal.

Before any penetration test begins, the penetration tester and the system owner have a formal discussion to define the scope. This includes agreeing on the specific tools, techniques, and systems that will be tested. This agreement establishes the boundaries within which the test will be conducted and ensures legal compliance.

Companies offering penetration testing services must also operate within legal frameworks and industry standards. For instance, the UK’s National Cyber Security Centre (NCSC) has the CHECK accreditation program, which ensures that only accredited companies can legally conduct penetration tests on public sector and critical national infrastructure (CNI) systems.

While legality is clear-cut, ethics often presents a more nuanced challenge. Ethics involves the moral evaluation of right and wrong, and some actions, though legal, may conflict with a penetration tester’s personal values.

Penetration testers may encounter ethically ambiguous situations, such as accessing sensitive data within a database or executing a phishing attack on an employee to assess human vulnerabilities. While these actions are legal if part of the agreed scope, they may still feel ethically uncomfortable.

Hackers are often categorized into three “hats” based on their ethical stance and motivations:

  1. White hats – Ethical hackers who operate within legal and moral boundaries, typically performing authorized penetration tests.
  2. Black hats – Malicious hackers who engage in illegal activities for personal gain.
  3. Gray hats – Individuals who may engage in unauthorized activities but without malicious intent, often walking a fine line between ethical and unethical behavior.

Understanding the ethical and legal distinctions in cybersecurity is critical for penetration testers, as they must navigate both legality and personal ethics in their work.

Rules of Engagement (ROE)

The Rules of Engagement (ROE) is a critical document created at the start of a penetration testing engagement. It sets the guidelines and boundaries for how the penetration test will be conducted. This document typically contains three main sections, each responsible for outlining essential aspects of the test to ensure that both legal and ethical parameters are respected.

Here’s an explanation of the typical sections included in an ROE document:

  1. Scope:
    • What will be tested? This section outlines the specific systems, applications, or networks that are in scope for the penetration test. It defines what is fair game and what is off-limits. Defining the scope prevents any accidental testing of systems that are not authorized and ensures that the testing team focuses on relevant areas.
  2. Rules and Limitations:
    • How will testing be conducted? This section defines the methodologies, techniques, and tools that can be used during the engagement. It also includes any restrictions, such as testing only during certain hours to avoid business disruption or avoiding certain types of tests like Denial of Service (DoS) attacks. This ensures that the test is conducted in a safe and controlled manner.
  3. Reporting and Communication:
    • How will results be shared? This section details how findings will be reported and how communication between the penetration testing team and the client will occur throughout the engagement. It may specify timelines for interim reports, the format for the final report, and who will be notified in case a critical vulnerability is found during the test.

These sections collectively determine how the penetration test will be carried out, ensuring that all parties understand and agree on the boundaries, tools, and goals of the engagement.

For more in-depth examples of ROE documents, the SANS Institute provides a comprehensive template that can be accessed online. It’s an excellent resource for seeing how these elements are structured in practice.
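As an added illustration (not part of the original notes, the TryHackMe room, or the SANS template), the following Python encodes the three ROE sections as data and applies them as a deny-by-default check before any action is taken: the target must be inside the agreed scope and not explicitly excluded, the technique must not be prohibited, and the time must fall inside the testing window (including a window that wraps past midnight). The network ranges, hours, contact address and technique names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Machine-readable digest of the three ROE sections (constructed example)."""
    in_scope: list[str]          # Scope: networks/hosts that may be tested
    off_limits: list[str]        # Scope: explicit exclusions (take precedence)
    window_start: time           # Rules: permitted testing hours
    window_end: time
    banned_techniques: set[str]  # Rules: e.g. no DoS testing
    critical_contact: str        # Reporting: who to notify on a critical finding


def in_window(roe: RulesOfEngagement, when: datetime) -> bool:
    """True if 'when' falls in the testing window; handles overnight windows."""
    t = when.time()
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t <= roe.window_end
    return t >= roe.window_start or t <= roe.window_end   # wraps past midnight


def check_action(roe: RulesOfEngagement, target: str, technique: str,
                 when_iso: str) -> tuple[bool, str]:
    """Deny by default: allowed only if every ROE condition holds."""
    when = datetime.fromisoformat(when_iso)
    addr = ip_address(target)
    if any(addr in ip_network(n) for n in roe.off_limits):
        return False, f"{target} is explicitly off-limits"
    if not any(addr in ip_network(n) for n in roe.in_scope):
        return False, f"{target} is outside the agreed scope"
    if technique.lower() in roe.banned_techniques:
        return False, f"'{technique}' is prohibited by the ROE"
    if not in_window(roe, when):
        return False, f"{when:%H:%M} is outside the agreed testing window"
    return True, "allowed: in scope, permitted technique, inside testing window"


def escalation_recipient(roe: RulesOfEngagement, severity: str):
    """Reporting section: critical findings go straight to the named contact."""
    return roe.critical_contact if severity.lower() == "critical" else None


# Constructed sample ROE: overnight window, one production host excluded.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["10.10.0.0/16", "203.0.113.0/24"],
    off_limits=["10.10.5.20/32"],
    window_start=time(22, 0),
    window_end=time(6, 0),
    banned_techniques={"dos"},
    critical_contact="soc-lead@example.invalid",
)

if __name__ == "__main__":
    for tgt, tech in [("10.10.3.4", "port scan"), ("10.10.5.20", "port scan"), ("10.10.3.4", "DoS")]:
        print(tgt, tech, check_action(SAMPLE_ROE, tgt, tech, "2024-03-01T23:30:00"))
```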

Penetration Testing Methodologies

Penetration tests can target a broad range of systems, applications, and objectives, making each test unique. There is no universal approach that fits all scenarios. The specific steps a penetration tester follows during an engagement are referred to as the methodology, and an effective methodology is one that is tailored to the situation.

For example, the steps taken to assess the security of a web application would be vastly different from those used to test the security of a network. A well-designed methodology takes into account the specific target, its environment, and the particular vulnerabilities that might be present.

Here are some common types of penetration testing, each requiring a unique methodology:

  1. Web Application Penetration Testing:
    • Focuses on testing the security of a web-based application. The methodology might include techniques like identifying input validation issues, testing for SQL injection vulnerabilities, or assessing authentication mechanisms.
  2. Network Penetration Testing:
    • Involves analyzing the security of internal or external networks. The steps here could include port scanning, network mapping, vulnerability scanning, and attempting to exploit services or devices that are exposed on the network.
  3. Wireless Penetration Testing:
    • This focuses on the security of wireless networks, testing for weak encryption protocols, insecure configurations, or rogue access points.
  4. Social Engineering Penetration Testing:
    • Aims to test an organization’s human defenses by attempting phishing attacks, pretexting, or other tactics to manipulate individuals into revealing sensitive information.

In each case, the penetration tester must select tools and techniques that align with the specific context of the test. An adaptable, situation-specific methodology ensures that the engagement is both effective and relevant to the security goals of the organization.

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM) offers a comprehensive framework of testing strategies that cover various aspects of cybersecurity, including systems, software, applications, and even the human element. This methodology is designed to assess the security of how these components interact and communicate, ensuring a thorough evaluation of potential vulnerabilities.

Key areas of focus in the OSSTMM include:

  1. Telecommunications:
    • This section covers the security of communication systems such as phones, Voice over IP (VoIP), and other telecommunications technologies. The methodology assesses how data is transmitted, checking for vulnerabilities in communication protocols, insecure configurations, and potential eavesdropping risks.
  2. Wired Networks:
    • The methodology addresses the security of wired network infrastructures, including network devices, firewalls, routers, and switches. It focuses on identifying weaknesses in network configurations, traffic routing, data encryption, and unauthorized access points within a physical network setup.
  3. Wireless Communications:
    • This part of the methodology tests the security of wireless communication technologies, such as Wi-Fi, Bluetooth, and other wireless protocols. The methodology evaluates the strength of encryption, authentication mechanisms, and potential exposure to unauthorized access or attacks, such as rogue access points and wireless sniffing.

By using the OSSTMM framework, penetration testers can systematically test the communication pathways and interactions between systems, ensuring a holistic approach to security.

OWASP

The Open Web Application Security Project (OWASP) is a community-driven framework specifically designed for testing the security of web applications and services. This framework is widely recognized and frequently updated to reflect the evolving landscape of web security threats.

OWASP’s primary goal is to help organizations identify and mitigate common security vulnerabilities in web applications. A key resource produced by OWASP is the OWASP Top Ten, which is a regularly updated report that highlights the most critical security risks faced by web applications. This report not only lists these vulnerabilities but also provides:

  1. Descriptions of the Vulnerabilities:
    • A detailed explanation of each vulnerability, such as SQL injection, cross-site scripting (XSS), or broken access control, along with how they can manifest in a web application.
  2. Testing Approaches:
    • OWASP provides guidelines on how to detect and test for these vulnerabilities, using various tools and techniques. These approaches help penetration testers identify weaknesses within web applications.
  3. Remediation Recommendations:
    • For each vulnerability, OWASP outlines best practices and methods for fixing or mitigating the risks. These recommendations include improving coding practices, implementing proper authentication and authorization controls, and ensuring secure communication.

The OWASP framework is an essential tool for developers, security professionals, and penetration testers alike, as it focuses solely on securing web applications and services. The constantly evolving nature of OWASP’s reports and resources ensures that organizations can stay up to date with the latest threats and security practices in the world of web security.

NIST Cybersecurity Framework 1.1

The Cyber Assessment Framework (CAF) is a comprehensive tool designed to assess the risks posed by various cyber threats and evaluate an organization’s defenses against them. It is structured around fourteen key principles and is specifically aimed at organizations providing “vitally important services and activities,” such as critical infrastructure, banking, and other essential sectors.

The CAF helps organizations ensure their systems are robust against potential cyber threats by focusing on several critical areas:

  1. Data Security:
    • This principle evaluates how well an organization protects its data, particularly sensitive or critical information, from unauthorized access, loss, or corruption. It examines data handling processes, encryption practices, and the security measures in place to safeguard data throughout its lifecycle.
  2. System Security:
    • The framework assesses the security of an organization’s IT systems, including hardware, software, and network infrastructure. It looks at vulnerabilities within systems and ensures that they are protected against cyber attacks, unauthorized access, and other threats.
  3. Identity and Access Control:
    • This aspect focuses on how the organization manages user identities and access to systems. It assesses whether appropriate mechanisms are in place to ensure only authorized personnel can access critical systems and data. This includes evaluating password policies, multi-factor authentication, and access control systems.
  4. Resiliency:
    • Resiliency refers to the organization’s ability to continue operating effectively, even in the face of a cyber incident. This principle assesses the strength of business continuity plans, system redundancies, and the organization’s overall capacity to withstand and recover from disruptions.
  5. Monitoring:
    • Monitoring involves the ongoing tracking of network activity, systems, and data to detect suspicious behavior or security incidents in real-time. The CAF assesses how well an organization monitors its systems for potential threats and how it handles alerts and events that could signal a breach.
  6. Response and Recovery Planning:
    • This principle evaluates the organization’s preparedness for responding to a cyber incident. It focuses on how well-developed and tested its incident response and recovery plans are, including the ability to minimize damage, recover lost data, and restore normal operations swiftly after an attack.

The CAF is a vital tool for organizations that operate critical services, helping them to identify potential weaknesses in their cybersecurity posture and implement effective strategies to manage and mitigate risks.

Scopes of Penetration Testing

Black-Box Testing

In Black-Box Testing, the tester has no knowledge of the internal structure, workings, or code of the application or service being tested. The tester interacts with the application as an ordinary user would, focusing on functionality and the user interface, such as clicking buttons and verifying whether the application responds as expected. Since no programming or deep system knowledge is required, the tester evaluates the system purely from an external perspective.

This type of testing can significantly extend the time spent during the information gathering and enumeration phase, as the tester needs to discover the application’s attack surface without any prior insight into its inner workings.

Grey-Box Testing

Grey-Box Testing combines elements of both black-box and white-box testing, making it a popular approach for penetration testing. In this method, the tester is given partial knowledge of the internal structure of the application, but they still interact with the system in a manner similar to black-box testing. The tester uses this limited knowledge to better understand the system’s behavior and potential vulnerabilities, enabling more focused testing and problem resolution.

This approach saves time compared to black-box testing, as the partial knowledge allows for more efficient identification of vulnerabilities. Grey-box testing is particularly useful for systems with well-hardened attack surfaces, where the extra insight into the application helps pinpoint weaknesses more effectively.

White-Box Testing

White-Box Testing is a thorough and detailed testing process, typically carried out by someone with programming knowledge and a deep understanding of the application’s internal structure. The tester evaluates the software’s internal components, such as code, logic, and specific functions, to ensure everything operates correctly and efficiently.

Unlike black-box testing, the tester in a white-box scenario has complete knowledge of the system, making it a more time-consuming but comprehensive process. This method ensures the entire attack surface is thoroughly validated, providing a higher level of assurance that the system is secure and functioning as expected.

Room Answers | TryHackMe Pentesting Fundamentals

You are given permission to perform a security audit on an organisation; what type of hacker would you be?

White Hat

You attack an organisation and steal their data; what type of hacker would you be?

Black Hat

What document defines how a penetration testing engagement should be carried out?

Rules of Engagement

What stage of penetration testing involves using publicly available information?

Information Gathering

If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We’re looking for the acronym here and not the full name.

OSSTMM

What framework focuses on the testing of web applications?

OWASP

You are asked to test an application but are not given access to its source code – what testing process is this?

Black Box

You are asked to test a website, and you are given access to the source code – what testing process is this?

White Box

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.