Study Guide

📖 Core Concepts

- Penetration Test – an authorized, simulated cyber-attack to discover exploitable weaknesses.
- Purpose – identify vulnerabilities, gauge exploitability, and guide remediation priority.
- Test Types – Network (external & internal), Wireless, Web Application, Social Engineering, Remediation Verification.
- Methodology Frameworks – OSSTMM, PTES, NIST SP 800-115, ISSAF, OWASP Testing Guide.
- Legal/Ethical – Must have written authorization; contracts define scope, rules of engagement, liability.
- Standard Phases – Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks → Reporting.
- Risk Classification – Combine Impact (confidentiality, integrity, availability, business) with Likelihood (ease of exploit, mitigations) into a risk matrix (High/Medium/Low).
- Regulatory Drivers – PCI-DSS 11.4 and NIST SP 800-53 CA-8 require periodic or change-driven testing.
- Emerging Models – PTaaS (cloud-delivered on-demand testing) and CTEM (continuous exposure management).

---

📌 Must Remember

- Pen-test = authorized attack; without consent it's illegal hacking.
- External tests start from the Internet; Internal tests assume the attacker is already on the LAN.
- OSSTMM focuses on operational security controls; PTES emphasizes scoping, intelligence, exploitation, reporting.
- NIST SP 800-115 = technical guide for information security testing.
- Risk Matrix = Impact × Likelihood → High/Medium/Low rating.
- PCI-DSS 11.4 → annual external & internal tests + after significant changes.
- NIST SP 800-53 CA-8 → regular pen testing as part of risk management.
- PTaaS = testing as a cloud service; still needs scope definition and reporting.
- CTEM = shift from periodic tests to continuous identification & validation of exposures.

---

🔄 Key Processes

- Reconnaissance – collect OSINT (whois, DNS, public docs).
- Scanning – run tools (e.g., Nmap) to map open ports, services, OS fingerprints.
- Gaining Access – exploit discovered flaws (Metasploit modules, custom payloads).
- Maintaining Access – create persistence (scheduled tasks, web shells).
- Covering Tracks – clear logs, hide artifacts.
- Reporting –
  - Executive summary (business impact).
  - Technical details (vulnerability description, proof-of-concept, CVSS).
  - Remediation recommendations.
  - Risk matrix classification.
- Anderson's Six-Step Attack Sequence: 1. Find vulnerability → 2. Design attack → 3. Test attack → 4. Seize a line in use → 5. Enter the attack → 6. Exploit for info recovery.

---

🔍 Key Comparisons

External vs Internal Network Testing
- External: from the Internet, focuses on perimeter defenses.
- Internal: assumes the attacker is inside the LAN, targets trust relationships.

Wireless vs Web Application Testing
- Wireless: radio-frequency protocols (Wi-Fi, Bluetooth), looks for weak encryption, rogue APs.
- Web App: OWASP Top 10, injection, auth flaws, session management.

PTaaS vs Traditional Consulting
- PTaaS: on-demand, cloud platform, scalable, often subscription-based.
- Consulting: bespoke scope, on-site engagement, higher upfront cost.

Recon vs Scanning
- Recon: passive info gathering, no interaction with the target.
- Scanning: active probing, identifies open services/ports.

Risk Matrix vs Simple "High/Low" Rating
- Matrix: two-dimensional (Impact × Likelihood), gives more nuance.
- Simple rating: may ignore likelihood, leading to mis-prioritization.

---

⚠️ Common Misunderstandings

- Scanning = Exploitation – Scanning only discovers; exploitation is a separate phase.
- All Pen-tests are illegal – Illegal only when performed without explicit authorization.
- High impact = high likelihood – Impact and likelihood are independent; a critical flaw may be hard to exploit.
- PTaaS eliminates reporting – Even PTaaS must deliver a formal report with risk classification.
- One tool covers everything – Nmap discovers ports; Nessus scans vulnerabilities; Metasploit exploits; each has a specific role.

---

🧠 Mental Models / Intuition

- Red Team Drill – Treat the test like a rehearsal for a real attack; follow the attacker's mindset step by step.
- 2-D Risk Plane – Visualize risk as a grid: top-right = highest priority (high impact, high likelihood).
- "Footprint → Surface → Exploit" – First map the footprint (recon), then enumerate the surface (scanning), finally exploit weaknesses.

---

🚩 Exceptions & Edge Cases

- Regulatory Variance – Some sectors (e.g., healthcare) may require HIPAA-specific testing beyond PCI/NIST.
- Social Engineering Scope – Must be explicitly included in the contract; otherwise it's a breach of ethics.
- Tool Limitations – Encrypted traffic may hide services from Nmap; need packet capture (Wireshark) or credentialed scanning.
- Continuous Threat Exposure Management – May require integration with SIEM/EDR for real-time validation, not just periodic scans.

---

📍 When to Use Which

- Network Test – Use Nmap + Nessus when assessing infrastructure connectivity.
- Web App Test – Deploy OWASP ZAP/Burp Suite for crawling and testing the OWASP Top 10.
- Wireless Test – Apply the Aircrack-ng suite when evaluating Wi-Fi encryption and rogue APs.
- Social Engineering – Choose phishing simulations only when client consent includes human-factor testing.
- Remediation Verification – Re-run the same scanner or exploit module after fixes to confirm closure.

---

👀 Patterns to Recognize

- Open ports 22 (SSH), 23 (Telnet), 80/443 (HTTP/HTTPS), 3389 (RDP) often indicate high-value entry points.
- Default or weak credentials on services → immediate "low-hanging fruit".
- Unpatched SMB (e.g., EternalBlue) → classic ransomware entry vector.
- Repeated use of SQL injection patterns in web forms → OWASP-A1.
- Presence of out-of-date libraries (e.g., jQuery 1.x) → known client-side vulnerabilities.

---

🗂️ Exam Traps

- "Pen-testing is always illegal" – Wrong; legality hinges on written authorization.
- "All findings are high risk" – Incorrect; risk must consider both impact and likelihood.
- "PTaaS provides fully automated remediation" – PTaaS supplies testing; remediation still requires human effort.
- "NIST SP 800-115 is a compliance law" – It is a technical guide, not a legal requirement.
- "If a vulnerability is in a database, it is automatically exploitable" – Exploitability depends on configuration, patch level, and mitigation controls.

---