![[Pasted image 20250903144353.png]]

In this stage, we want to test how far we can move manually through the entire network and what vulnerabilities we can find from the internal perspective that might be exploited. In doing so, we again run through several phases:

- Pivoting
- Evasive Testing
- Information Gathering
- Vulnerability Assessment
- (Privilege) Exploitation
- Post-Exploitation
Testing Methods: External or Internal

External Penetration Test -> Pentests are often done externally to test defenses against internet-based attacks. Testing can be done from our own host (via VPN) or from a VPS. Some clients don't care about stealth, while others want quiet approaches that evade firewalls, IDS/IPS, or alarms. A hybrid method may also be used, starting stealthy and getting noisier to test detection. The ultimate goal is to compromise external hosts, extract sensitive data, or pivot into the internal network. ...
A penetration testing process is defined by successive steps and events performed by the penetration tester to find a path to the predefined objective.

![[Pasted image 20250903130730.png]]

Pre-Engagement

Pre-engagement is the stage of educating the client and adjusting the contract. All necessary tests and their components are strictly defined and contractually recorded. In a face-to-face meeting or conference call, many arrangements are made, such as: ...
Proof of Concept (PoC) or Proof of Principle is a project management term. In project management, it serves as proof that a project is feasible in principle. The criteria for this can lie in technical or business factors. Therefore, it is the basis for further work, in our case, the necessary steps to secure the corporate network by confirming the discovered vulnerabilities. In other words, it serves as a decision-making basis for the further course of action. At the same time, it enables risks to be identified and minimized. ...
![[Pasted image 20250903144505.png]]

Cleanup

Once testing is complete, we should perform any necessary cleanup, such as deleting tools/scripts uploaded to target systems, reverting any (minor) configuration changes we may have made, etc. We should have detailed notes of all of our activities, making any cleanup activities easy and efficient. If we cannot access a system where an artifact needs to be deleted, or another change reverted, we should alert the client and list these issues in the report appendices.

Even if we can remove any uploaded files and revert changes (such as adding a local admin account), we should document these changes in our report appendices in case the client receives alerts that they need to follow up on and confirm that the activity in question was part of our sanctioned testing. ...
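As an added example (not from the original notes or the course material), a minimal cleanup ledger in Python that records every artifact left on a target, tracks what was reverted, and flags the items the client must be alerted about for the report appendix; the hostnames, file paths and account name are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Artifact:
    host: str            # system where the change was made
    kind: str            # "uploaded file", "config change", "local account", ...
    detail: str          # what exactly was left behind
    reverted: bool = False
    note: str = ""       # why it could not be reverted, if applicable

class CleanupLedger:
    """Tracks every artifact left on a target so the report appendix is complete."""
    def __init__(self):
        self.items = []
    def record(self, host, kind, detail):
        self.items.append(Artifact(host, kind, detail))
    def mark_reverted(self, host, detail):
        for a in self.items:
            if a.host == host and a.detail == detail:
                a.reverted = True
                return True
        return False  # nothing matched: the ledger and the notes disagree
    def mark_unreachable(self, host, reason):
        """Host cannot be reached again: its open items must go to the client."""
        open_items = [a for a in self.items if a.host == host and not a.reverted]
        for a in open_items:
            a.note = reason
        return len(open_items)

    def outstanding(self):
        return [a for a in self.items if not a.reverted]

    def appendix(self):
        """Every change, reverted or not, so the client can match it to alerts."""
        out = []
        for a in self.items:
            status = "reverted" if a.reverted else f"NOT reverted ({a.note or 'pending'})"
            out.append(f"{a.host}: {a.kind} - {a.detail} [{status}]")
        return out

def demo():
    # Constructed sample engagement; hostnames, paths and account name are placeholders
    ledger = CleanupLedger()
    ledger.record("srv01.example.test", "uploaded file", "C:\\Temp\\enum_tool.exe")
    ledger.record("srv01.example.test", "local account", "added local admin 'pt_svc'")
    ledger.record("db02.example.test", "uploaded file", "/tmp/enum.sh")
    ledger.mark_reverted("srv01.example.test", "C:\\Temp\\enum_tool.exe")
    ledger.mark_reverted("srv01.example.test", "added local admin 'pt_svc'")
    ledger.mark_unreachable("db02.example.test", "host offline at end of test")
    return ledger
```

The appendix lists every change so the client can reconcile their alerts, while `outstanding()` gives the shorter list that needs an explicit heads-up.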
Let’s assume we successfully exploited the target system during the Exploitation stage. As with the Exploitation stage, we must again consider whether or not to utilize Evasive Testing in the Post-Exploitation stage. We are already on the system in the post-exploitation phase, making it much more difficult to avoid an alert. The Post-Exploitation stage aims to obtain sensitive and security-relevant information from a local perspective and business-relevant information that, in most cases, requires higher privileges than a standard user. This stage includes the following components: ...
![[Pasted image 20250903131925.png]]

The entire pre-engagement process consists of three essential components:

- Scoping questionnaire
- Pre-engagement meeting
- Kick-off meeting

Before any of these can be discussed in detail, a Non-Disclosure Agreement (NDA) must be signed by all parties. There are several types of NDAs:

| Type | Description |
| --- | --- |
| Unilateral NDA | This type of NDA obligates only one party to maintain confidentiality and allows the other party to share the information received with third parties. |
| Bilateral NDA | In this type, both parties are obligated to keep the resulting and acquired information confidential. This is the most common type of NDA that protects the work of penetration testers. |
| Multilateral NDA | A multilateral NDA is a commitment to confidentiality by more than two parties. If we conduct a penetration test for a cooperative network, all parties responsible and involved must sign this document. |

| Document | Timing for Creation |
| --- | --- |
| 1. Non-Disclosure Agreement (NDA) | After Initial Contact |
| 2. Scoping Questionnaire | Before the Pre-Engagement Meeting |
| 3. Scoping Document | During the Pre-Engagement Meeting |
| 4. Penetration Testing Proposal (Contract/Scope of Work (SoW)) | During the Pre-Engagement Meeting |
| 5. Rules of Engagement (RoE) | Before the Kick-Off Meeting |
| 6. Contractors Agreement (Physical Assessments) | Before the Kick-Off Meeting |
| 7. Reports | During and after the conducted Penetration Test |
![[Pasted image 20250903102153.png]]

Pre-Engagement -> The stage where the main commitments, tasks, scope, limitations, and related agreements are documented in writing.

![[Pasted image 20250903103419.png]]

Information Gathering -> Information Gathering is an essential part of any assessment, because the knowledge gained from it, the conclusions we draw, and the steps we take are all based on the information available. This information must be obtained from somewhere, so it is critical to know how to retrieve it and how best to leverage it based on our assessment goals. ...
![[Pasted image 20250903141955.png]]

An analysis is a detailed examination of an event or process, describing its origin and impact, that, with the help of certain precautions and actions, can be triggered to support or prevent future occurrences.

| Analysis Type | Description |
| --- | --- |
| Descriptive | Descriptive analysis is essential in any data analysis. On the one hand, it describes a data set based on individual characteristics. On the other, it helps to detect possible errors in data collection or outliers in the data set. |
| Diagnostic | Diagnostic analysis clarifies the causes, effects, and interactions of conditions. Doing so provides insights that are obtained through correlations and interpretation. We must take a backward-looking view, similar to descriptive analysis, with the subtle difference that we try to find reasons for events and developments. |
| Predictive | By evaluating historical and current data, predictive analysis creates a predictive model for future probabilities. Based on the results of descriptive and diagnostic analyses, this method of data analysis makes it possible to identify trends, detect deviations from expected values at an early stage, and predict future occurrences as accurately as possible. |
| Prescriptive | Prescriptive analytics aims to narrow down what actions to take to eliminate or prevent a future problem or to trigger a specific activity or process. |

However, it is essential to ask precise questions and to remember what we know and what we do not know. At this point, we must first ask ourselves what we see and what we actually have, because what we see is not the same as what we have: ...
- Advice from Cry0l1t3: The difficulty is the dimension of your success that you must decide to step into.
- Advice from mrb3n: Every day is a school day. Try to learn at least one new thing every single day.
- Advice from Dimitris: Closely monitor the ever-evolving threat landscape and try to understand/emulate the techniques, tactics, and procedures of adversaries in the wild. This way you can provide your future clients/employers with realistic engagements. ...