Penetration testing

What is a penetration test

• Not what you think ;)
• An attempt to evaluate the security of a given IT infrastructure
• Manual and automated

Penetration test steps

• Information Gathering
  • Info supplied by the tested organization
• Reconnaissance
  • Nmap, DNSDumpster, Shodan, etc
• Discovery and Scanning
  • Manual, scanner
• Vulnerability Assessment
• Exploitation
• Final Analysis and Review
  • Report writing
• Utilization of results

Notes?

What is the importance of a pentest?

Legality

• Rules Of Engagement

• Testing Contract

• Safe Harbour

Reporting Structure

• Title
  • Product and version
  • Testing period
  • Date of report submission
  • Testing entity
• General Information
• Disclamer
• Overview
• Findings Information
  • Severity ( and/or CVSS score)
  • Information
  • Proof-of-Concept (PoC) and/or steps to reproduce
  • Recommendations
• Overall Recommendations and/or Conclusion

Responsible report distribution

Let's test