Ethical Hacking and Penetration Testing Guide
Yüklə 22,44 Mb. Pdf görüntüsü
|
|
Methodology
We have discussed a wide variety of methodologies and standards of penetration testing, such as OSSTMM, NIST, and OWASP. I would also like to include the methodology that was followed Introduction to Hacking ◾ 15 for conducting the penetration test; though its inclusion in the report is optional, it could add great value to your penetration report. In a scenario where you have been asked to follow a certain standard, talking about the methodology and its steps is a good idea. The following is a screenshot from one of our penetration testing reports where the NIST methodology was followed in order to conduct the penetration test. Notice that we include the flowchart on how the methodology works and explain each step precisely. Planning Discovery Attack Additional discovery Reporting Methodology Nist penetration test methodology The NIST is an international standard for penetration testing; the methodology has been divided into following phases: Planning – In this phase, we plan how the assessments would be carried out. Discovery – In this phase, the targets discovery, target enumeration, and vulnerability assessments are performed. Reporting–In the reporting phase the vulnerabilities that were discovered are documented. Attacking–In the attacking phase, the vulnerabilities that were found in the previous phase are attempted to be exploited. Once a system is exploited, an attempt to escalate privileges is made, the attacking phase contains two more steps, namely, system browsing and “Installing Additional Tools”. During this process if a new target is discovered we move back towards the discovery phase. RHAinfoSec utilized the NIST methodology in this engagement against the targets within the foonetworks. The methodology focuses on assessing the security posture of the target network in order to create an effective and better security posture. Yüklə 22,44 Mb. Dostları ilə paylaş:
|