Introduction to Hacking
for conducting the penetration test; though its inclusion in the report is optional, it could add
great value to your penetration report. In a scenario where you have been asked to follow a certain
standard, talking about the methodology and its steps is a good idea.
The following is a screenshot from one of our penetration testing reports where the NIST
methodology was followed in order to conduct the penetration test. Notice that we include the
flowchart on how the methodology works and explain each step precisely.
[Figure: flowchart of the NIST methodology, with the steps Planning, Discovery, Attack, Additional discovery, and Reporting]
Methodology
NIST penetration test methodology
The NIST is an international standard for penetration testing; the methodology has been
divided into the following phases:
Planning – In this phase, we plan how the assessments would be carried out.
Discovery – In this phase, target discovery, target enumeration, and vulnerability
assessments are performed.
Reporting – In the reporting phase, the vulnerabilities that were discovered are documented.
Attacking – In the attacking phase, we attempt to exploit the vulnerabilities that were found
in the previous phase. Once a system is exploited, an attempt to escalate privileges
is made. The attacking phase contains two more steps, namely, “System Browsing” and “Installing
Additional Tools”. During this process, if a new target is discovered, we move back towards the
discovery phase.
RHAinfoSec utilized the NIST methodology in this engagement against the targets within
the foonetworks. The methodology focuses on assessing the security posture of the target
network in order to create an effective and better security posture.