SlideShare une entreprise Scribd logo

Penetration testing reporting and methodology

Télécharger en tant que PPTX, PDF
Rashad Aliyev
Rashad Aliyev

This paper covering information about Penetration testing methodology, standards reporting formats and comparing reports. Explained problem of Cyber Security experts when they making penetration tests. How they doing current presentations. We will focus our work in penetration testing methodology reporting form and detailed information how to compare result and related work information.

Internet
1  sur  18
Penetration testing reporting and methodology Rashad Aliyev PhD. Lourdes Peñalver Cordoba, Spain 25.09.2015 Keywords: PenTest, Penetration Testing, Network testing, bug bounty, InfoSec, Cyber Secyrity
What is Penetration testing 2Penetration testing reporting and methodology * CEH Materials
Why Penetration testing? 3Penetration testing reporting and methodology Security Audit Vulnerability Assessment Penetration Testing A security audit just checks whether the organization is following a set of standard security policies and procedures A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in system can be successfully exploited by attackers
Audit vs Penetration testing? 4Penetration testing reporting and methodology Audit Penetration testing Check set of standards Find vulnerabilities - Foot printing - Exploiting Create report by standards Generate report
Types 5Penetration testing reporting and methodology • Internal, External(1) • Blackbox, Whitebox(2), Greybox(3) • Announced, Unannounced(1) • Passive, Active scans • Automated, Manual(1) 1. CEH course modules 2. A Penetration Testing Model. Federal Office for Information Security (BSI), Bonn. P14 3. Using w3af to achieve automated penetration testing by live DVD/live USB. P1-2
Methodologies 6Penetration testing reporting and methodology • Planning, Discovery, Exploiting, Reporting* • Preparation, Anonymity, Foot Printing, Analysis, Exploiting, Reporting, Advisory** • Preparation, Reconnaissance, Analysis of Information / Risks, Active Intrusion Attempts, Final Analysis / Clean-Up*** • Planning, Discovery, Attack, Reporting**** * A. Bechtsoudis, N. S. Aiming at Higher Network Security Through Extensive Penetration Tests IEEE Latin America Transactions, 2012, 10, 1752 - 1756 ** Parvin Ami, A. H. Seven Phrase Penetration Testing Model International Journal of Computer Applications, 2012, 59, 16-20 ***Study A Penetration Testing Model Federal Office for Information Security (BSI), 2003 **** Scarfone, K. A.; Souppaya, M. P.; Cody, A. & Orebaugh, A. D. SP 800-115. Technical Guide to Information Security Testing and Assessment National Institute of Standards and Technology, National Institute of Standards & Technology, 2008
Used Methodology 7Penetration testing reporting and methodology Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.* --- * SANS Institute, Penetration Testing: Assessing Your Overall Security Before Attackers Do
The Problem 8Penetration testing reporting and methodology × Format × Compare × Systematize There are not a standard format for penetration testing There are not a system for comparing if you have 2 different reports. There are not a method to help us to do reports and generating one
Report format - Styles American Psychological Association (APA) Style[1] Page design, Document Control, List of Report Content, Executive Summary, Methodology, Detail findings, References, Appendices, Glossary [2] A Cover Sheet, The Executive Summary, Summary of Vulnerabilities, Test Team Details, List of the Tools Used, A copy of the original scope of work, The main body of the report, Final delivery [3] [1] Thomas Wilhelm. Professional Penetration Testing. Syngress, 2009. [2] Mansour A Alharbi. Writing a penetration testing report. SANS Institute, April 2010. [3] Mike Sheward. The art of writing penetration test reports. January 2012. Penetration testing reporting and methodology
Report format – Our Idea – For top management • Title page • Executive Summary – For technical workers • Title page • Executive Summary • Test Team Details • Summary of Vulnerabilities • References, • Glossary Penetration testing reporting and methodology
Idea 11Penetration testing reporting and methodology Reporting - Generate Report - Compare Reports Exploiting - Send attack result Foot printing - Upload scan result - Send bug - View results Planning - Penetration tests 01 02 03 04
Site for Penetration testing 12 Planning Foot printing Exploiting www.penteston.com Penetration testing reporting and methodology - - - Reporting-
01. Planning 13Penetration testing reporting and methodology Test name Scope of Work Contract or NDA Conduct (Whitebox, Greybox, Blackbox) Type (Internal, External, Application-layer, Network-layer) Team detail 01 02 03 04 05 06
02. Foot Printing 14Penetration testing reporting and methodology - Multiple alerTs - From one of scanners - Upload file Foot Printing - Manual send alert - Detailed information about alert Scan resport Alert
03. Exploiting 15Penetration testing reporting and methodology Alert Level - Low, Medium or High level of alert Detailed information about alert 01 02
04. Reporting & Compare Detailed report for developers Short key information's for managers Report for managers Archive Staff For compare reports Compare Style Penetration testing reporting and methodology 16
Future Work 17 Open beta testing Start analyzing for new features Get new features In process In process In process In process Penetration testing reporting and methodology Finish small works on project
Rashad Aliyev Universitat Politècnica de València rashad@aliev.info @alievinfo Thank you www.penteston.com

Recommandé

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 

Recommandé

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainSuvrat Jain
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Pen Testing Explained
Pen Testing ExplainedPen Testing Explained
Pen Testing ExplainedRand W. Hirt
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxDARSHANBHAVSAR14
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat IntelligenceDeepak Kumar (D3)
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 
pentration testing.pdf
pentration testing.pdfpentration testing.pdf
pentration testing.pdfRamya Nellutla
 
Itis pentest slides hyd
Itis pentest slides hydItis pentest slides hyd
Itis pentest slides hydRama krishna
 

Contenu connexe

Tendances

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing Netpluz Asia Pte Ltd
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingAmine SAIGHI
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Mohammed Adam
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to CybersecurityKrutarth Vasavada
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanningamiable_indian
 

Tendances (20)

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill Chain
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 

Similaire à Penetration testing reporting and methodology

pentration testing.pdf
pentration testing.pdfpentration testing.pdf
pentration testing.pdfRamya Nellutla
 
Itis pentest slides hyd
Itis pentest slides hydItis pentest slides hyd
Itis pentest slides hydRama krishna
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Jorge Orchilles
 
AUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWAUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWcscpconf
 
The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.Expeed Software
 
Web Investigation Through Penetration Tests.pptx
Web Investigation Through Penetration Tests.pptxWeb Investigation Through Penetration Tests.pptx
Web Investigation Through Penetration Tests.pptxEntertainmentMedley
 
CohenNancyPresentation.ppt
CohenNancyPresentation.pptCohenNancyPresentation.ppt
CohenNancyPresentation.pptmypc72
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationObika Gellineau
 
A Brief Introduction to Penetration Testing
A Brief Introduction to Penetration TestingA Brief Introduction to Penetration Testing
A Brief Introduction to Penetration TestingEC-Council
 
Phases of Penetration Tetsing - EC-Council.org
Phases of Penetration Tetsing - EC-Council.orgPhases of Penetration Tetsing - EC-Council.org
Phases of Penetration Tetsing - EC-Council.orgSmithaKashyap1
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET Journal
 
PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...
PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...
PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...IJNSA Journal
 
Demystifying Penetration Testing: A Comprehensive Guide for Security Enhancement
Demystifying Penetration Testing: A Comprehensive Guide for Security EnhancementDemystifying Penetration Testing: A Comprehensive Guide for Security Enhancement
Demystifying Penetration Testing: A Comprehensive Guide for Security Enhancementcyberprosocial
 
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun RathodOpen Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun RathodFalgun Rathod
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for securitySuman Sourav
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRhys A. Mossom
 

Similaire à Penetration testing reporting and methodology (20)

pentration testing.pdf
pentration testing.pdfpentration testing.pdf
pentration testing.pdf
 
Itis pentest slides hyd
Itis pentest slides hydItis pentest slides hyd
Itis pentest slides hyd
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?
 
AUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEWAUTOMATED PENETRATION TESTING: AN OVERVIEW
AUTOMATED PENETRATION TESTING: AN OVERVIEW
 
The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.
 
Web Investigation Through Penetration Tests.pptx
Web Investigation Through Penetration Tests.pptxWeb Investigation Through Penetration Tests.pptx
Web Investigation Through Penetration Tests.pptx
 
CohenNancyPresentation.ppt
CohenNancyPresentation.pptCohenNancyPresentation.ppt
CohenNancyPresentation.ppt
 
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentationIntroduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
Introduction to Penetration testing - GDG DevFest Caribbean 2021 presentation
 
A Brief Introduction to Penetration Testing
A Brief Introduction to Penetration TestingA Brief Introduction to Penetration Testing
A Brief Introduction to Penetration Testing
 
Phases of Penetration Tetsing - EC-Council.org
Phases of Penetration Tetsing - EC-Council.orgPhases of Penetration Tetsing - EC-Council.org
Phases of Penetration Tetsing - EC-Council.org
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Experience Sharing on School Pentest Project
Experience Sharing on School Pentest ProjectExperience Sharing on School Pentest Project
Experience Sharing on School Pentest Project
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
 
PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...
PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...
PRACTICAL APPROACH FOR SECURING WINDOWS ENVIRONMENT: ATTACK VECTORS AND COUNT...
 
Demystifying Penetration Testing: A Comprehensive Guide for Security Enhancement
Demystifying Penetration Testing: A Comprehensive Guide for Security EnhancementDemystifying Penetration Testing: A Comprehensive Guide for Security Enhancement
Demystifying Penetration Testing: A Comprehensive Guide for Security Enhancement
 
Experience Sharing on School Pentest Project (Updated)
Experience Sharing on School Pentest Project (Updated)Experience Sharing on School Pentest Project (Updated)
Experience Sharing on School Pentest Project (Updated)
 
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun RathodOpen Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
Open Source Security Testing Methodology Manual - OSSTMM by Falgun Rathod
 
Backtrack manual Part1
Backtrack manual Part1Backtrack manual Part1
Backtrack manual Part1
 
Unit testing : what are you missing for security
Unit testing : what are you missing for securityUnit testing : what are you missing for security
Unit testing : what are you missing for security
 
RAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolioRAMNSS_2016_service_porfolio
RAMNSS_2016_service_porfolio
 

Plus de Rashad Aliyev

Media və PR fəaliyyət istiqamətləri
Media və PR fəaliyyət istiqamətləriMedia və PR fəaliyyət istiqamətləri
Media və PR fəaliyyət istiqamətləriRashad Aliyev
 
Təqdmat bacarıqları
Təqdmat bacarıqlarıTəqdmat bacarıqları
Təqdmat bacarıqlarıRashad Aliyev
 
Su Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür Beşer
Su Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür BeşerSu Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür Beşer
Su Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür BeşerRashad Aliyev
 
Introduction to Information security
Introduction to Information securityIntroduction to Information security
Introduction to Information securityRashad Aliyev
 
Analyzing Vulnerability Databases
Analyzing Vulnerability DatabasesAnalyzing Vulnerability Databases
Analyzing Vulnerability DatabasesRashad Aliyev
 
Capture The Flag - Azerbaijan
Capture The Flag - AzerbaijanCapture The Flag - Azerbaijan
Capture The Flag - AzerbaijanRashad Aliyev
 
İnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyiİnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyiRashad Aliyev
 
İnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyiİnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyiRashad Aliyev
 
Rashad Aliyev - İnternetdə qazanc
Rashad Aliyev - İnternetdə qazancRashad Aliyev - İnternetdə qazanc
Rashad Aliyev - İnternetdə qazancRashad Aliyev
 
Rashad Aliyev - Hackathons
Rashad Aliyev - HackathonsRashad Aliyev - Hackathons
Rashad Aliyev - HackathonsRashad Aliyev
 
Tofiq Mammadov - ecaHack
Tofiq Mammadov - ecaHackTofiq Mammadov - ecaHack
Tofiq Mammadov - ecaHackRashad Aliyev
 

Plus de Rashad Aliyev (15)

Media və PR fəaliyyət istiqamətləri
Media və PR fəaliyyət istiqamətləriMedia və PR fəaliyyət istiqamətləri
Media və PR fəaliyyət istiqamətləri
 
Təqdmat bacarıqları
Təqdmat bacarıqlarıTəqdmat bacarıqları
Təqdmat bacarıqları
 
Git sistemi
Git sistemiGit sistemi
Git sistemi
 
Su Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür Beşer
Su Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür BeşerSu Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür Beşer
Su Kaynakları Mühendisliğinde Sayısal Zorluklar - Dr. Özgür Beşer
 
Rəqəmsal Zəka
Rəqəmsal ZəkaRəqəmsal Zəka
Rəqəmsal Zəka
 
Introduction to Information security
Introduction to Information securityIntroduction to Information security
Introduction to Information security
 
Analyzing Vulnerability Databases
Analyzing Vulnerability DatabasesAnalyzing Vulnerability Databases
Analyzing Vulnerability Databases
 
Capture The Flag - Azerbaijan
Capture The Flag - AzerbaijanCapture The Flag - Azerbaijan
Capture The Flag - Azerbaijan
 
İnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyiİnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyi
 
İnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyiİnformasiya təhlükəsizliyi
İnformasiya təhlükəsizliyi
 
Penteston
PentestonPenteston
Penteston
 
Rashad Aliyev - İnternetdə qazanc
Rashad Aliyev - İnternetdə qazancRashad Aliyev - İnternetdə qazanc
Rashad Aliyev - İnternetdə qazanc
 
Teqdimat
TeqdimatTeqdimat
Teqdimat
 
Rashad Aliyev - Hackathons
Rashad Aliyev - HackathonsRashad Aliyev - Hackathons
Rashad Aliyev - Hackathons
 
Tofiq Mammadov - ecaHack
Tofiq Mammadov - ecaHackTofiq Mammadov - ecaHack
Tofiq Mammadov - ecaHack
 

Dernier

Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdfMatthew Sinclair
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"growthgrids
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 

Dernier (20)

Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 

Penetration testing reporting and methodology

  • 1. Penetration testing reporting and methodology Rashad Aliyev PhD. Lourdes Peñalver Cordoba, Spain 25.09.2015 Keywords: PenTest, Penetration Testing, Network testing, bug bounty, InfoSec, Cyber Secyrity
  • 2. What is Penetration testing 2Penetration testing reporting and methodology * CEH Materials
  • 3. Why Penetration testing? 3Penetration testing reporting and methodology Security Audit Vulnerability Assessment Penetration Testing A security audit just checks whether the organization is following a set of standard security policies and procedures A vulnerability assessment focuses on discovering the vulnerabilities in the information system but provides no indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in system can be successfully exploited by attackers
  • 4. Audit vs Penetration testing? 4Penetration testing reporting and methodology Audit Penetration testing Check set of standards Find vulnerabilities - Foot printing - Exploiting Create report by standards Generate report
  • 5. Types 5Penetration testing reporting and methodology • Internal, External(1) • Blackbox, Whitebox(2), Greybox(3) • Announced, Unannounced(1) • Passive, Active scans • Automated, Manual(1) 1. CEH course modules 2. A Penetration Testing Model. Federal Office for Information Security (BSI), Bonn. P14 3. Using w3af to achieve automated penetration testing by live DVD/live USB. P1-2
  • 6. Methodologies 6Penetration testing reporting and methodology • Planning, Discovery, Exploiting, Reporting* • Preparation, Anonymity, Foot Printing, Analysis, Exploiting, Reporting, Advisory** • Preparation, Reconnaissance, Analysis of Information / Risks, Active Intrusion Attempts, Final Analysis / Clean-Up*** • Planning, Discovery, Attack, Reporting**** * A. Bechtsoudis, N. S. Aiming at Higher Network Security Through Extensive Penetration Tests IEEE Latin America Transactions, 2012, 10, 1752 - 1756 ** Parvin Ami, A. H. Seven Phrase Penetration Testing Model International Journal of Computer Applications, 2012, 59, 16-20 ***Study A Penetration Testing Model Federal Office for Information Security (BSI), 2003 **** Scarfone, K. A.; Souppaya, M. P.; Cody, A. & Orebaugh, A. D. SP 800-115. Technical Guide to Information Security Testing and Assessment National Institute of Standards and Technology, National Institute of Standards & Technology, 2008
  • 7. Used Methodology 7Penetration testing reporting and methodology Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access.* --- * SANS Institute, Penetration Testing: Assessing Your Overall Security Before Attackers Do
  • 8. The Problem 8Penetration testing reporting and methodology × Format × Compare × Systematize There are not a standard format for penetration testing There are not a system for comparing if you have 2 different reports. There are not a method to help us to do reports and generating one
  • 9. Report format - Styles American Psychological Association (APA) Style[1] Page design, Document Control, List of Report Content, Executive Summary, Methodology, Detail findings, References, Appendices, Glossary [2] A Cover Sheet, The Executive Summary, Summary of Vulnerabilities, Test Team Details, List of the Tools Used, A copy of the original scope of work, The main body of the report, Final delivery [3] [1] Thomas Wilhelm. Professional Penetration Testing. Syngress, 2009. [2] Mansour A Alharbi. Writing a penetration testing report. SANS Institute, April 2010. [3] Mike Sheward. The art of writing penetration test reports. January 2012. Penetration testing reporting and methodology
  • 10. Report format – Our Idea – For top management • Title page • Executive Summary – For technical workers • Title page • Executive Summary • Test Team Details • Summary of Vulnerabilities • References, • Glossary Penetration testing reporting and methodology
  • 11. Idea 11Penetration testing reporting and methodology Reporting - Generate Report - Compare Reports Exploiting - Send attack result Foot printing - Upload scan result - Send bug - View results Planning - Penetration tests 01 02 03 04
  • 12. Site for Penetration testing 12 Planning Foot printing Exploiting www.penteston.com Penetration testing reporting and methodology - - - Reporting-
  • 13. 01. Planning 13Penetration testing reporting and methodology Test name Scope of Work Contract or NDA Conduct (Whitebox, Greybox, Blackbox) Type (Internal, External, Application-layer, Network-layer) Team detail 01 02 03 04 05 06
  • 14. 02. Foot Printing 14Penetration testing reporting and methodology - Multiple alerTs - From one of scanners - Upload file Foot Printing - Manual send alert - Detailed information about alert Scan resport Alert
  • 15. 03. Exploiting 15Penetration testing reporting and methodology Alert Level - Low, Medium or High level of alert Detailed information about alert 01 02
  • 16. 04. Reporting & Compare Detailed report for developers Short key information's for managers Report for managers Archive Staff For compare reports Compare Style Penetration testing reporting and methodology 16
  • 17. Future Work 17 Open beta testing Start analyzing for new features Get new features In process In process In process In process Penetration testing reporting and methodology Finish small works on project
  • 18. Rashad Aliyev Universitat Politècnica de València rashad@aliev.info @alievinfo Thank you www.penteston.com