Pen testing Methodology
.pdf
keyboard_arrow_up
School
Grand Canyon University *
*We aren’t endorsed by this school
Course
320
Subject
Information Systems
Date
Dec 6, 2023
Type
Pages
7
Uploaded by BailiffKnowledge19216
1
Pen Testing Methodology
Adrian Andrade
Grand Canyon University
ITT-340
Ingrid Gaviria
Due September 23, 2023
2
Phases of Compromise and Pen-testing methodology
Before this begins, it is important to note that the pen-testing methodology being used here will
be PTES (or Penetration Testing Execution Standard). This standard is a comprehensive
framework for conducting penetration tests, and it designed to provide a structured approach for
performing and reporting results. With that out of the way, there are several similarities between
an attackers typical line of compromising a system, and this pen-testing methodology line of
phases.
An attacker will typically follow these seven steps: Reconnaissance, weaponization, delivery,
exploitation, installation, command and control, and action.
The goal of the first goal, called reconnaissance is to gain information about the target and find
it’s vulnerabilities.
This goal is completed when the attacker gains sufficient information about
the system to exploit one or more vulnerabilities. The second phase (called Weaponization) is
about creating malware or malicious payload that takes advantage of the vulnerability (or
vulnerabilities). The goal is complete when the attacker successfully creates malware tailored to
exploiting the specific weakness. The next step
Is called ‘Delivery’. The goal of this step is to
gain access to the target’s machine or network. This
can be done by sending malware in the form
of an email, or by calling the target and coaxing him/her into giving access. The goal is
completed when the attacker successfully gains access to the target machine.
The step after this is ‘Exploitation’. The goal of this step is to actually ex
ploit the weaknesses
found in the reconnaissance stage, and using the malware created in step 2. The goal is
completed when the weaknesses have been exploited, and the attacker is able to gain further
access into the target machine.
3
After this step is installation. The goal here is to successfully install malware and gain further
control of the target machine. Malware can be installed by using trojan horses, access token
manipulation, command-line interfaces, and backdoors. Each of these can be helpful in
completing the goal. Goal is completed by installing further malware and gathering more control
of system.
After installation, the next step is command and control. The main goal here to gain more control
of the system. Control to the point where the attacker can track, monitor, and guide their cyber
weapons. The attacker can also try and obfuscate and commence denial of service. Obfuscate is
the process in which an attacker covers their tracks and makes it seem as if nothing had occurred.
Denial of service is an attack that disrupts the host machine or network in the hopes of slowing
things, and distracting users.
The last and final phase of the steps is Action. The goal of this step is to achieve the main reason
for committing this attack in the first place. Which could be for gaining access to classified
documents, attacking critical infrastructure, or for money purposes. This step can take the longest
because it depends on how well the attack was performed overall.
The steps for the methodology is: Pre-engagement interactions, intelligence gathering, threat
modeling, vulnerability analysis, exploitation, post exploitation, and reporting.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
- Access to all documents
- Unlimited textbook solutions
- 24/7 expert homework help