HTB CPTS: Stages of the Penetration Testing Process #1

After the pre-engagement phase is completed, information gathering begins.
This is the phase where we gather all available information about the target company.
It is also the phase we return to multiple times throughout the engagement.
OSINT
Open-source intelligence (OSINT) is a great way to gather a lot of information about the target without touching its systems.
Pillaging, which we do after gaining a foothold (see Post Exploitation below), is another very important source of information.
Vulnerability Assessment
During this phase we examine and analyze the information gathered during the information-gathering phase.
There are four types of analysis:
| Type | Description |
| --- | --- |
| Descriptive | Descriptive analysis is essential in any data analysis. It describes a data set based on individual characteristics and helps to detect possible errors in data collection or outliers in the data set. |
| Diagnostic | Diagnostic analysis clarifies the causes, effects, and interactions of conditions, providing insights obtained through correlation and interpretation. Like descriptive analysis, it is backward-looking, with the subtle difference that we try to find the reasons for events and developments. |
| Predictive | By evaluating historical and current data, predictive analysis builds a model of future probabilities. Based on the results of the descriptive and diagnostic analyses, it makes it possible to identify trends, detect deviations from expected values at an early stage, and predict future occurrences as accurately as possible. |
| Prescriptive | Prescriptive analysis aims to narrow down which actions to take to eliminate or prevent a future problem, or to trigger a specific activity or process. |
If we have to test covertly and avoid alerts, we should mirror the target system locally as precisely as possible and test our exploits against that copy rather than the live target.
If we are unable to detect or identify potential vulnerabilities from our analysis, we return to the Information Gathering stage and look for more in-depth information than we have gathered so far.
Exploitation
We must prioritize the possible attacks.
There are methodologies such as CVSS scoring for rating vulnerabilities, but for prioritization we weigh:
- the probability of success,
- the complexity of the attack, and
- the probability of damaging the target.
Example of a prioritization table (this is our own weighting, not CVSS itself):
| Factor | Points | Remote File Inclusion | Buffer Overflow |
| --- | --- | --- | --- |
| 1. Probability of Success | 10 | 10 | 8 |
| 2. Complexity - Easy | 5 | 4 | 0 |
| 3. Complexity - Medium | 3 | 0 | 3 |
| 4. Complexity - Hard | 1 | 0 | 0 |
| 5. Probability of Damage | -5 | 0 | -5 |
| Summary | max. 15 | 14 | 6 |
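The weighting in the table as a small script, added here as an illustration and not part of the HTB Academy module: each attack is rated on the three factors, the complexity tiers are mutually exclusive, and the candidates are sorted by total score. The two candidates from the table are reproduced; the third candidate and its ratings are constructed.

```python
"""Attack-prioritization scoring modelled on the table above.

Added example; not code from HTB Academy. The weights (10, 5/3/1, -5 and the
maximum of 15) are the ones in the table; the first two candidates are the
table's columns, the third is a constructed addition.
"""
from dataclasses import dataclass

SUCCESS_MAX = 10                                        # "Probability of Success"
COMPLEXITY_MAX = {"easy": 5, "medium": 3, "hard": 1}    # exactly one tier applies
DAMAGE_PENALTY = -5                                     # "Probability of Damage"
MAX_SCORE = SUCCESS_MAX + max(COMPLEXITY_MAX.values())  # 15, as in the Summary row


@dataclass(frozen=True)
class Candidate:
    name: str
    success: int      # 0..10: how likely the attack is to work
    complexity: str   # "easy", "medium" or "hard"
    ease: int         # points awarded within that tier, 0..tier maximum
    damaging: bool    # could exploitation crash or corrupt the target?


def score(c: Candidate) -> int:
    """Sum the table's rows for one candidate, rejecting out-of-range ratings."""
    if not 0 <= c.success <= SUCCESS_MAX:
        raise ValueError(f"{c.name}: success must be 0..{SUCCESS_MAX}")
    if c.complexity not in COMPLEXITY_MAX:
        raise ValueError(f"{c.name}: unknown complexity tier {c.complexity!r}")
    tier_max = COMPLEXITY_MAX[c.complexity]
    if not 0 <= c.ease <= tier_max:
        raise ValueError(f"{c.name}: ease must be 0..{tier_max} for {c.complexity}")
    return c.success + c.ease + (DAMAGE_PENALTY if c.damaging else 0)


def prioritize(candidates):
    """Highest score first; ties broken in favour of the less damaging attack."""
    return sorted(candidates, key=lambda c: (-score(c), c.damaging, c.name))


# The two columns of the table, plus one constructed extra candidate.
CANDIDATES = [
    Candidate("Remote File Inclusion", success=10, complexity="easy", ease=4, damaging=False),
    Candidate("Buffer Overflow", success=8, complexity="medium", ease=3, damaging=True),
    Candidate("SQL Injection (constructed)", success=7, complexity="easy", ease=5, damaging=False),
]

if __name__ == "__main__":
    for c in prioritize(CANDIDATES):
        print(f"{score(c):>3}/{MAX_SCORE}  {c.name}")
```

Running it prints the ranked list with 14/15 for Remote File Inclusion and 6/15 for Buffer Overflow, matching the Summary row. The validation in score() matters in practice: ratings typed from memory tend to drift above a tier's maximum, which silently inflates a candidate's position in the ranking.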
Post Exploitation
This stage aims to obtain sensitive and security-relevant information from the compromised host.
In most cases we need higher privileges than those of a standard user.
This stage includes the following components:
Evasive Testing
If a skilled administrator monitors the systems, any change or even a single command could trigger an alarm that gives us away.
We can still provide value to the client in this situation by writing up the entire attack chain and helping them identify gaps in their monitoring and processes where they did not notice our actions.
Perhaps we did not thoroughly test a payload, or we got careless and ran a command such as `net user` or `whoami` that is often monitored by EDR systems and flagged as anomalous activity.
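To make concrete why those two commands give us away, here is an added example (not from HTB Academy or any EDR vendor) of the kind of detection rule that fires on them, run over constructed Sysmon-style process-creation events. It matches on the command line rather than only the image name, so that `cmd /c whoami` and `net1.exe` (the binary `net.exe` hands most of its subcommands to) are caught as well; the list of suspicious parent processes is an assumption for illustration.

```python
"""Flagging commonly monitored discovery commands in process-creation telemetry.

Added example; not code from HTB Academy or from any EDR product. The events
below are constructed Sysmon Event ID 1-style records, and SUSPICIOUS_PARENTS
is an assumed list used only to rank the alerts.
"""
import re

# Patterns for the two commands named in the text plus `net group`/`net localgroup`.
# Each requires the command to start a token (start of line, whitespace, quote or
# path separator) so that e.g. C:\tools\whoamiviewer.exe does not match.
DISCOVERY_PATTERNS = {
    "whoami": re.compile(r'(?:^|[\s"\\/])whoami(?:\.exe)?(?=\s|$|")', re.I),
    "net user": re.compile(r'(?:^|[\s"\\/])net1?(?:\.exe)?\s+user\b', re.I),
    "net group": re.compile(r'(?:^|[\s"\\/])net1?(?:\.exe)?\s+(?:local)?group\b', re.I),
}

# Parents from which a discovery command is even more anomalous (assumption).
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "java.exe", "php-cgi.exe"}

# Constructed sample events (Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /all",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\net1.exe", "CommandLine": r"C:\Windows\system32\net1 user",
     "ParentImage": r"C:\Windows\System32\net.exe", "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "whoami && net user"',
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": r"IIS APPPOOL\DefaultAppPool"},
    {"Image": r"C:\Program Files\Git\usr\bin\ssh.exe", "CommandLine": "ssh deploy@build01",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
]


def flag_event(event: dict) -> list[str]:
    """Return the names of watched commands found in the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in DISCOVERY_PATTERNS.items() if pat.search(cmd)]


def severity(event: dict, hits: list[str]) -> str:
    """'high' when a web/app server parent spawned the discovery command."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if hits and parent in SUSPICIOUS_PARENTS:
        return "high"
    return "medium" if hits else "none"


def scan(events: list[dict]) -> list[dict]:
    """Run the rule over a batch of events and return only the alerts."""
    alerts = []
    for e in events:
        hits = flag_event(e)
        if hits:
            alerts.append({"user": e.get("User"), "parent": e.get("ParentImage"),
                           "command": e.get("CommandLine"), "hits": hits,
                           "severity": severity(e, hits)})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['user']}: {a['command']!r} <- {a['parent']} {a['hits']}")
```

The third sample event is the one a web-shell operator typically produces: `w3wp.exe` spawning `cmd.exe` that runs `whoami && net user`. A single event of that shape is enough in a monitored environment, which is why untested payloads and reflexive enumeration commands are the usual way to lose covert access.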
Information Gathering
Since we now have a new perspective on the system and the network, we need to gather as much information as possible again.
We also repeat the vulnerability assessment with this new information.
Pillaging
Pillaging is the stage where we examine the role of the host in the corporate network. We analyze its network configuration.
Some of the things we look at are:
| Interfaces | Routing | DNS |
| --- | --- | --- |
| ARP | Services | VPN |
| IP Subnets | Shares | Network Traffic |
This helps us understand how the different parts of the network communicate with each other.
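As an added example (not code from the HTB Academy module) of collecting the Routing, DNS, ARP and Services cells of that table from a Linux host, the script below parses the kernel's own /proc/net files instead of running `ip`, `arp`, `ss` or `netstat`, which may be missing from a minimal container or may themselves be monitored. The SAMPLE_* strings are constructed copies of the file layouts so the parsers run offline; collect_live() reads the real files when run on a Linux machine. Interfaces, IPv6, shares and VPN configuration are not covered.

```python
"""Pillaging network configuration from /proc on a Linux host.

Added example; not code from the HTB Academy module. The SAMPLE_* strings are
constructed input in the column layout of the real kernel files. IPv6
(/proc/net/tcp6, /proc/net/ipv6_route) is left out for brevity.
"""
import os
import socket
import struct

SAMPLE_ROUTE = """\
Iface   Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0    00000000    0101A8C0 0003  0      0   100    00000000 0   0      0
eth0    0001A8C0    00000000 0001  0      0   100    00FFFFFF 0   0      0
"""
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18231 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 20417 1 0000000000000000 100 0 0 10 0
   2: 3201A8C0:D6B4 0101A8C0:01BD 01 00000000:00000000 00:00000000 00000000  1000        0 22905 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_RESOLV = """\
search corp.local
nameserver 192.168.1.1
nameserver 192.168.1.2
"""

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def _ipv4(hex8: str) -> str:
    """/proc/net stores IPv4 addresses as 8 hex digits in host (little-endian) byte order."""
    return socket.inet_ntoa(struct.pack("<L", int(hex8, 16)))


def _sock(addr: str) -> str:
    ip, port = addr.split(":")
    return f"{_ipv4(ip)}:{int(port, 16)}"


def parse_route(text: str) -> list[dict]:
    routes = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        flags = int(f[3], 16)
        prefix = bin(int(f[7], 16)).count("1")          # mask -> prefix length
        routes.append({"iface": f[0], "dest": f"{_ipv4(f[1])}/{prefix}",
                       "gateway": _ipv4(f[2]) if flags & 0x2 else None,   # RTF_GATEWAY
                       "up": bool(flags & 0x1)})                            # RTF_UP
    return routes


def parse_arp(text: str) -> list[dict]:
    rows = (line.split() for line in text.strip().splitlines()[1:])
    return [{"ip": f[0], "mac": f[3], "iface": f[5],
             "complete": bool(int(f[2], 16) & 0x2)}     # ATF_COM: entry fully resolved
            for f in rows]


def parse_tcp(text: str) -> list[dict]:
    socks = []
    for line in text.strip().splitlines()[1:]:
        f = line.split()
        socks.append({"local": _sock(f[1]), "remote": _sock(f[2]),
                      "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7])})
    return socks


def parse_resolv(text: str) -> dict:
    cfg = {"nameservers": [], "search": []}
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "nameserver":
            cfg["nameservers"].append(f[1])
        elif f[0] in ("search", "domain"):
            cfg["search"].extend(f[1:])
    return cfg


def collect_live() -> dict:
    """Read the real files on a Linux host; missing files are simply skipped."""
    sources = {"routes": ("/proc/net/route", parse_route), "arp": ("/proc/net/arp", parse_arp),
               "tcp": ("/proc/net/tcp", parse_tcp), "dns": ("/etc/resolv.conf", parse_resolv)}
    out = {}
    for key, (path, parser) in sources.items():
        if os.path.exists(path):
            with open(path) as fh:
                out[key] = parser(fh.read())
    return out


if __name__ == "__main__":
    data = collect_live() or {"routes": parse_route(SAMPLE_ROUTE), "arp": parse_arp(SAMPLE_ARP),
                              "tcp": parse_tcp(SAMPLE_TCP), "dns": parse_resolv(SAMPLE_RESOLV)}
    for key, rows in data.items():
        print(f"== {key} ==")
        for r in (rows if isinstance(rows, list) else [rows]):
            print("  ", r)
```

The non-obvious detail is the address encoding: /proc/net stores IPv4 addresses as eight hex digits in host byte order, so `0101A8C0` is 192.168.1.1, not 1.1.168.192, and `struct.pack("<L", ...)` with `socket.inet_ntoa` undoes that. The established connection to 192.168.1.1:445 in the sample is exactly the kind of lead that tells us which hosts this machine already talks to and over which protocols.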
Vulnerability Assessment
- Since we can maintain access, we can use the information about the system to repeat the Vulnerability Assessment stage, but this time from inside the system.
Privilege Escalation
The goal is to obtain the highest possible privileges on the system or in the domain.
If we have root (or administrator) privileges, many doors are open to us.
Persistence
Once we have an overview of the system, our immediate next step is maintaining access to the exploited host.
In other words, we need a backdoor.
This step is essential and is often done first, before the Information Gathering and Pillaging stages.
Data Exfiltration
During the Information Gathering and Pillaging stages, we will often be able to find personal information and customer data. Many companies use encryption on their disks.
An important point about exfiltrating information is to create a fake record (for example, a fake card number) and exfiltrate that instead of the real data, so that we never hold real sensitive information and are not responsible for any live sensitive data.
Outro
Thanks to HTB Academy for the opportunity to learn.