Penetration Testing Cheat Sheet

Definition

Simulated attacks in a controlled environment carried out by third-party security specialists who employ the same techniques as attackers located outside your infrastructure.

Objective

"Identify ways to exploit vulnerabilities to circumvent or defeat the security features of system components" (PCI SSC).

A pentest reveals whether your organization is potentially vulnerable to cyberattacks and provides recommendations on how to strengthen your security posture.

Why a pentest?

1. To uncover critical vulnerabilities in your environment
2. To prioritize and tackle risks based on their exploitability and impact
3. To comply with industry standards and regulations
4. To keep stakeholders and shareholders informed about your organization's risk exposure and security posture
5. To preserve your organization's integrity and reputation

When to conduct a pentest?

- Pentest your environment at least once per year, ideally on a quarterly basis for optimal results.
- After a major breach or data leak, to find out which vulnerabilities may have led to exploitation.
- During major changes or updates to a network or applications, e.g. when relocating offices or adding new infrastructure.
- As part of the Software Development Lifecycle (SDLC) process, e.g. before application launches.
- As part of a regular compliance practice, e.g. with PCI DSS v3.2, ISO 27001, HIPAA, NIST, or the 20 Critical Security Controls from the CIS.
- If you want to find out how strong your cybersecurity posture really is against breaches and intrusions.

Terms

- Black box: performed without any additional knowledge of the target and the organization itself.
- White box: performed with knowledge of the internal structure of a network or application, to better uncover potential vulnerabilities.
- Grey box: in between a black box and a white box pentest; a grey box pentesting team will have partial knowledge of the network's or applications' inner workings.
- Red Team: known as the attackers, Red Teams are external entities brought in by a client to exploit vulnerabilities in the environment.
- Blue Team: known as the defenders, Blue Teams are internal entities mandated by the client to defend their environment against external attackers and Red Teams.
- Purple Team: leveraging knowledge from both the attackers and the defenders, Purple Teams are a group of people who do both Red and Blue Team security testing to secure a client environment.

Types

- Network/Infrastructure Pentest: one of the most common pentests, aimed at discovering vulnerabilities and gaps in the client's network infrastructure.
- (Web) Application Pentest: conducted on (web) applications, browsers and their related plugins.
- Wireless Pentest: aimed at analyzing the wireless devices deployed at the client site, e.g. tablets, laptops, notebooks, iPads, smartphones.
- Social Engineering: a targeted attack on the client's employees to attempt to initiate a breach from within the client environment.
- Capture-the-Flag Pentest: a cybersecurity competition designed to challenge its pentesters to find a "flag" (a file, a snippet of code, a piece of hardware) within a specific environment.
- Cloud Pentest: conducted to reveal vulnerabilities in cloud systems and applications.

Common findings

- Password attacks and default passwords
- Operating system attacks
- Application level attacks
- Misconfiguration issues
- Injection attacks (SQL, NoSQL, LDAP, etc.)
- Cross-Site Scripting (XSS)
- Authentication issues
- Authorization and access control issues
- Misconfiguration issues
- Vulnerable components

Phases

1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering tracks

Report elements

- Executive summary
- Technical approach and methodology
- Vulnerabilities and exploits
- Recommendations for remediation
- Appendix

How to select a vendor

1. Define the type of pentest you need
2. Evaluate the pentesting team's skills
3. Ask for relevant references
4. Find out how your data will be secured
5. Ask for liability insurance
6. Get a sample report
7. Verify project management capabilities
8. Clarify the methodology and process
9. Ask about options for retesting
10. Get to know the pentesting vendor

Ethical hacking certifications

- Certified Ethical Hacker (CEH)
- GIAC Penetration Tester (GPEN)
- Offensive Security Certified Professional (OSCP)
- CREST Certified Tester
- Foundstone Ultimate Hacking
- Certified Penetration Testing Consultant (CPTC)
- Certified Penetration Testing Engineer (CPTE)

Tools

- Nmap
- Burp Suite
- Metasploit
- Netcat
- Python
- PowerShell and PowerSploit
- Scanning applications (Nessus, Qualys, Nexpose, OpenVAS)
- Responder (Python script)
- Wireshark
- Cobalt Strike

Resources to Bookmark

- Offensive Security
- The Exploit Database
- The SANS Institute
- PentesterLab
- Cybrary
- Penetration Testing Practice Lab
- Ethical Hacking LinkedIn Group
- Kioptrix
- EHacking.net
- GitHub – Awesome Penetration Testing

www.hitachi-systems-security.com