This is a short list of some of the top tips for penetration testers. These are not technical tips, but rather tips for a sound work methodology. They are not presented in any particular order, since they are all equally important and none should be disregarded while preparing for and conducting your pen-test.
Document EVERYTHING!
When you get a work order, open a new folder named with the company name and the date. Create a spreadsheet which contains all timelines and activities. Document the time of calls, when attacks and meetings are scheduled, and everything else. During the pen-test itself, document all the information that you can. I used to run a complete screen video capture. Today I use tcpdump to save all traffic (yes, all of it), ttyrec to record terminal actions and spool in Metasploit. Keep as much information as you can on everything that has happened. It will be useful in the report-writing process, in case something went wrong and you want to prove that it wasn’t you, or even just to make sure that you have not missed anything.
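The bookkeeping side of this tip, as an added example that is not code from the original post: a small Python module that creates the per-client engagement folder, appends timestamped entries to an activity log, and seals the captured artefacts (pcap, ttyrec and spool files) with a SHA-256 manifest so that you can later prove a capture is the one you took and has not been altered. The folder layout, the file names (timeline.jsonl, MANIFEST.sha256) and the JSON-lines log format are this example's own assumptions; the sample client name and the capture content in run_demo are constructed.

```python
"""Engagement evidence ledger: the per-client folder, the timestamped
activity log and a hash manifest for captured artefacts (pcap, ttyrec,
Metasploit spool files).  Added example, not code from the original post;
the folder layout, file names and JSON-lines log format are this
example's own assumptions."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def engagement_dir(root, client, date=None):
    """Create <root>/<client>_<YYYY-MM-DD>/ with evidence/ and notes/ subfolders."""
    date = date or datetime.now(timezone.utc).strftime("%Y-%m-%d")
    safe = "".join(c if c.isalnum() or c in "-_" else "_" for c in client)
    path = Path(root) / f"{safe}_{date}"
    for sub in ("evidence", "notes"):
        (path / sub).mkdir(parents=True, exist_ok=True)
    return path


def log_event(path, kind, detail, when=None):
    """Append one timestamped entry (call, meeting, attack window, ...) to timeline.jsonl."""
    when = when or datetime.now(timezone.utc)
    entry = {"time": when.isoformat(timespec="seconds"), "kind": kind, "detail": detail}
    with open(Path(path) / "timeline.jsonl", "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def read_timeline(path):
    """Return the log entries in the order they were written."""
    with open(Path(path) / "timeline.jsonl", encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def sha256_file(file_path):
    """Stream a file through SHA-256 (captures can be large)."""
    h = hashlib.sha256()
    with open(file_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def seal_evidence(path):
    """Write evidence/MANIFEST.sha256 with the digest of every captured file."""
    evidence = Path(path) / "evidence"
    lines = [
        f"{sha256_file(f)}  {f.relative_to(evidence).as_posix()}"
        for f in sorted(evidence.rglob("*"))
        if f.is_file() and f.name != "MANIFEST.sha256"
    ]
    (evidence / "MANIFEST.sha256").write_text("".join(l + "\n" for l in lines), encoding="utf-8")
    return lines


def verify_evidence(path):
    """Return the manifest entries whose file is now missing or altered (empty list = intact)."""
    evidence = Path(path) / "evidence"
    bad = []
    for line in (evidence / "MANIFEST.sha256").read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        f = evidence / rel
        if not f.is_file() or sha256_file(f) != digest:
            bad.append(rel)
    return bad


def run_demo(root=None):
    """Walk through one engagement with constructed sample data; returns what happened."""
    root = root or tempfile.mkdtemp(prefix="pt_")
    folder = engagement_dir(root, "Acme Corp", "2011-04-05")   # constructed client/date
    log_event(folder, "call", "kick-off call, scope and attack window confirmed")
    log_event(folder, "attack", "external assessment started, tcpdump and ttyrec running")
    # constructed stand-in for a real capture file
    (folder / "evidence" / "external.pcap").write_bytes(b"constructed pcap bytes")
    sealed = seal_evidence(folder)
    intact = verify_evidence(folder)
    # simulate the capture being modified after sealing
    (folder / "evidence" / "external.pcap").write_bytes(b"tampered")
    tampered = verify_evidence(folder)
    return {
        "dir_name": folder.name,
        "events": [e["kind"] for e in read_timeline(folder)],
        "sealed": len(sealed),
        "intact": intact,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is deliberately in the same two-space format that `sha256sum -c` reads, so the client (or you, months later) can re-verify the captures without this script. Seal the evidence folder as soon as the attack window closes, and log the sealing itself as an event.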
Be Available
Always be available to the client by cell phone and email. This is extremely important to most of them and will be considered disrespectful if not done. Do not put them on hold, especially not after the report has been submitted. You are an outsider interacting with their most intimate data. You can always charge for more hours if the requests are big, but try to give a few hours ‘on the house’. It will make the client feel much better and more relaxed, and they will probably come back to work with you next time.
Be Discreet
You are hacking into their sensitive systems and data. Be as discreet with the information as if it were your own. Do not discuss or communicate your work to anyone inside the compound or outside it. Keep even the mere fact that you are working with that entity only to the ones who need to know. Do not give away your results even when asked for them by the CEO of the company. Relay that information only to the person in that entity who ordered the pen-test. Encrypt transmission of the report and keep the PoCs and findings well protected.
Coordinate Your Intentions
Find out all of the details of your upcoming penetration test. Can you use social engineering? Should you verify DoS attacks? Can you damage systems’ availability? You can give your own tips and views on how you think the PT should be conducted, but remember – the client has the final say.
Be Pedantic!
Set an exact time for the test. Do not leave the client hanging. The best thing to do is to schedule the timeline for the PT in advance. Attack times are important even if you are ‘black-boxing’! The client should have an IT team standing by, able to bail you out if needed.
Set an exact date to finish your report (including internal company procedures and approvals). Notify the client, before the PT even begins, when you are going to hand over the report, but remember to keep a few days’ buffer. When interacting with the client after each step (such as the actual attack), relay only information you can be certain of. Try to keep all findings for the report rather than citing them from memory over the phone.
Write the Best Report
A lot of penetration testers I’ve met do not understand the meaning of the report. The report is what the client paid for. It is the document which is going to be circulated all around IT, IS and probably also senior management. Have a professional report; include an executive summary, a table of contents, charts, solutions and the vital appendices. Don’t be sloppy!
Know What Your Actions Can Cause
Many attacks are unstable or can cause damage. Most exploits are very unpredictable, so run them with caution. Man-in-the-middle attacks can be very dangerous and can cause multiple issues on a LAN, even paralysing it for a considerable time. SQL injections can seriously harm a database. You can use any attack you see fit, as long as you are aware of the consequences it might lead to and have agreed on it with the client.
Include Everything
As I often say to my students, most hackers tend to avoid writing a big report since it takes a lot of time and effort and is usually not our favourite hobby. ‘Low’ risks can become ‘medium’ and ‘high’ within a short time. Encryption standards are an excellent example, since they weaken constantly due to newly found weaknesses or simply technology evolving to better and faster CPUs and GPUs. If you find a ‘low’ risk, remember to put a date stamp on when it should next be tested.
Timeline
Usually a PT’s cost is estimated in hours. Remember to include time for each test to be conclusive, buffer and travel time and, most importantly, report-writing time. Even if the report will be only 20 pages long and will include only the regular vulnerabilities, you should still allocate enough time to produce a professional report and make sure you do not have typos.
Cover Everything
The fact that you got the domain admin password after 2 hours does not mean that your work is done. Find every possible way you could have hacked in. Spend the rest of your hours finding new breaches and vulnerabilities and never settle for what you’ve found.
Version Control
We know that version control is usually somewhat of a hassle, but it is crucial. You need to know which document belongs to which PT, which version went where and to whom, and you must keep track of them. You can manage this even with a regular Excel file, but do it. The better you track these documents, the better they will look and the more professional you will be.
It’s powerful and vital information.
Thanks a lot!
Very good info!
Can you explain the “version control” part to me in more detail? I don’t understand it…
Hello Alex,
Version control is a vital part of the art of creating documents. As a pentester, the product / service you eventually offer is the report. The work behind it is also very important, but the report is what the client eventually sees.
Version control of a pentest should have the following items in it:
Document Details:
Title, Version, Author, Pen-Tester, Reviewed by, Classification and Internal Indexing Number
Recipients list
Version Control
This list contains all previous versions of the document and the reasons it has been modified.
Later on we will publish a PT Report example and some more tips about how to conduct your pentest in the most efficient way.
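The “Version Control” tip in the post and the reply above describe the same thing: a record of document details, recipients and version history kept next to the report. As an added example that is not code from the original site, here is a Python module that keeps that record and, for each released version, stores the SHA-256 of the report file, so an unlabelled copy that comes back from the client can be matched to the version that was actually sent. The field names follow the reply (Title, Version, Author, Pen-Tester, Reviewed by, Classification, Internal Indexing Number, Recipients list, Version Control); the 0.x / 1.0 numbering scheme and the sample values in the usage are this example's own assumptions.

```python
"""Report version-control record: Document Details, Recipients list and
Version Control history, with a hash per released version.  Added example,
not from the original site; the numbering scheme is an assumption."""
import hashlib
from datetime import datetime, timezone


def new_record(title, author, pen_tester, reviewed_by, classification, index_number):
    """Document Details block for a fresh report: version 0.1, nobody has received it yet."""
    return {
        "document": {
            "title": title, "version": "0.1", "author": author,
            "pen_tester": pen_tester, "reviewed_by": reviewed_by,
            "classification": classification, "index_number": index_number,
        },
        "recipients": [],   # who got which version
        "history": [],      # every released version, its date, reason and hash
    }


def _bump(version, major):
    """0.x drafts; a major bump (approved report) moves to the next x.0."""
    hi, lo = (int(x) for x in version.split("."))
    return f"{hi + 1}.0" if major else f"{hi}.{lo + 1}"


def release(record, report_bytes, reason, major=False, when=None):
    """Register a new version: bump the number, hash the report file and log why it changed."""
    when = when or datetime.now(timezone.utc)
    doc = record["document"]
    doc["version"] = _bump(doc["version"], major)
    record["history"].append({
        "version": doc["version"],
        "date": when.strftime("%Y-%m-%d"),
        "reason": reason,
        "sha256": hashlib.sha256(report_bytes).hexdigest(),
    })
    return doc["version"]


def add_recipient(record, name, role, version=None):
    """Record who received which version (defaults to the current one)."""
    entry = {"name": name, "role": role, "version": version or record["document"]["version"]}
    record["recipients"].append(entry)
    return entry


def find_version(record, report_bytes):
    """Identify a copy of the report by its hash; None if it matches no released version."""
    digest = hashlib.sha256(report_bytes).hexdigest()
    for h in record["history"]:
        if h["sha256"] == digest:
            return h["version"]
    return None


def render_header(record):
    """Plain-text Document Details / Recipients / Version Control tables for the report's front matter."""
    doc = record["document"]
    lines = ["Document Details:"]
    lines += [f"  {k.replace('_', ' ').title()}: {v}" for k, v in doc.items()]
    lines.append("Recipients:")
    lines += [f"  {r['name']} ({r['role']}) - v{r['version']}" for r in record["recipients"]]
    lines.append("Version Control:")
    lines += [f"  v{h['version']}  {h['date']}  {h['reason']}" for h in record["history"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # constructed sample engagement
    rec = new_record("Acme External PT", "J. Doe", "J. Doe", "A. Lee", "Confidential", "PT-2011-004")
    release(rec, b"constructed draft report", "first internal draft")
    release(rec, b"constructed reviewed draft", "reviewer comments applied")
    release(rec, b"constructed final report", "approved for delivery", major=True)
    add_recipient(rec, "CISO", "ordering party")
    print(render_header(rec))
```

Hashing each released version is what makes the record useful beyond bookkeeping: when a reviewer or the client sends back “the report” with a question, find_version tells you exactly which version they are looking at, and an unrecognised hash tells you the copy was altered after it left you.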