
In-Depth Guide to Pentests: Types, Deliverables, and Scope
Dive into the world of pentesting with this comprehensive guide covering what pentests are, types of pentests, defining deliverables, checklist importance, and understanding ethical boundaries. Explore various pentesting types like network, web, mobile, and more to enhance your cybersecurity knowledge.
Presentation Transcript
Agenda
- Defining what a pentest is
- Defining the types of pentests out there
- Defining the deliverables
- Checklists

Defining what a pentest is: I get paid to hack?

Defining what a pentest is
- Assigned a certain scope: in scope vs. out of scope
- We are expected to be ethical
- Sign an NDA
- Protect our customer as the #1 priority

Defining what a pentest is
- Deliver a solid test plan, including methodology
- Deliver a proper report
- Guarantee a certain level of coverage: often the OWASP Top 10 is named, other ways exist, depends on the type of test
The types of pentests: what can I hack?

The types of pentests
- Network pentest
- Organisation pentest
- Web pentest
- Mobile pentest
- API pentesting
- Cloud/hybrid infrastructure testing
- IoT pentest
- Web 3.0 pentest
- Metaverse pentest
- Social engineering
- Automotive pentest
- Physical pentest

The types of pentests: network
- Often external and internal
- Heavy reliance on tools
- Requires networking knowledge
- Often the goal is to get a foothold, get information that is confidential, or find a way to disable access to the network (such as DoS)

The types of pentests: organisation
- Often external and internal
- Sometimes covers multiple networks
- Requires networking knowledge
- Often the goal is to get a foothold, get information that is confidential, or find a way to disable access to the network (such as DoS)

The types of pentests: web
- Often external or internal
- 50/50 mix of tools and manual hacking
- Requires knowledge of web applications
- Often the goal is to get a reverse shell, find a web exploit, or deny access to the site (by means of DoS, for example)

The types of pentests: API
- Often external or internal
- 50/50 mix of tools and manual hacking
- Requires knowledge of integration testing and documentation
- Often the goal is to exploit logic, exploit weak architecture or shadow APIs, or deny access to the site (by means of DoS, for example)
The deliverables: no proof? You did not work!

The deliverables
- NDA
- Test plan
- Test report
- Notice of engagement
- Sign-off slip
- Test debriefing

The deliverables: NDA
- Ensures no company data is leaked
- Offered and drafted by the target
- Often signed before the actual engagement
- Read carefully before you sign

The deliverables: test plan
- Offered and drafted by the pentesting company
- Often signed before the actual engagement
- Contains: see examples

The deliverables: test report
- Offered and drafted by the pentesting company
- Often signed after the actual engagement
- Contains (MVP): vulnerabilities found, steps to reproduce, actual result, expected result, summary, CVSS score
- Steps for remediation are recommended to add
- Add what you did to clean up after yourself
- Conclusion

The deliverables: notice of engagement
- Confirms the timing of attacks
- Confirms the IP addresses of the attacker and any VPS used
- Contains the special headers used
- Is used to monitor logging on the customer's side

The deliverables: sign-off slip
- Confirms everything is delivered as expected
- Not required but recommended
- Signed by both customer and pentester

The deliverables: debriefing
- A video or audio file explaining the issues found
- Can be used in meetings
- Can be a live debriefing
- Nice extra
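How the customer's side actually uses the notice of engagement: the three facts it records (tester IPs, testing window, marker header) let the SOC separate declared test traffic from everything else in the logs. This is an added example, not from the presentation; the engagement values, the header name X-Pentest-Engagement and the sample log lines are all constructed, and it assumes the web server logs the marker header as a trailing quoted field.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed notice-of-engagement values; in practice they come from the signed notice.
ENGAGEMENT = {
    "sources": [ipaddress.ip_network("203.0.113.10/32"),
                ipaddress.ip_network("198.51.100.0/29")],   # tester box plus VPS range
    "start": datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 3, 8, 18, 0, tzinfo=timezone.utc),
    "marker": "ENG-2024-0304",  # agreed value of the hypothetical X-Pentest-Engagement header
}

# Combined log format plus one trailing quoted field holding the marker header ("-" when absent).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<marker>[^"]*)"$')

def classify(line):
    """Label one log line by checking it against all three facts in the notice."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    ip = ipaddress.ip_address(m["ip"])
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    from_tester = any(ip in net for net in ENGAGEMENT["sources"])
    in_window = ENGAGEMENT["start"] <= ts <= ENGAGEMENT["end"]
    marked = m["marker"] == ENGAGEMENT["marker"]
    if marked and not from_tester:
        return "spoofed-marker"    # engagement header from an undeclared source: treat as hostile
    if from_tester and marked and not in_window:
        return "outside-window"    # tester active outside the agreed timing: raise with the lead
    if from_tester and in_window and not marked:
        return "unmarked-tester"   # declared IP but header missing: ask the tester to fix tooling
    if from_tester and in_window:
        return "declared-test"     # matches the notice on all three points: engagement queue
    return "other"                 # normal SOC triage

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Mar/2024:10:15:32 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "ENG-2024-0304"',
    '203.0.113.10 - - [05/Mar/2024:10:16:01 +0000] "POST /api/v1/orders HTTP/1.1" 500 87 "-" "curl/8.4.0" "-"',
    '192.0.2.77 - - [05/Mar/2024:11:02:44 +0000] "GET /admin HTTP/1.1" 403 120 "-" "python-requests/2.31" "ENG-2024-0304"',
    '198.51.100.3 - - [09/Mar/2024:02:30:00 +0000] "GET /health HTTP/1.1" 200 15 "-" "Mozilla/5.0" "ENG-2024-0304"',
    '192.0.2.5 - - [05/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
]

for entry in SAMPLE_LOG:
    print(classify(entry))
```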
Checklists: done, done, done, todo, ...

Checklists
- Very important in pentesting
- Help ensure coverage and transparency
- Are living documents that ever grow
- Pentesting checklist, deliverable checklist, logging checklist, etc.