End-to-End Methodology. Testing Phases Reconnaissance Mapping Discovery Exploitation Repeat… ...

Post on 12-Jan-2016

220 views 0 download

Preview:

Click to see full reader

Tags:

Report this document
SHARE

Transcript of End-to-End Methodology. Testing Phases Reconnaissance Mapping Discovery Exploitation Repeat… ...

ANATOMY OF A WEB PEN TEST

End-to-End Methodology

Testing Phases

Reconnaissance Mapping Discovery Exploitation Repeat… Report

Reconnaissance

Whois records Architecture diagrams IPs and Hostnames DNS information Google Searches Social Networks Blogs and Other Web Sites

Whois[laa@lobo ~]$ whois generalstatics.com[Querying whois.verisign-grs.com]domain: generalstatics.comowner: Neale Pickettorganization: WoozleWorksemail: hostmaster@woozle.orgaddress: 2175 35th Stcity: Los Alamosstate: NMpostal-code: 87544country: USphone: +1.5055004666admin-c: CCOM-411473 hostmaster@woozle.orgtech-c: CCOM-411473 hostmaster@woozle.orgbilling-c: CCOM-411473 hostmaster@woozle.orgnserver: ns1.afraid.org

contact-hdl: CCOM-411473person: Neale Pickettorganization: WoozleWorksemail: hostmaster@woozle.orgaddress: 2175 35th Stcity: Los Alamosstate: NMpostal-code: 87544country: USphone: +1.5055004666

source: joker.com live whois service

Architecture Diagram

Mapping Port scans Version Checking OS Fingerprinting Spidering Pieces/flow of the application

User/admin/public areasLogin screensConfiguration and ManagementSession identifiers

Learning the various components that make up a web application

Network Scan

Discovery

Focus is on finding issues User interfaces Information leakage Authentication systems Error messages Some exploitation will happen as part of

this stepDirectory browsing

Directory Browsing

Exploitation

Attacking the flaws in an applicationInjectionXSSAuthentication/Authorization bypass

Determine implications of an attackWhat can happen as a result…

What other parts of the application infrastructure are exposed through the attack?

Repeat…

Some knowledge of the application may be gained that wasn’t found in the Recon, Mapping, or Discovery phases

Jump back into the workflow, utilizing the newly discovered information

Reporting Documentation for Reporting is collected

during all phases Executive Summary

Appears first, but written lastAudience is management

IntroductionScope, objectives, personnel

MethodologyStep-by-step, including tools usedSufficient detail to allow verification and repeat of

test

Reporting (2)

FindingsCategorized according to riskInclude recommendations

ConclusionsShort summaryLike Executive Summary, but audience is

technical Appendix

Permission memo, data discovered, tools outputs

Top related

Location and reconnaissance
 Entertainment & Humor
190312 Sergej Epp AI Ready Go submission...Reconnaissance Weaponization and Delivery Exploitation Command and Control Lateral Movement Installation Actions on the Objective Automated
 Documents
SATELLITE RECONNAISSANCE
 Documents
Compact Reconnaissance Imaging Spectrometer for Mars ... · Compact Reconnaissance Imaging Spectrometer for Mars ... novel method for stratigraphic ... The Compact Reconnaissance
 Documents
Network Reconnaissance. 2 What is? Military reconnaissance Military reconnaissance a mission conducted to confirm or deny prior intelligence (if any)
 Documents
AN ECOLOGICAL RECONNAISSANCE OF THE GRAND CANAL …...reconnaissance of the Grand Canal, a network of waterways on the north end of Siesta Key, Florida. Tasks included: 1. Physical
 Documents
DANVERS RECONNAISSANCE REPORT
 Documents
National reconnaissance office
 Technology
Rome Research Corporation Richard R. Petroski · 2011. 5. 14. · RADC-TR-830-400Jnay91LEVELYZ -t, Final Technical Report January 1981I! RECONNAISSANCE SENSOR 0 SYSTEM EXPLOITATION
 Documents
Overexploitation Tokyo Tuna Market. Types of Overexploitation Commercial exploitation Subsistence exploitation Recreational exploitation Incidental exploitation.
 Documents
RECONNAISSANCE FOR URANIUM-BEARING CARBONACEOUS MATERIALS ... · reconnaissance for uranium-bearing carbonaceous materials ... (2), and kolob terrace (3). reconnaissance for uranium-bearing
 Documents
B.A.R.T. Bridge Assessment and Reconnaissance Team Equipment.pdf• Route Recce Form (STANAG 2021) • Bridge Reconnaissance Report (BEL) ... => Reconnaissance / Assessment / Upgrade
 Documents
Mr. James Pettigrew€¦ · unclassified mr. james pettigrew . pm dcgs-sof, jtws, dmtrs, & isp . special reconnaissance, surveillance, and exploitation
 Documents
Network Reconnaissance
 Documents
RECONNAISSANCE pamphlet.pdfMARINE CORPS RECONNAISSANCE MARINE CORPS RECONNAISSANCE Entry level: ... The Basic Reconnaissance Preparation Workout Guide is one example of a 10
 Documents
End abuse, exploitation, trafficking and all forms of ... · 3 | I. Forms of violence covered by 16.2: End abuse, exploitation, trafficking and all forms of violence and torture against
 Documents
SPECIAL RECONNAISSANCE, SURVEILLANCE, AND EXPLOITATION ·  · 2017-06-06Program Executive Office Special Reconnaissance, Surveillance, and Exploitation. UNCLASSIFIED UNCLASSIFIED
 Documents
Reconnaissance vs. Enumeration - WordPress.com...Reconnaissance vs. Enumeration Both are involved in preliminary data collection, but each is unique Reconnaissance Passively engages
 Documents
Mars Reconnaissance Images
 Science
Network Reconnaissance Infographic
 Technology

Copyright © 2022 FDOCUMENTS