0% found this document useful (0 votes)

26 views

HOD402_Pentesting_Reference-v1

The document outlines a structured pentesting process divided into six phases: Preparation and Planning, Information Gathering, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting. Each phase includes specific objectives, methodologies, legal considerations, and detailed planning requirements. The document emphasizes the importance of thorough documentation and communication throughout the pentesting process.

Uploaded by

thientdhe171847

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

26 views

HOD402_Pentesting_Reference-v1

Uploaded by

thientdhe171847

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 2

HOD402

A Reference for Pentesting Process

Phase 1: Preperation and Planning

1. Objectives

2. Scope:

o Target system: app, site, database, infrastructure …

o Known-environment testing

o Unknown-environment testing

o Out of scope

3. Methodology

4. Timeline: milestones chart , Gantt chart …

5. Legal and Compliance:

o Regulatory Compliance Considerations

o Local Restrictions

o Service-level agreement (SLA), Conﬁdentiality, Statement of work (SOW), Master

service agreement (MSA), Non-disclosure agreement (NDA)

o Contract

o Disclaimers

6. Rules of Engagement Document

7. Team and members

8. Written Agreement (Agreement/Contract):

o Include some or all of items 1.1 to 1.7

o Costs

o Responsibilities of each party.

o Process for handling critical vulnerabilities.

9. Detailed Planning: Create a detailed project plan document, including:

o Project phases (information gathering, analysis, exploitation, reporting).

o Speciﬁc schedule for each phase.

o Task assignments for each team member.

o List of tools to be used.

1
HOD402

o Communication and progress reporting methods.

Phase 2: Information Gathering (Reconnaissance)

1. Identify Assets and Activities

2. Identify Threats by a threat modeling

3. Performing Passive Reconnaissance

4. Performing Active Reconnaissance

Phase 3: Vulnerability Analysis

1. Manual Analysis: using some frameworks and standards, such as OWASP Top 10, SANS Top
25, Misconﬁguration Checks, Session Management Checks, Authentication and
Authorization Checks, Input Validation Checks, Source Code Review (if White Box), API
Testing (if applicable) …

2. Severity Assessment: Using a scoring system like CVSS (Common Vulnerability Scoring
System) to determine the severity of each vulnerability (Critical, High, Medium, Low).

Phase 4: Exploitation

1. Exploiting Network-Based Vulnerabilities

2. Exploiting Wireless Vulnerabilities

3. Exploiting Application-Based Vulnerabilities

4. Exploiting cloud, mobile and IoT systems

Phase 5: Post-Exploitation

1. Creating a Foothold
2. Maintaining Persistence After Compromising a System

Phase 6: Reporting

1. Executive Summary
2. Scope Details
3. Methodology
4. Findings
5. Remediation
6. Conclusion
7. Appendix

Pentest_16thDec2024
No ratings yet
Pentest_16thDec2024
74 pages
CySA+ CS0-002 Cheat Sheet
100% (3)
CySA+ CS0-002 Cheat Sheet
31 pages
Report Template
No ratings yet
Report Template
11 pages
EXAMPLE-Penetration Testing Report v.1.0
100% (1)
EXAMPLE-Penetration Testing Report v.1.0
25 pages
CompTIA Pentest Study Guide PDF
100% (1)
CompTIA Pentest Study Guide PDF
71 pages
SharePoint Configuration Guidance For 21 CFR Part 11 Compliance
No ratings yet
SharePoint Configuration Guidance For 21 CFR Part 11 Compliance
78 pages
Times of India
100% (2)
Times of India
25 pages
Testing Isu CRM
No ratings yet
Testing Isu CRM
2 pages
2-Ethical Hacking Methodology
No ratings yet
2-Ethical Hacking Methodology
21 pages
PentestPlus Comparison 003 002
No ratings yet
PentestPlus Comparison 003 002
34 pages
Phase 11
No ratings yet
Phase 11
4 pages
Phase 1
No ratings yet
Phase 1
5 pages
WEBapp Tester
No ratings yet
WEBapp Tester
28 pages
6th Month Capstone Project
No ratings yet
6th Month Capstone Project
4 pages
Vulnerability Scanner
No ratings yet
Vulnerability Scanner
5 pages
Penetration Testing
No ratings yet
Penetration Testing
3 pages
Project Proposal
No ratings yet
Project Proposal
2 pages
WEB PT_final_2
No ratings yet
WEB PT_final_2
15 pages
lab scenario
No ratings yet
lab scenario
2 pages
Vulnerability Assessment and Penetration Testing VAPT 1730885750
No ratings yet
Vulnerability Assessment and Penetration Testing VAPT 1730885750
29 pages
VAPT Module 2 Part 1
No ratings yet
VAPT Module 2 Part 1
36 pages
Penetration Testing Methodology - Oissg - Archive - Org
No ratings yet
Penetration Testing Methodology - Oissg - Archive - Org
9 pages
Cissp Domain 6
No ratings yet
Cissp Domain 6
9 pages
unit_05_cyber notes
No ratings yet
unit_05_cyber notes
7 pages
Vulnerability and Penetration Testing
No ratings yet
Vulnerability and Penetration Testing
30 pages
Untitled
No ratings yet
Untitled
772 pages
Thor Teaches Study Guide CISSP Domain 6
No ratings yet
Thor Teaches Study Guide CISSP Domain 6
11 pages
Lecture 2 - Penetration Testing, Rules of Engagement and Vulnerability Scanning
No ratings yet
Lecture 2 - Penetration Testing, Rules of Engagement and Vulnerability Scanning
37 pages
Pen Testing Assignment
No ratings yet
Pen Testing Assignment
4 pages
Security testing
No ratings yet
Security testing
6 pages
unit 3 hs pdf
No ratings yet
unit 3 hs pdf
11 pages
VAPT Methodology Report
No ratings yet
VAPT Methodology Report
3 pages
General SIEM Q
No ratings yet
General SIEM Q
12 pages
Vulnerability Scanner For Os
No ratings yet
Vulnerability Scanner For Os
6 pages
Cysa+ Cs0-002 Exam Topics Notes: 1.0 Threat and Vulnerability Management
No ratings yet
Cysa+ Cs0-002 Exam Topics Notes: 1.0 Threat and Vulnerability Management
15 pages
Vulnerability Assessment Sro en 240617190214 67a6a703
No ratings yet
Vulnerability Assessment Sro en 240617190214 67a6a703
3 pages
chapter 3
No ratings yet
chapter 3
10 pages
Additional Task 2
No ratings yet
Additional Task 2
9 pages
CompTIA PenTest+ Exam Summary
No ratings yet
CompTIA PenTest+ Exam Summary
15 pages
Active Testing
No ratings yet
Active Testing
9 pages
pt0-002-05
No ratings yet
pt0-002-05
33 pages
cs0-003 Lesson 05
No ratings yet
cs0-003 Lesson 05
50 pages
Penetration Test Summary Project
No ratings yet
Penetration Test Summary Project
6 pages
CyberPWN - Application Security Services - 2020
No ratings yet
CyberPWN - Application Security Services - 2020
37 pages
UAD Plug-Ins Manual
No ratings yet
UAD Plug-Ins Manual
19 pages
Reference-1 (1)
No ratings yet
Reference-1 (1)
6 pages
4 Penetration Testing Proposal (Contract:Scope of Work (SoW) )
No ratings yet
4 Penetration Testing Proposal (Contract:Scope of Work (SoW) )
1 page
2.MICRO SYLLABUS - PAVT.v3 (VR20)
No ratings yet
2.MICRO SYLLABUS - PAVT.v3 (VR20)
3 pages
PGDIS Synopsis final
No ratings yet
PGDIS Synopsis final
16 pages
Penetration Testing Presentation
50% (2)
Penetration Testing Presentation
15 pages
Unit 5
No ratings yet
Unit 5
4 pages
Presnted by Ashwani (09IT16) Navneet (09IT48)
No ratings yet
Presnted by Ashwani (09IT16) Navneet (09IT48)
21 pages
pt0 002 02
No ratings yet
pt0 002 02
24 pages
His 06 2013
No ratings yet
His 06 2013
15 pages
Dec2008 Testing Assessment SP800 115
No ratings yet
Dec2008 Testing Assessment SP800 115
8 pages
Nufuzetme 1
No ratings yet
Nufuzetme 1
6 pages
Web Application VA_PT First Report_Sample
No ratings yet
Web Application VA_PT First Report_Sample
14 pages
Sample_Web_Application_Penetration_Testing_Report_v1.0
No ratings yet
Sample_Web_Application_Penetration_Testing_Report_v1.0
29 pages
no.ntnu_inspera_111604085_111608655
No ratings yet
no.ntnu_inspera_111604085_111608655
132 pages
Vulnerability Assessment Best Practices
100% (1)
Vulnerability Assessment Best Practices
25 pages
Penetration Testing Fundamentals-2: Penetration Testing Study Guide To Breaking Into Systems
From Everand
Penetration Testing Fundamentals-2: Penetration Testing Study Guide To Breaking Into Systems
Devi Prasad
No ratings yet
Practical Pentesting Guide: Preparation for Certification and Ethical Hacking
From Everand
Practical Pentesting Guide: Preparation for Certification and Ethical Hacking
Evan Blake
No ratings yet
Practical Guide to Penetration Testing: Breaking and Securing Systems
From Everand
Practical Guide to Penetration Testing: Breaking and Securing Systems
Peter Johnson
No ratings yet
Review of JIRA Integration Micro Service
No ratings yet
Review of JIRA Integration Micro Service
3 pages
ITS332 Final Report
0% (1)
ITS332 Final Report
14 pages
Os Lab
No ratings yet
Os Lab
4 pages
f5 Microsoft Remote Desktop Services DG
No ratings yet
f5 Microsoft Remote Desktop Services DG
29 pages
Database Constraints: What Are Keys?
No ratings yet
Database Constraints: What Are Keys?
8 pages
AZ-104T00-Microsoft-Azure-Administrator
No ratings yet
AZ-104T00-Microsoft-Azure-Administrator
2 pages
C To Connect MySql
No ratings yet
C To Connect MySql
3 pages
P - S4FIN - 1709.pdf-10 Question PDF
No ratings yet
P - S4FIN - 1709.pdf-10 Question PDF
5 pages
DEV-C++ and OPENGL (For MS Windows 98/NT/2000/XP) : Installation
No ratings yet
DEV-C++ and OPENGL (For MS Windows 98/NT/2000/XP) : Installation
4 pages
Working With Shared Libraries - Beginning Jenkins Blue Ocean - Create Elegant Pipelines With Ease
No ratings yet
Working With Shared Libraries - Beginning Jenkins Blue Ocean - Create Elegant Pipelines With Ease
11 pages
SW Reengineering
No ratings yet
SW Reengineering
40 pages
Rdbms Unit 2
No ratings yet
Rdbms Unit 2
24 pages
Fulltext01 3 PDF
No ratings yet
Fulltext01 3 PDF
61 pages
GSW 5.1 Options Pack Installation Card
No ratings yet
GSW 5.1 Options Pack Installation Card
12 pages
Cse 3-2 Cs & Syllabus - Ug - r20
No ratings yet
Cse 3-2 Cs & Syllabus - Ug - r20
93 pages
Department of Information Technology: Question Bank
No ratings yet
Department of Information Technology: Question Bank
14 pages
SAP - BAdI Concept
No ratings yet
SAP - BAdI Concept
34 pages
Sim - KNX: Serial Interface For KNX
No ratings yet
Sim - KNX: Serial Interface For KNX
2 pages
Build and Deploy A Microservice With Kubernetes - TechTarget
No ratings yet
Build and Deploy A Microservice With Kubernetes - TechTarget
8 pages
SISBUSI Notes
No ratings yet
SISBUSI Notes
3 pages
Human Resources Management/ Talent Acquisition: Profile Summery
No ratings yet
Human Resources Management/ Talent Acquisition: Profile Summery
3 pages
IBM Data Analyst
No ratings yet
IBM Data Analyst
2 pages
AWS Lambda
No ratings yet
AWS Lambda
6 pages
What Is Second Level User Authentication and How It Is Going To Add Security To Dbankonline Customer Account
No ratings yet
What Is Second Level User Authentication and How It Is Going To Add Security To Dbankonline Customer Account
8 pages
Enpm685 PRJ1
No ratings yet
Enpm685 PRJ1
5 pages
Report To MS Word Powershell
100% (1)
Report To MS Word Powershell
9 pages
PCI TSP Requirements v1
No ratings yet
PCI TSP Requirements v1
92 pages

HOD402_Pentesting_Reference-v1

Uploaded by

HOD402_Pentesting_Reference-v1

Uploaded by

HOD402

A Reference for Pentesting Process

o Target system: app, site, database, infrastructure …

4. Timeline: milestones chart , Gantt chart …

5. Legal and Compliance:

o Regulatory Compliance Considerations

o Service-level agreement (SLA), Conﬁdentiality, Statement of work (SOW), Master

6. Rules of Engagement Document

7. Team and members

8. Written Agreement (Agreement/Contract):

o Include some or all of items 1.1 to 1.7

o Responsibilities of each party.

o Process for handling critical vulnerabilities.

9. Detailed Planning: Create a detailed project plan document, including:

o Project phases (information gathering, analysis, exploitation, reporting).

o Speciﬁc schedule for each phase.

o Task assignments for each team member.

o List of tools to be used.

o Communication and progress reporting methods.

Phase 2: Information Gathering (Reconnaissance)

1. Identify Assets and Activities

2. Identify Threats by a threat modeling

3. Performing Passive Reconnaissance

4. Performing Active Reconnaissance

Phase 3: Vulnerability Analysis

1. Exploiting Network-Based Vulnerabilities

2. Exploiting Wireless Vulnerabilities

3. Exploiting Application-Based Vulnerabilities

4. Exploiting cloud, mobile and IoT systems

You might also like