Corporate pentest methodology

MethodologyThis is not going to be the usual methodology (identification, assessment, exploitation, analysis) but more how I currently get from receiving a “scope of works” to the final report. Hopefully this will be useful to someone not yet in the industry by showing them what needs to be done every job. If you are getting a pentest and are not sure what to expect perhaps this will give you an insight into what happens behind the scenes.

It all starts with me recieving a document called a “scope of work”. All this is is a document with the client name, URL’s and IP’s that need testing, name of the company and customer along with contact details.

I Mostly do web application security so this document is my methodology on performing a web application assessment.

Before

Check target accessible

A simple thing, connect to the company VPN and visit the URL’s – Just to make sure you can access them, that the web applications are working correctly, perhaps click a few links just to browse around a little and get a feel of the application. NO testing should happen yet or payloads entered.

Ring client

Call the client before starting the test. Ask the client any pertinent questions, areas of concern, reasons for wanting the test. If loading the links didn’t work initially now is the time to let the client know. If there is anything specific they want you test for or specific areas. Now is also a good time to let them know when to expect the report and ask if they would like notifying of critical vulnerabilities as they are discovered. The client may ask for daily wash-up calls, so best times for these can also be discussed now. This doesn’t have to be a long call, it depends on the client, sometimes it only takes 20 mins, sometimes more.

Set up environment

Now that the call is over you can relax. Time to load your pentest VM,create a folder for the job, load up the tools needed and double check the VPN is active. make sure your browser is proxied through burp to capture all traffic and logs are being stored to the job folder.

Create report template

This is fairly self explanatory, if you have a report template now is the time to create it, fill in all the details you can such as the client name and company name, fill in all of the little bits like URL’s and IP’s tested. Make space for the issues and executive summary etc.

During

Screenshots and notes

While testing it is best to take screenshots and record your findings as you discover them. Find XSS, press “printscreen” and move it into the job’s folder. They can be tidied up in photoshop later, but recording findings as they are found saves you from having to remember everything and do all of this later and lets you keep pace testing.

Report as going

Admittedly I am in the bad habit of doing this at the end of the test, cleaning up the screenshots and putting the notes into issues in the report. However this is something that should be done as you are going. The issue I have with this is it breaks up the test too often and I forget what I was doing. But if you can do this it will make the end of the test much quicker and easier.

Ring client if crit

This is only necessary if the client said they wanted notification of critical vulnerabilities on the first phone call. If it wasn’t discussed then I would recommend doing it just as a courtesy, hopefully the client will appreciate this. This will prepare them for whats to come in the report.

After

Send for QA

Now the test is done, all the information gathered and report written it’s time for QA. The method for this process is different for every company but it pretty much boils down to the same thing. a team member writes notes on whats wrong whilst making minor changes such as spelling, grammar etc.

Email client & others

Once I have the report back from QA and have made all the necessary changes it’s time to send it to the client. Often your team leader and sales would like to be notified of this so they can mark the job as closed and bill the client.

That’s all

I hope this helps someone. If you are looking to get into pentesting I would recommend learning this as it is what you are likely to be doing most weeks, sometimes two times a week. If you are having a pentest done I hope this gives you an insight into a small part that goes on behind the scenes.

As I have said before this varies massively between companies, some have more procedures and stricter controls, some much laxer, but I think the general parts most companies adhere to are here.

If there is anything missing or anything you think will improve the process I would love to hear from you. also if your company does stuff differently I’d be interested to know the differences.

Leave a Reply