Transcription of The Penetration Testing Execution Standard Documentation
1 The Penetration Testing ExecutionStandard DocumentationRelease PTES TeamApr 12, 2022 Contents1 The Penetration Testing Execution Level Organization of the Standard ..32 Pre-engagement .. to Scope .. for Time Estimation .. Meeting .. Support Based on Hourly Rate .. Questions .. Creep .. Start and End Dates .. Specify IP Ranges and Domains .. Dealing with Third Parties .. Define Acceptable Social Engineering Pretexts .. DoS Testing .. Payment Terms .. Goals .. Establish Lines of Communication .. Emergency Contact Information .. Rules of Engagement .. Capabilities and Technology in Place ..183 Intelligence.
2 Gathering .. Selection .. Gathering .. Protection Mechanisms ..354 Threat .. Asset Analysis .. Process Analysis .. Agents/Community Analysis .. Capability Analysis .. Modeling .. relevant news of comparable Organizations being compromised ..435 Vulnerability ..516 .. Strike .. Exploitation Avenue .. Exploits .. Angle .. Avenues of Attack .. Objective ..597 Post .. of Engagement .. Analysis .. Value/Profile Targets .. Exfiltration .. Penetration Into Infrastructure ..748 .. Structure .. Executive Summary .. Report ..779 PTES Technical Required .. Gathering .. Analysis .. Exploitation.
3 Tools developed .. 19310 : What is this Penetration Testing Execution Standard ? .. : Who is involved with this Standard ? .. : So is this a closed group or can I join in? .. : Is this going to be a formal Standard ? .. : Is the Standard going to include all possible pentest scenarios? .. : Is this effort going to standardize the reporting as well? .. : Who is the intended audience for this Standard /project? .. : Is there a mindmap version of the original sections? .. 22711 Media22912 Indices and tables231iiiivThe Penetration Testing Execution Standard Documentation , Release :Contents1 The Penetration Testing Execution Standard Documentation , Release Penetration Testing Execution High Level Organization of the StandardFork Disclaimer: Note that this is an unofficial fork, the goal for which is to experiment with an alternative platformfor the Standard .
4 The official PTES can be located at Penetration Testing Execution Standard consists of seven (7) main sections. These cover everything related to apenetration test - from the initial communication and reasoning behind a pentest, through the intelligence gatheringand threat modeling phases where testers are working behind the scenes in order to get a better understanding of thetested organization, through vulnerability research, exploitation and post exploitation, where the technical securityexpertise of the testers come to play and combine with the business understanding of the engagement, and finally tothe reporting, which captures the entire process, in a manner that makes sense to the customer and provides the mostvalue to version can be considered a as the core elements of the Standard are solidified, and have been road tested for over a year through the industry.
5 A is in the works soon, and will provide more granular work in terms of levels - as in intensity levels at which each of the elements of a Penetration test can be performed at. As no pentestis like another, and Testing will range from the more mundane web application or network test, to a full-on red teamengagement, said levels will enable an organization to define how much sophistication they expect their adversary toexhibit, and enable the tester to step up the intensity on those areas where the organization needs them the most. Someof the initial work on levels can be seen in the intelligence gathering are the main sections defined by the Standard as the basis for Penetration Testing Penetration Testing Execution Standard Documentation , Release the Standard does not provide any technical guidelines as far as how to execute an actual pentest, we have alsocreated a technical guide to accompany the Standard itself.
6 The technical gude can be reached via the link below: PTES Technical GuidelinesFor more information on what this Standard is, please visit: FAQ4 Chapter 1. The Penetration Testing Execution StandardCHAPTER2 Pre-engagement OverviewThe aim of this section of the PTES is to present and explain the tools and techniques available which aid in asuccessful pre-engagement step of a Penetration test. The information within this section is the result of the manyyears of combined experience of some of the most successful Penetration testers in the you are a customer looking for Penetration test we strongly recommend going to the General Questions section ofthis document.
7 It covers the major questions that should be answered before a test begins. Remember, a penetrationtest should not be confrontational. It should not be an activity to see if the tester can hack you. It should be aboutidentifying the business risk associated with and get maximum value, make sure the questions in this document are covered. Further, as the Scoping activityprogresses, a good Testing firm will start to ask additional questions tailored to your Introduction to ScopeDefining scope is arguably one of the most important components of a Penetration test, yet it is also one of the mostoverlooked. While many volumes have been written about the different tools and techniques which can be utilizedto gain access to a network, very little has been written on the topic which precedes the Penetration : to properly complete pre-engagement activities has the potential to open the Penetration tester (or his firm)to a number of headaches including scope creep, unsatisfied customers, and even legal troubles.
8 The scope of a projectspecifically defines what is to be tested. How each aspect of the test will be conducted will be covered in the Rules ofEngagement key component of scoping an engagement is outlining how the testers should spend their time. As an example, acustomer requests that one hundred IP addresses be tested for the price of $100,000. This means that the customer isoffering $1,000 per IP address tested. However, this cost structure only remains effective at that volume. A commontrap some testers fall into is maintaining linear costs throughout the Testing process. If the customer had only asked forone business-critical application to be tested at the same pricing structure ($1,000), while the tester will still be onlyattacking a single IP, the volume of work has increased dramatically.
9 It is important to vary costs based on work Penetration Testing Execution Standard Documentation , Release a firm can easily find themselves undercharging for their services, which motivates them to do a less thancomplete having a solid pricing structure, the process is not all black and white. It is not uncommon for a client tobe completely unaware of exactly what it is they need tested. It is also possible the client will not know how tocommunicate effectively what they re expecting from the test. It is important in the Pre-Engagement phase that thetester is able to serve as a guide through what may be uncharted territory for a customer. The tester must understandthe difference between a test which focuses on a single application with severe intensity and a test where the clientprovides a wide range of IP addresses to test and the goal is to simply find a way Metrics for Time EstimationTime estimations are directly tied to the experience of a tester in a certain area.
10 If a tester has significant experiencein a certain test, he will likely innately be able to determine how long a test will take. If the tester has less experiencein the area, re-reading emails and scan logs from previous similar tests the firm has done is a great way to estimate thetime requirement for the current engagement. Once the time to test is determined, it is a prudent practice to add 20%to the extra 20% on the back end of the time value is called padding. Outside of consultant circles, this is also referred toas consultant overhead. The padding is an absolute necessity for any test. It provides a cushion should any interruptionsoccur in the Testing . There are many events which commonly occur and hinder the Testing process.