I just want to ask you for a little aid and some of your time.
The point is that during my PhD study I am, among other things, working on a bridge from pentest results to risk management according to the ISO 27001 standard. For this, I would like to use (well, I need to use) a little statistics about the methodology that you are using for penetration testing. So my request is: if you can, post the methodology used by you.
For instance, I have been using OSSTMM since the first version (from 2001) till today (so currently I am working with OSSTMMv3).
Thanks for your time and responses.
Generally speaking, any and all methodologies used by a company and its employees are the intellectual property of said company, no matter how generic the methodology may be. It may be better to request this information from the companies themselves and include them in the study.
You should subscribe to the Security Focus mailing lists and ask there. You will find better suited answers.
The basic methodology I see used nearly everywhere is as follows (though each step may have a different name or slightly different activities or be divided slightly differently... kind of like programming: a loop is a loop is a loop even if the syntax is slightly different).
The following steps assume a zero starting knowledge assessment or penetration test.
1) Open Source Intelligence Gathering (OSI) - Google the company, google details of the company, check LinkedIn, domain dossier, DNS lookups, ARIN/RIPE/APNIC, etc. (Think about using FOCA, Maltego, etc.)
2) Reconnaissance - Based on your OSI results do some tests to see what machines are live in their IP/name space and see what basic services they might be offering. (Think about using nmap, amap, ike-scan, ping, whois, nslookup, host, etc)
3) Identification - Now that you know what machines are there try to identify specific services and OS versions etc. (Think about using nmap version scans w/ NSE, etc)
3a) Vulnerability Assessment - Now that you know what machines are there and what stuff is on them, then fire up some actual VA "scanners". (Think about using Nessus, OpenVAS, etc.)
3b) Vulnerability Research - Based on the info from steps 2 & 3 search Secunia and other vulnerability databases to identify issues which may impact the target's technologies etc. (This includes not only services/OS level stuff but also web apps, etc)
4) Vulnerability Exploitation - Now that you know what machines are there, what they're running, and what issues they might be vulnerable to... actually try to exploit said weaknesses.
Yep, true in that. I am a member of a few security teams and academic partnership programs, so I am going this way also. This was mainly intended to be a general statistic that can be used in the first chapter or even the abstract. That's why there is no specification required, only a general point of view. According to this, I need to thank all replies so far, because for that kind of general purpose even no answer is a good answer.
Originally Posted by Archangel-Amael
That's not entirely true. A lot of companies and groups are proud of using certified techniques or standards; of course, the actual detailed procedure is often their secret, but the basic approach is usually defined and publicly stated.
Originally Posted by crweedon