Things to remember:
1) You will need a letter from the individual or organization that asked you to pen test their infrastructure, stating that you are authorized to do so.
2) Being authorized to hack into their systems doesn't mean that you can damage systems or cause data loss. You should tell your customer to back up all data before the test starts, you have to define the types of attacks allowed, and you have to avoid destroying valuable targets.
3) Well, you have done your job, or at least you think you did. Pen testing isn't limited to penetrating a system: at the end of the job you have to produce a fully comprehensive report of all the steps that allowed you to gain access to the systems, the tools or methods you used, the level of control you reached, the possible risks and threats, and the consequent countermeasures to adopt in order to prevent some black hat from taking control of the system with not so good intentions :).
The following are the main sections that the standard defines as the basis for penetration testing execution:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
3:55 AM
Fabio