06 CLPT en EcC V1.2.2 20151119GP
Certified Lead Pen Test Professional
Exercises Form
© 2015 Parker Solutions Group, Sysca Consulting
Based on this information, determine and explain the three greatest advantages of implementing a programme of pro-active penetration testing. Also please explain how these benefits could be measured.
Advantage 1) Allows the identification of risks before incidents occur and allows the likelihood of the risk to be more accurately calculated. This will allow the organization to focus security efforts in the right areas based on proven scenarios.
How can the organization measure this advantage? Measuring security spending against risk, measuring the number of actual security incidents (which should reduce either in number or impact).
Advantage 2) Using pro-active penetration testing with suitable follow-ups will allow the organization to demonstrate compliance with key standards and legal requirements, e.g. PCI-DSS, ISO/IEC 27001, and Data Protection Legislation. This may also allow the organization to fulfil customer contractual requirements.
How can the organization measure this advantage? Results from compliance audits and successful certifications, contract wins based (at least partially) on security posture.
How can the organization measure this advantage? Number of incidents, severity of the impact of such incidents, ability to recover from incidents more quickly.
1. During the penetration test a member of the IT team requests your permission to use the notes you have collected and the raw scan results to conduct a case study exercise on penetration testing for their university studies. You have been assured that the information will be sanitized and that no vulnerability details will be shared externally.
Whilst the Lead Penetration Tester should wish to be helpful and encourage interest in the topic of security, these details should not simply be shared in this way. The IT team member should be advised that the report will be completed and circulated to the authorized recipients. They should speak with the authorized recipient about their intentions, and the recipient can make a decision on what can or should be shared. The Lead Penetration Tester is of course free to give advice and general information to the interested IT team member but must always be aware of the terms of engagement with the organization.
2. The client has contracted the penetration testing team to test, amongst other systems, a specific wireless network. According to the network design and architecture documents there is only one wireless network that belongs to the client in the building. You identify this network but also identify a number of other wireless networks which have SSIDs very similar to the client's name. You speak with the client's IT Manager and they tell you they know nothing about these other networks but ask that you test them anyway, as they want to know more about what these networks are and the levels of security they offer.
It would not be ethical simply to launch tests on the other wireless networks unless 1) the scope was adjusted and the authority to conduct these tests was documented and formally signed off by the organization, and 2) the organization can confirm that these networks are indeed owned by them or are attached to the corporate network (i.e. a rogue access point and not a wireless network belonging to an organization in a neighbouring building). Should the tester go ahead and perform such a test on a verbal instruction, they may end up accessing systems belonging to other organizations, which could be impacted and in the worst case could take legal action against the test team.
3. You identify during the testing that a number of servers appear to be running
unlicensed software. The IT Manager confirms that this is the case and advises
that the situation is due to budget constraints but that the software will be
correctly licensed as soon as the new annual budget is made available in the next
two months.
In this type of case, the penetration tester should usually alert the persons in charge of security, human resources and/or legal resources in the organization. Depending on the country's legislation this situation may be a compulsorily notifiable illegal act, and thus the penetration tester will be duty bound to report the situation to the authorities. It should be noted that the penetration tester is not an investigator (even if they have such skills) and it is not the role of the tester to investigate or gather further evidence.
The penetration tester must not base test plans on hearsay. The person probably has a score to settle with his former employer and therefore does not represent a reliable source of information. In addition, the documents in his possession are, no doubt, held in violation of his old work contract. In that case, the penetration tester should politely refuse his help. The penetration tester should report this situation to the client. It is the client's decision whether they wish to investigate the matter further. In terms of the testing, a professional penetration tester will carry out the tests according to the agreed and signed-off scope. If such security problems do exist, a professionally executed test will identify them.
6. Your client is an outsourcing company. You have been advised by the client's Head of IT, before the test of a specific system, that the testing has been commissioned upon the demands of their customer. The Head of IT has stated that the number of vulnerabilities in the report and their severity will affect whether their customer allows the new service to go live. She advises that failure to go live will cost the outsourcing company a significant sum of money.
You conduct the test of the system and find multiple serious vulnerabilities. Upon
reviewing the report the Head of IT states that she is not happy with the number
of “high” findings and that this will have a negative impact when it is shown to
their customer. She asks if you would be willing to create a separate report for
their customer which would not include some of the issues (which she believes
are irrelevant to the customer) and would show some of the issues in a less
serious light.
Whilst a professional penetration testing team must support its direct client, this does not allow any of the test team to create reports which are knowingly inaccurate, misleading or, at worst, fraudulent. It may be acceptable to create a "customer facing" report which is laid out in a more business-friendly manner; however, it would not be acceptable to hide findings or change risk ratings unless the test team genuinely believes that the original risk ratings were incorrect. If the penetration testing team were to meet the request in this scenario they would be leading an organization into a false sense of security, which at best is unethical and at worst could result in legal action being taken against the team in the event that an incident occurred relating to a finding they deliberately omitted or downplayed.
Exercise 3: Background Checking Service
Asset 1

| Risk scenarios | Threat | Vulnerability | Impacts | C I A |
| --- | --- | --- | --- | --- |
| #2 | Hacking attack against the background checking web application. | Poor corporate network security, single factor authentication, failure to identify key vulnerabilities within the application. | Loss/theft of key records, deletion of key records, system disruption. | X X X |
| #2 | External attack using the Outlook Web Access. | Outlook Web Access on the main Microsoft Exchange server is enabled with an internet facing URL; however, this is not protected or held in a clear DMZ. | An attack against the Microsoft OWA site could allow inbound access to all key corporate systems, leading to system outages, data theft and fraudulent activity. | X X X |
| #2 | Insiders from branch offices accessing the database and copying bulk data. | Access from branch offices not controlled, poor authentication controls, lack of logging, lack of clear authorization within the database. | Attack resulting in the theft of large volumes of personal data. Ongoing fraudulent activity. | X X |
An announced penetration test is conducted at a certain point in time and all key staff are aware of the test. This reduces the risk of false alarms (e.g. security incidents being identified and actions being taken) and allows those involved in monitoring systems to see if they can identify attacks etc.
An unannounced test is still authorized; however, key people may not be aware the test is taking place. One key purpose of this approach is to test the organization's ability to identify and address incidents such as cyber-attacks, social engineering etc. For example, when attempting to gain unauthorized access to a system, do the system administrators notice? If so, how do they react, and is the reaction successful and in line with policy? Could the organization really respond in the event of a real-world attack?
Exercise 5:
For the first test I would propose that this should be conducted to cover:
- An external test to identify if the DMZ and perimeter firewall can be compromised.
- An external test of the Outlook Web Access configuration to identify if this can be compromised, leading to further attack vectors.
- An external test of the core website and applications and the mobile applications, looking for application vulnerabilities.
- An internal test of the VM server and underlying platform to identify if the underlying platform can be compromised, leading to compromise of all VMs.
- An internal test from a sample of branch offices to test insider access to the main candidate database. The physical security of the branch offices could also be tested to identify if an individual could gain access to the premises and then easy access to the network.
- A social engineering test aimed at the helpdesk and some users to identify if credentials can be obtained (more sophisticated techniques could be applied once the organization had basic awareness of social engineering in place at an acceptable level).
Going forward, specific application tests and tests of network infrastructure could be conducted once the basic vulnerabilities are identified and defined.
Exercise 6: Mapping
In groups please map a public application such as www.pecb.org using all public resources.
In groups please map the attack surface and entry points of www.pecb.org using Burp Suite.
A more detailed Web Application Assessment is beyond the scope of this course, and a more specific Web Application Course will be delivered in the future to cover other more specific vulnerabilities.
In groups please consider some scenarios where you may use social engineering in a penetration test and explain the techniques you may use.
Using tools such as Google, Shodan and other public information sources, please find as much information as possible about PECB. In particular, can you identify:
1. A finding was raised because a Microsoft Windows server had over 12 months of patches missing.
Proposed action plan: Organise a formal change to apply all relevant patches and test accordingly.
2. A finding has been raised because the tester could boot an internal PC into Linux using a CD and then override local security settings. They could also steal the Windows SAM file and crack passwords offline.
Proposed action plan: Disable the ability to boot from the CD-ROM on the PC.
3. A finding has been raised because the tester could access resources on the local Citrix server by using the command line. The Citrix server was meant to host a specific application, and a standard user should not have access to the command line. Through this the tester (with a standard user logon account) managed to access a number of local files on the server which contained highly sensitive information.
Proposed action plan: Disable the command line on the local Citrix server.
4. A finding was raised because the penetration tester was able to obtain a number of passwords through social engineering. The tester made telephone calls to a number of users profiled through social networking sites; in the calls he posed as a member of IT support, stating that the passwords were required for emergency support work.
Proposed action plan: Send an email to all staff reminding them never to reveal passwords to anyone, including IT support.
5. Several findings were raised because the penetration tester was able to gain unauthorised access to a key office. Once in the building they were able to freely sit at a desk, connect their machine and conduct a number of activities such as sniffing local network traffic. During this sniffing exercise they captured credentials to a number of key systems. When accessing the building they reported to the main reception and claimed to be an IT support engineer. They were immediately sent to the relevant floor of the office. They were then allowed through the main door of the office by tailgating a member of staff who had a key fob access card.
Proposed action plan: Several actions have been proposed by the client:
- Implement a procedure where all visitors to the main reception are reported to a relevant contact in the office. The office contact will be required to collect the visitor from reception, hand them a visitor's badge, check their ID and escort them at all times.
Notes