Overview
- Different test types can differ in how much information we start with
- Blackbox provides the minimum of information to start with, such as external IP ranges and domains, and nothing more.
- Greybox provides an additional layer of information, maybe specific IPs, URLs, hostnames or subnets to focus on
- Whitebox provides a full disclosure. Could be full network topology diagrams, detailed configurations, admin credentials, source code
- Different environments also change how information can be gathered
- Some environments, like IoT or SCADA environments, are more fragile and cannot be scanned with automated tooling, as doing so could DoS the entire network.
- Cloud environments mean the cloud provider may also need to be notified, or may impose additional rules of engagement.
- Mobile devices could be corporate-owned or BYOD, which could be out of scope.
- During recon, it is important not to jump ahead at the first potential vulnerability discovered, but to ensure as much information as possible is gathered up front. This avoids losing time if exploitation of the first vuln fails, since there is no need to fall back into more recon.
- Pentests differ from CTFs in that a pentest is meant to be exhaustive. This stage should be much more meticulous and require more patience to ensure as much information is gathered up front before the exploitation phase starts. CTFs tend to immediately jump into the first vuln/exploit as time is of the essence.
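The environment points above (fragile IoT/SCADA segments that must not be scanned, BYOD devices that may be out of scope) are usually enforced by checking every candidate target against the rules of engagement before any active tooling is run. The following is an added example, not part of the original notes: a small scope guard that classifies each address as safe for active recon, passive/OSINT-only, or out of scope. The `Scope` class, the bucket names and the sample ranges (RFC 5737 documentation addresses) are constructed for illustration.

```python
# Added example (not part of the original notes): a scope guard run before
# any active recon tooling. It models the rules of engagement the notes
# describe: ranges the client authorised, fragile segments (IoT/SCADA) that
# must never be touched by automated scanners, and individual assets that
# are explicitly out of scope (e.g. BYOD mobile devices). All addresses are
# constructed sample data; the class and function names are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass
class Scope:
    in_scope: list    # networks the client authorised for testing
    no_active: list   # fragile segments: passive/OSINT only, no scanning
    excluded: list    # individual assets explicitly out of scope

    def __post_init__(self):
        # Normalise every entry to an ip_network so containment checks work
        # for single hosts (/32) and subnets alike.
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in self.in_scope]
        self.no_active = [ipaddress.ip_network(n, strict=False) for n in self.no_active]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in self.excluded]


def classify(scope: Scope, target: str) -> str:
    """Return 'active', 'passive-only' or 'out-of-scope' for one address.

    Evaluation order matters: an explicit exclusion wins over everything,
    a fragile segment downgrades the host to passive-only, and anything not
    covered by an in-scope range is out of scope by default (deny by default).
    """
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in scope.excluded):
        return "out-of-scope"
    if any(addr in net for net in scope.no_active):
        return "passive-only"
    if any(addr in net for net in scope.in_scope):
        return "active"
    return "out-of-scope"


def filter_targets(scope: Scope, targets):
    """Split a candidate target list into what each recon phase may touch."""
    buckets = {"active": [], "passive-only": [], "out-of-scope": []}
    for t in targets:
        buckets[classify(scope, t)].append(t)
    return buckets


# Constructed sample rules of engagement (RFC 5737 documentation ranges).
SAMPLE_SCOPE = Scope(
    in_scope=["203.0.113.0/24", "198.51.100.0/24"],
    no_active=["198.51.100.128/25"],   # e.g. a SCADA segment: OSINT only
    excluded=["203.0.113.77/32"],      # e.g. an employee's BYOD device
)

if __name__ == "__main__":
    candidates = ["203.0.113.10", "203.0.113.77", "198.51.100.200", "192.0.2.5"]
    for phase, hosts in filter_targets(SAMPLE_SCOPE, candidates).items():
        print(f"{phase}: {hosts}")
```

The deny-by-default ordering is the important design choice: a host that appears nowhere in the agreed ranges is treated as out of scope rather than fair game, and the fragile-segment list only ever downgrades a host, never upgrades it.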
Gathering
These are ordered (as closely as possible) from the least amount of access required to the most.
- OSINT - Passively finding information about an org using public sources
- Network Scanning - Actively scanning targets to gather information about active hosts, services, fingerprinting
- Service Enumeration - Actively investigating specific services discovered running on a target
- Host Enumeration - Recon that typically happens after initial access