Security Assessment

PENETRATION TEST EXTERNAL OPEN-SOURCE META DATA IDENTITY COLLECTION

This task identifies the entity’s risk exposure to publicly available identity-based metadata pertaining to its users past and present. This information provides attackers insight to valid usernames, valid email addresses and format, applications in use, and associated users with business function. Using these collected data points, the attacker can more effectively form password spraying and spear phishing attacks against the target entity MITRE ATT&CK ID: T1589. The Pen Test team will use active and passive reconnaissance techniques to acquire relevant and actionable information where possible.

• Tools that can be used for this task.
  SimplyEmail - not currently supported tool.
  FOCA
  theHarvester - built-in to Kali.

PENETRATION TEST EXTERNAL SPEAR PHISHING ATTEMPT

This task assesses the entity’s ability to react to a simulated threat actor directed spear phishing campaign derived from data collected via public/open sources only.

• Tools that can be used for this task.
  Attack simulation training M365

PENETRATION TEST EXTERNAL PASSWORD GUESSING ACTIVITIES

This task simulates a threat actor’s ability to derive logon credentials while external to the entity network using brute force techniques MITRE ATT&CK ID T1110 including password spraying and password guessing. This process can include informed guessing via resources such as vendor documentation, key phrases on public websites, common passwords, and password dumps from public sources.

• Tools that can be used for this task.
  Spray365
  GoMapEnum

PENETRATION TEST EXTERNAL UNDECLARED HOSTS/NETWORKS

This task simulates a threat actor’s attempt to gather information about the victim's networks as part of their pre-attack, targeting phase MITRE ATT&CK ID: T1590. To validate the entity’s knowledge and documentation of allocation assets/networks, a comparison of network exposures in the pre-attack phase is compared to the entity Data Call provided prior to assessment start date.

• Tools that can be used for this task.
  Amass
  DNSRecon

PENETRATION TEST EXTERNAL HIGH-RISK SERVICE EXPOSURE DETECTION

This task assesses the entity's exposure of insecure services to the internet MITRE ATT&CK ID: T1557. Using results from various service analysis techniques of in-scope and undeclared assets.

Periodically run an all ports NMAP scan

nmap -vv -O -sV -sC -sT -Pn -p 0-65535 --script http-methods --script-args http.useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" --open --min-hostgroup 256 --min-parallelism 32 --stylesheet=https://svn.nmap.org/nmap/docs/nmap.xsl -oA entity.name_external_allports -iL /path/to/subnetfile.txt --excludefile /path/to/exclusionfile.txt

PENETRATION TEST EXTERNAL HOST MANAGEMENT SERVICE DETECTION

This task identifies poorly secured host management services and web application administrative interfaces exposed to the internet MITRE ATT&CK ID: T1219.

Periodically run an all ports NMAP scan, see TASK 16.6 for NMAP command

PENETRATION TEST EXTERNAL WEB APPLICATION MISCONFIGURATIONS AND EXPOSURES

This task identifies and probes selected in-scope and undeclared external websites and web applications to determine potential attack opportunities MITRE ATT&CK ID: T1190. Research and analysis are conducted to identify exploits and misconfigurations, achieve unauthorized access, detect non-public data exposure, and/or obtain unauthorized remote host access.

• Tools that can be used for this task.
  Eyewitness
  Burpsuite
  ZAP Proxy

PENETRATION TEST EXTERNAL EXECUTION OF MALICIOUS CODE ON CONTROLLED HOST

The successful exploitation of hosts or services operated, controlled, or provided via 3^rd party to the entity. Exploitation of hosts must occur via the introduction of malicious code execution MITRE ATT&CK ID: T1204.002 or host misconfiguration MITRE ATT&CK ID: T1574.

• Tools that can be used for this task.
  Atomic Red Team
  Mitre Caldera
  PowerShell Empire
  Sliver

PENETRATION TEST INTERNAL PASSWORD GUESSING, SPRAYING, AND DEFAULT CREDENTIAL DETECTION

This task addresses two unique methods of obtaining passwords – password guessing and password spraying. Password spraying is the process of using informed knowledge such as acquired usernames in combination with common password dictionaries or common entity terminology to guess a username/password combination using brute force techniques MITRE ATT&CK ID T1110. Default credential testing, when password guessing, utilizes well-known, often public information from application/hardware manufactures installation manuals to inform password guessing attempts on the targeted application/host MITRE ATT&CK ID T1078.

• Tools that can be used for this task.
  Spray
  DomainPasswordSpray

PENETRATION TEST INTERNAL CREDENTIAL HASH CAPTURE AND CRACKING

This task will assess the entity’s risk exposure to Man-in-the-Middle authenticator hash capture MITRE ATT&CK ID: T1040, hash harvesting from exploited hosts MITRE ATT&CK ID: T1003, and extraction of authenticator hashes from network directory services MITRE ATT&CK ID: T1558.003. Captured hashes will be subjected to offline cracking attempts using dictionary and brute force attack methods for a period not to exceed the assessment period to assess cracking resistance MITRE ATT&CK ID: T1110.

• Tools that can be used to capture hashes.
  Responder
  Inveigh

• Tools that can be used to crack hashes.
  John the Ripper
  Hashcat

Password lists

• Tools that can be used for this task.
  Password Lists

PENETRATION TEST INTERNAL USE OF INSECURE HOST MANAGEMENT SERVICES

This task attempts to identify any management service/interface that allows unencrypted access, weak encryption services, utilizes well-known community strings, or can be exploited using remote code execution methods places the entity at enhanced risk MITRE ATT&CK ID: T1219.

Periodically run an all ports NMAP scan

nmap -vv -O -sV -sC -sT -p 0-65535 --script http-methods --script-args http.useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36" --open --min-hostgroup 256 --min-parallelism 32 --stylesheet=https://svn.nmap.org/nmap/docs/nmap.xsl -oA entity.name_internal_allports -iL /path/to/subnetfile.txt --excludefile /path/to/exclusionfile.txt

PENETRATION TEST INTERNAL WEB SITE/APPLICATION RISKS

This task identifies and probes selected in-scope and undeclared, internal websites and web applications to determine potential attack opportunities MITRE ATT&CK ID: T1190. Research of web risks and analysis are conducted to identify exploits and misconfigurations, achieve unauthorized access, detect non-public data exposure, or obtain unauthorized remote host access.

• Tools that can be used for this task.
  Eyewitness
  Burpsuite
  ZAP Proxy

PENETRATION TEST INTERNAL WIRELESS NETWORK BREACH RESISTANCE

This task assesses the entity’s protection of their wireless access at the network perimeter. The successful breach of a wireless network requires the capture of the 4-way handshake between any client and access point. This data provides a hash value of the credentials required for authentication. Once captured, a series of dictionary and brute force attacks on the hash can be performed to attempt to crack the password.

• Tools that can be used for this task.
  Airgeddon
  Wifi Pineapple

PENETRATION TEST INTERNAL EXECUTION OF MALICIOUS CODE ON CONTROLLED HOST

The successful exploitation of hosts or services operated, controlled, or provided via 3^rd party to the entity. Exploitation of hosts must occur via the introduction of malicious code execution MITRE ATT&CK ID: T1204.002 or host misconfiguration MITRE ATT&CK ID: T1574.

• Tools that can be used for this task.
  Kali Image
  Manidant Commando Atomic Red Team
  Mitre Caldera
  PowerShell Empire
  Sliver

Vendor Notification

Subject: Request for Approval and Notification of Upcoming Security Assessment and Penetration Test

Dear [Third-Party Vendor Name],

As part of our ongoing commitment to ensuring the security and integrity of our platform, we are notifying you that our site will be undergoing a comprehensive security assessment, including penetration testing. This assessment will be conducted by [insert company name], an accredited third-party security firm, during the period from [insert start date] to [insert end date].

The testing will focus on the following sites and systems:  

* [Site/Platform 1] - [Brief description or URL]  
* [Site/Platform 2] – [Brief description or URL]  

We kindly request your formal approval to proceed with this testing. Additionally, if there are any specific restrictions, guidelines, or requirements related to conducting penetration tests on your platform or services, please provide the relevant documentation and protocols. This will enable us to ensure full compliance with your security policies and avoid any disruption to your services.

Should you require further information about the scope of the assessment or the testing methodologies, please do not hesitate to contact us. We look forward to your confirmation and any guidance you may provide.

Thank you for your prompt attention to this matter, and we appreciate your continued partnership in maintaining the security of our systems.

Best regards,
[Your Full Name]
[Your Job Title]
[Your Company Name]
[Your Contact Information]

Third Party Security Assessment Docs

SalesForce Security Assessment
SalesForce Security Assessment Agreement
Google Cloud Platform Acceptable Use Policy
Google Cloud Platform Terms of Service
AWS Customer Support Policy for Penetration Testing
Wordpress.com Security Assessment
Wordpress.com HackerOne Bug Bounty Program