## 1. Introduction to Ethical Hacking and Penetration Testing
- **Module Title**: Introduction to Ethical Hacking and Penetration Testing
- **Module Objective**: Explain the importance of methodological ethical hacking and penetration testing

| Topic Title | Topic Objective |
| --- | --- |
| Understanding Ethical Hacking and Penetration Testing | Explain the importance of ethical hacking and penetration testing. |
| Exploring Penetration Testing Methodologies | Explain different types of penetration testing methodologies and frameworks. |
| Building Your Own Lab | Configure a virtual machine for your penetration testing learning experience. |


## 1.1 Understanding Ethical Hacking and Penetration Testing

### 1.1.1 Overview

- The term **ethical hacker** describes a person who acts as an attacker and evaluates the security posture of a computer network for the purpose of minimizing risk. 
- The **NIST Computer Security Resource Center (CSRC)** defines a hacker as an “unauthorized user who attempts to or gains access to an information system.”
- The truth is that as an ethical hacker, you use the same tools to find vulnerabilities and exploit targets as do nonethical hackers. However, as an ethical hacker, you would typically report your findings to the vendor or customer you are helping to make the network more secure. You would also try to avoid performing any tests or exploits that might be destructive in nature.

- An ethical hacker’s goal is to analyze the security posture of a network’s or system’s infrastructure in an effort to identify and possibly exploit any security weaknesses found and then determine if a compromise is possible. This process is called security **penetration testing** or **ethical hacking**.


**TIP**: Hacking is NOT a Crime ([hackingisnotacrime.org](https://hackingisnotacrime.org)) is a nonprofit organization that attempts to raise awareness about the pejorative use of the term hacker. Historically, hackers have been portrayed as evil or illegal. Luckily, a lot of people already know that hackers are curious individuals who want to understand how things work and how to make them more secure.


### 1.1.2 Why Do We Need to Do Penetration Testing?
Penetration testing helps identify potential paths of compromise before attackers do.
- It evaluates the effectiveness of existing security defenses such as antivirus, firewalls, intrusion prevention systems (IPSs), and anti-malware.
- It assesses whether the right assets are being protected and if the defenses are adequate.
- Regular testing is necessary due to constant changes in networks and systems.
- Penetration testing ensures that security measures remain effective against evolving threats.

### 1.1.3 Lab - Researching PenTesting Careers

A good general reference to explore for descriptions of different job roles is The National Initiative for Cybersecurity Careers and Studies (NICCS) [Cyber Career Pathways Tool](https://niccs.cisa.gov/workforce-development/cyber-career-pathways-tool). It offers a visual way to discover and compare different job roles in our profession.


### 1.1.4 Threat Actors

Common types of threat actor (or malicious attacker):

- **Organized Crime**: Several years ago, the cybercrime industry took over the number-one spot, previously held by the drug trade, for the most profitable illegal industry. As you can imagine, it has attracted a new type of cybercriminal. Just as it did back in the days of Prohibition, organized crime goes where the money is. Organized crime consists of very well-funded and motivated groups that will typically use any and all of the latest attack techniques. Whether that is ransomware or data theft, if it can be monetized, organized crime will use it.

- **Hacktivists**: This type of threat actor is not motivated by money. Hacktivists are looking to make a point or to further their beliefs, using cybercrime as their method of attack. These types of attacks are often carried out by stealing sensitive data and then revealing it to the public for the purpose of embarrassing or financially affecting a target.

- **Nation-State Actors**: Cyber war and cyber espionage are two terms that fit into this category. Many governments around the world today use cyber attacks to steal information from their opponents and cause disruption. Many believe that the next Pearl Harbor will occur in cyberspace. That’s one of the reasons the United States declared cyberspace to be one of the operational domains that U.S. forces would be trained to defend.

- **Insider Threats**: An insider threat is a threat that comes from inside an organization. The motivations of these types of actors are normally different from those of many of the other common threat actors. Insider threats are often normal employees who are tricked into divulging sensitive information or mistakenly clicking on links that allow attackers to gain access to their computers. However, they could also be malicious insiders who are possibly motivated by revenge or money.


## 1.2 Exploring Penetration Testing Methodologies

The process of completing a penetration test varies based on many factors. The tools and techniques used to assess the security posture of a network or system also vary. The networks and systems being evaluated are often highly complex. Because of this, it is very easy when performing a penetration test to go off scope. This is where testing methodologies come in.

- **Why Do We Need to Follow a Methodology for Penetration Testing?**: As just mentioned, scope creep is one reason for utilizing a specific methodology; however, there are many other reasons. For instance, when performing a penetration test for a customer, you must show that the methods you plan to use for testing are tried and true. By utilizing a known methodology, you are able to provide documentation of a specialized procedure that has been used by many people.


### 1.2.3 Environmental Considerations

- **Network Infrastructure Tests**:
    - Focus on evaluating the security posture of the actual network infrastructure.
    - Includes switches, routers, firewalls, and supporting resources (AAA servers, IPSs).
    - May include penetration tests on wireless infrastructure.
    - Wireless security testing involves bypassing security mechanisms or breaking cryptographic methods.
    - Helps determine weaknesses in wireless deployment and exposure.
    - Often includes a detailed heat map of wireless signal coverage, showing how far the signal extends beyond the intended area.

- **Application-Based Tests**:
    - This type of pen testing focuses on testing for security weaknesses in enterprise applications.
    - These weaknesses can include but are not limited to misconfigurations, input validation issues, injection issues, and logic flaws.
    - Because a web application is typically built on a web server with a back-end database, the testing scope normally includes the database as well.
    - However, it focuses on gaining access to that supporting database through the web application compromise.
    - A great resource that we mention a number of times in this book is the Open Web Application Security Project (OWASP).

- **Penetration Testing in the Cloud**:
    - Cloud service providers (CSPs) such as Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) have strict security and compliance responsibilities (for example, the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model)).
    - Cloud security responsibilities vary by service model: software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS).
    - For example: in IaaS, customers manage data, applications, runtime, middleware, VMs, containers, and OS in VMs.
    - Cloud security is a shared responsibility between the client and provider, detailed in contracts.
    - Contracts should address disaster recovery, SLAs, data integrity, and encryption.
    - Ensure CSPs have equivalent security layers (logical, physical, administrative) as on-premises services.
    - Understand CSP guidelines for security assessments and penetration testing.
    - Cloud data resides physically somewhere; CSPs should commit to required security levels.
    - AWS provides specific guidelines for penetration testing: [AWS Penetration Testing Policy](https://docs.aws.amazon.com/security/latest/developerguide/penetration-testing.html).


I have included different bug bounty tips and resources in my GitHub repository at: [Bug Bounty Tips and Information](https://github.com/The-Art-of-Hacking/h4cker/tree/master/bug-bounties).


When talking about penetration testing methods, you are likely to hear the terms **unknown-environment** (previously known as black-box), **known-environment** (previously known as white-box), and **partially known environment** (previously known as gray-box) testing. These terms are used to describe the perspective from which the testing is performed, as well as the amount of information that is provided to the tester:

- **Unknown-Environment Testing**: In an unknown-environment penetration test, the tester is typically provided only a very limited amount of information. For instance, the tester may be provided only the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester start out with the perspective that an external attacker might have. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information, and gain more and more information to use in attacks. The tester would not have prior knowledge of the target’s organization and infrastructure. Another aspect of unknown-environment testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This allows for a defense exercise to take place as well, and it eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

- **Known-Environment Testing**: In a known-environment penetration test, the tester starts out with a significant amount of information about the organization and its infrastructure. The tester would normally be provided things like network diagrams, IP addresses, configurations, and a set of user credentials. If the scope includes an application assessment, the tester might also be provided the source code of the target application. The idea of this type of test is to identify as many security holes as possible. In an unknown-environment test, the scope may be only to identify a path into the organization and stop there. With known-environment testing, the scope is typically much broader and includes internal network configuration auditing and scanning of desktop computers for defects. Time and money are typically deciding factors in the determination of which type of penetration test to complete. If a company has specific concerns about an application, a server, or a segment of the infrastructure, it can provide information about that specific target to decrease the scope and the amount of time spent on the test but still uncover the desired results. With the sophistication and capabilities of adversaries today, it is likely that most networks will be compromised at some point, and a known-environment (white-box) approach is not a bad option.

- **Partially Known Environment Testing**: A partially known environment penetration test is somewhat of a hybrid approach between unknown- and known-environment tests. With partially known environment testing, the testers may be provided credentials but not full documentation of the network infrastructure. This would allow the testers to still provide results of their testing from the perspective of an external attacker’s point of view. Considering the fact that most compromises start at the client and work their way throughout the network, a good approach would be a scope where the testers start on the inside of the network and have access to a client machine. Then they could pivot throughout the network to determine what the impact of a compromise would be.
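Whatever the testing perspective, the rules of engagement fix what is in scope (for an unknown-environment test, often just a list of domain names and IP addresses), and going off scope is the failure the methodology discussion above warns about. The following Python is an added example, not course material: it parses a constructed scope list and refuses any target that is not covered before a test is run. The rule syntax (one entry per line, `!` prefix for an excluded address or range, `*.` prefix for a subdomain wildcard) is my own assumption, not a standard format.

```python
"""Scope guard: accept only targets the rules of engagement authorize.
Constructed example; the rule syntax below is an assumption, not a standard."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    networks: list = field(default_factory=list)    # authorized IP networks
    exclusions: list = field(default_factory=list)  # networks never to touch
    domains: set = field(default_factory=set)       # "example.com" or "*.lab.example.com"


def parse_scope(lines):
    """Build a Scope from lines such as '10.0.0.0/24', '!10.0.0.1', '*.lab.example.com'."""
    scope = Scope()
    for raw in lines:
        item = raw.split("#", 1)[0].strip().lower()  # drop comments and whitespace
        if not item:
            continue
        excluded = item.startswith("!")
        item = item.lstrip("!")
        try:  # a single address becomes a /32 (or /128) network
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            net = None
        if net is not None:
            (scope.exclusions if excluded else scope.networks).append(net)
        elif excluded:
            raise ValueError("only IP exclusions are supported: " + raw)
        else:
            scope.domains.add(item)
    return scope


def in_scope(scope, target):
    """True only if target is an authorized, non-excluded address or hostname."""
    target = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in scope.exclusions):
            return False  # exclusions win over any matching range
        return any(addr in net for net in scope.networks)
    for dom in scope.domains:  # hostname: exact match or wildcard on a parent domain
        if dom.startswith("*.") and target.endswith(dom[1:]):
            return True
        if target == dom:
            return True
    return False


def split_targets(scope, targets):
    """Partition candidate targets into (allowed, rejected) before testing starts."""
    allowed = [t for t in targets if in_scope(scope, t)]
    return allowed, [t for t in targets if t not in allowed]
```

The exclusion list is checked before the allow list so that a management host inside an authorized range stays off limits, which is the usual shape of a rules-of-engagement document.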



### 1.2.5 Surveying Different Standards and Methodologies
There are a number of penetration testing methodologies that have been around for a while and continue to be updated as new threats emerge.
The following is a list of some of the most common penetration testing methodologies and other standards:

- **MITRE ATT&CK**:
    - The MITRE ATT&CK framework (https://attack.mitre.org) is an amazing resource for learning about an adversary’s tactics, techniques, and procedures (TTPs). Both offensive security professionals (penetration testers, red teamers, bug hunters, and so on) and incident responders and threat hunting teams use the MITRE ATT&CK framework today.
    - The MITRE ATT&CK framework is a collection of different matrices of tactics, techniques, and subtechniques. These matrices, including the Enterprise ATT&CK Matrix, Network, Cloud, ICS, and Mobile, list the tactics and techniques that adversaries use while preparing for an attack, including gathering of information (open-source intelligence [OSINT], technical and people weakness identification, and more) as well as different exploitation and post-exploitation techniques. You will learn more about MITRE ATT&CK throughout this course.

- **OWASP Web Security Testing Guide (WSTG)**:
    - The OWASP Web Security Testing Guide (WSTG) is a comprehensive guide focused on web application testing. It is a compilation of many years of work by OWASP members.
    - OWASP WSTG covers the high-level phases of web application security testing and digs deeper into the testing methods used. For instance, it goes as far as providing attack vectors for testing cross-site scripting (XSS), XML external entity (XXE) attacks, cross-site request forgery (CSRF), and SQL injection attacks, as well as how to prevent and mitigate these attacks.
    - You will learn more about these attacks in Module 6, “Exploiting Application-Based Vulnerabilities.”
    - From a web application security testing perspective, OWASP WSTG is the most detailed and comprehensive guide available.
    - You can find the OWASP WSTG and related project information at https://owasp.org/www-project-web-security-testing-guide/.

- **NIST Special Publication (SP) 800-115**:
    - Special Publication (SP) 800-115 is a document created by the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce.
    - NIST SP 800-115 provides organizations with guidelines on planning and conducting information security testing.
    - It superseded the previous standard document, SP 800-42.
    - SP 800-115 is considered an industry standard for penetration testing guidance and is called out in many other industry standards and documents.
    - You can access NIST SP 800-115 at https://csrc.nist.gov/publications/detail/sp/800-115/final.

- **Open Source Security Testing Methodology Manual (OSSTMM)**:
    - The Open Source Security Testing Methodology Manual (OSSTMM), developed by Pete Herzog, has been around a long time. Distributed by the Institute for Security and Open Methodologies (ISECOM), the OSSTMM is a document that lays out repeatable and consistent security testing (https://www.isecom.org). It is currently in version 3, and version 4 is in draft status. The OSSTMM has the following key sections:
        - Operational Security Metrics
        - Trust Analysis
        - Work Flow
        - Human Security Testing
        - Physical Security Testing
        - Wireless Security Testing
        - Telecommunications Security Testing
        - Data Networks Security Testing
        - Compliance Regulations
        - Reporting with the Security Test Audit Report (STAR)

- **Penetration Testing Execution Standard (PTES)**:
    - The Penetration Testing Execution Standard (PTES) (http://www.pentest-standard.org) provides information about types of attacks and methods, and it provides information on the latest tools available to accomplish the testing methods outlined. PTES involves seven distinct phases:
        - Pre-engagement interactions
        - Intelligence gathering
        - Threat modeling
        - Vulnerability analysis
        - Exploitation
        - Post-exploitation
        - Reporting

- **Information Systems Security Assessment Framework (ISSAF)**:
    - The Information Systems Security Assessment Framework (ISSAF) is another penetration testing methodology similar to the others on this list with some additional phases. ISSAF covers the following phases:
        - Information gathering
        - Network mapping
        - Vulnerability identification
        - Penetration
        - Gaining access and privilege escalation
        - Enumerating further
        - Compromising remote users/sites
        - Maintaining access
        - Covering the tracks

### 1.2.6 Lab - Compare Pentesting Methodologies


