## 1. Introduction to Ethical Hacking and Penetration Testing
- **Module Title**: Introduction to Ethical Hacking and Penetration Testing
- **Module Objective**: Explain the importance of methodological ethical hacking and penetration testing

| Topic Title | Topic Objective |
| --- | --- |
| Understanding Ethical Hacking and Penetration Testing | Explain the importance of ethical hacking and penetration testing. |
| Exploring Penetration Testing Methodologies | Explain different types of penetration testing methodologies and frameworks. |
| Building Your Own Lab | Configure a virtual machine for your penetration testing learning experience. |


## 1.1 Understanding Ethical Hacking and Penetration Testing

### 1.1.1 Overview

- The term **ethical hacker** describes a person who acts as an attacker and evaluates the security posture of a computer network for the purpose of minimizing risk. 
- The **NIST Computer Security Resource Center (CSRC)** defines a hacker as an “unauthorized user who attempts to or gains access to an information system.”
- The truth is that as an ethical hacker, you use the same tools to find vulnerabilities and exploit targets as nonethical hackers do. The difference is what you do with the results: as an ethical hacker, you report your findings to the vendor or customer you are helping so that they can make the network more secure, and you avoid any tests or exploits that might be destructive in nature.

- An ethical hacker’s goal is to analyze the security posture of a network’s or system’s infrastructure in an effort to identify and possibly exploit any security weaknesses found and then determine if a compromise is possible. This process is called security **penetration testing** or **ethical hacking**.


**TIP**: Hacking is NOT a Crime ( [hackingisnotacrime.org](https://hackingisnotacrime.org) ) is a nonprofit organization that attempts to raise awareness about the pejorative use of the term hacker. Historically, hackers have been portrayed as evil or illegal. Luckily, a lot of people already know that hackers are curious individuals who want to understand how things work and how to make them more secure.


### 1.1.2 Why Do We Need to Do Penetration Testing?
Penetration testing helps identify potential paths of compromise before attackers do.
- It evaluates the effectiveness of existing security defenses such as antivirus, firewalls, intrusion prevention systems (IPSs), and anti-malware.
- It assesses whether the right assets are being protected and if the defenses are adequate.
- Regular testing is necessary due to constant changes in networks and systems.
- Penetration testing ensures that security measures remain effective against evolving threats.

### 1.1.3 Lab - Researching PenTesting Careers

A good general reference to explore for descriptions of different job roles is The National Initiative for Cybersecurity Careers and Studies (NICCS) [Cyber Career Pathways Tool](https://niccs.cisa.gov/workforce-development/cyber-career-pathways-tool). It offers a visual way to discover and compare different job roles in our profession.


### 1.1.4 Threat Actors

Common types of threat actor (or malicious attacker):

- **Organized Crime**: By many estimates, cybercrime overtook the drug trade some years ago as the most profitable illegal industry, and as you can imagine, it has attracted a new type of cybercriminal. Just as it did back in the days of Prohibition, organized crime goes where the money is. Organized crime consists of very well-funded and motivated groups that will typically use any and all of the latest attack techniques. Whether that is ransomware or data theft, if it can be monetized, organized crime will use it.

- **Hacktivists**: This type of threat actor is not motivated by money. Hacktivists are looking to make a point or to further their beliefs, using cybercrime as their method of attack. These types of attacks are often carried out by stealing sensitive data and then revealing it to the public for the purpose of embarrassing or financially affecting a target.

- **Nation-State Actors**: Cyber war and cyber espionage are two terms that fit into this category. Many governments around the world today use cyber attacks to steal information from their opponents and cause disruption. Many believe that the next Pearl Harbor will occur in cyberspace. That’s one of the reasons the United States declared cyberspace to be one of the operational domains that U.S. forces would be trained to defend.

- **Insider Threats**: An insider threat is a threat that comes from inside an organization. The motivations of these types of actors are normally different from those of many of the other common threat actors. Insider threats are often normal employees who are tricked into divulging sensitive information or mistakenly clicking on links that allow attackers to gain access to their computers. However, they could also be malicious insiders who are possibly motivated by revenge or money.


## 1.2 Exploring Penetration Testing Methodologies

The process of completing a penetration test varies based on many factors. The tools and techniques used to assess the security posture of a network or system also vary. The networks and systems being evaluated are often highly complex. Because of this, it is very easy when performing a penetration test to go off scope. This is where testing methodologies come in.

- **Why Do We Need to Follow a Methodology for Penetration Testing?**: As just mentioned, scope creep is one reason for utilizing a specific methodology; however, there are many other reasons. For instance, when performing a penetration test for a customer, you must show that the methods you plan to use for testing are tried and true. By utilizing a known methodology, you are able to provide documentation of a specialized procedure that has been used by many people.


### 1.2.3 Environmental Considerations

- **Network Infrastructure Tests**: 
    - Focus on evaluating the security posture of the actual network infrastructure.
    - Includes switches, routers, firewalls, and supporting resources (AAA servers, IPSs).
    - May include penetration tests on wireless infrastructure.
    - Wireless security testing involves bypassing security mechanisms or breaking cryptographic methods.
    - Helps determine weaknesses in wireless deployment and exposure.
    - Often includes a detailed heat map of signal propagation, showing how far the wireless signal reaches beyond the intended coverage area.

- **Application-Based Tests**:
    - This type of pen testing focuses on testing for security weaknesses in enterprise applications.
    - These weaknesses can include but are not limited to misconfigurations, input validation issues, injection issues, and logic flaws.
    - Because a web application is typically built on a web server with a back-end database, the testing scope normally includes the database as well.
    - The focus, however, is on reaching that supporting database through a compromise of the web application rather than attacking the database directly.
    - A great resource that we mention a number of times in this book is the Open Web Application Security Project (OWASP).

- **Penetration Testing in the Cloud**:
    - Cloud service providers (CSPs) such as Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP) have strict security and compliance responsibilities (for example, see the [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model)).
    - Cloud security responsibilities vary by model: (software as a service [SaaS], platform as a service [PaaS], or infrastructure as a service [IaaS])
    - For example: in IaaS, customers manage data, applications, runtime, middleware, VMs, containers, and OS in VMs.
    - Cloud security is a shared responsibility between the client and provider, detailed in contracts.
    - Contracts should address disaster recovery, SLAs, data integrity, and encryption.
    - Ensure CSPs have equivalent security layers (logical, physical, administrative) as on-premises services.
    - Understand CSP guidelines for security assessments and penetration testing.
    - Cloud data resides physically somewhere; CSPs should commit to required security levels.
    - AWS provides specific guidelines for penetration testing: [AWS Penetration Testing Policy](https://docs.aws.amazon.com/security/latest/developerguide/penetration-testing.html).


I have included different bug bounty tips and resources in my GitHub repository at: [Bug Bounty Tips and Information](https://github.com/The-Art-of-Hacking/h4cker/tree/master/bug-bounties).


When talking about penetration testing methods, you are likely to hear the terms **unknown-environment** (previously known as black-box), **known-environment** (previously known as white-box), and **partially known environment** (previously known as gray-box) testing. These terms are used to describe the perspective from which the testing is performed, as well as the amount of information that is provided to the tester:

- **Unknown-Environment Testing**: In an unknown-environment penetration test, the tester is typically provided only a very limited amount of information. For instance, the tester may be provided only the domain names and IP addresses that are in scope for a particular target. The idea of this type of limitation is to have the tester start out with the perspective that an external attacker might have. Typically, an attacker would first determine a target and then begin to gather information about the target, using public information, and gain more and more information to use in attacks. The tester would not have prior knowledge of the target’s organization and infrastructure. Another aspect of unknown-environment testing is that sometimes the network support personnel of the target may not be given information about exactly when the test is taking place. This allows for a defense exercise to take place as well, and it eliminates the issue of a target preparing for the test and not giving a real-world view of how the security posture really looks.

- **Known-Environment Testing**:
In a known-environment penetration test, the tester starts out with a significant amount of information about the organization and its infrastructure. The tester would normally be provided things like network diagrams, IP addresses, configurations, and a set of user credentials. If the scope includes an application assessment, the tester might also be provided the source code of the target application. The idea of this type of test is to identify as many security holes as possible. In an unknown-environment test, the scope may be only to identify a path into the organization and stop there. With known-environment testing, the scope is typically much broader and includes internal network configuration auditing and scanning of desktop computers for defects. Time and money are typically the deciding factors in determining which type of penetration test to complete. If a company has specific concerns about an application, a server, or a segment of the infrastructure, it can provide information about that specific target to decrease the scope and the amount of time spent on the test but still uncover the desired results. With the sophistication and capabilities of adversaries today, it is likely that most networks will be compromised at some point, and a known-environment approach is not a bad option.

- **Partially Known Environment Testing**:
A partially known environment penetration test is a hybrid of the unknown- and known-environment approaches. With partially known environment testing, the testers may be provided credentials but not full documentation of the network infrastructure. This still allows the testers to report results from an external attacker's perspective. Considering that most compromises start at a client and work their way through the network, a good approach is a scope where the testers start inside the network with access to a client machine. They can then pivot throughout the network to determine what the impact of a compromise would be.
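Scope creep, mentioned at the start of this section, is easiest to prevent mechanically: whatever the testing perspective, every address or hostname a tool is about to touch should be checked against the rules of engagement first. The following is an added example, not from the course, of such a check in Python; the `SCOPE` rules, hostnames and addresses are constructed for illustration (documentation address ranges and fictional names). It handles IPv4 and IPv6 CIDR ranges, exact hostnames, wildcard domains, and an exclusion list that always overrides the include list.

```python
"""Rules-of-engagement scope check: refuse any target that is not inside the
agreed scope before a scanner or exploit touches it.

Added example, not course material. The SCOPE rules below are constructed
(documentation address ranges and fictional hostnames).
Supported rule forms: CIDR ranges (IPv4 or IPv6), exact hostnames and
wildcard domains such as *.corp.example.test. Exclusions always win.
"""
import ipaddress

SCOPE = {
    "include": ["203.0.113.0/24", "2001:db8:10::/48",
                "www.example.test", "*.corp.example.test"],
    "exclude": ["203.0.113.5", "hr.corp.example.test"],
}


def _parse(rule):
    """Classify a rule as ('net', network), ('wild', '.suffix') or ('host', name)."""
    try:
        return "net", ipaddress.ip_network(rule, strict=False)
    except ValueError:
        pass  # not an address or CIDR, so it is a name
    name = rule.lower().rstrip(".")
    if name.startswith("*."):
        return "wild", name[1:]          # keep the leading dot: ".corp.example.test"
    return "host", name


def _matches(rule, target):
    """True if one rule covers the target (an IP address or a hostname)."""
    kind, value = _parse(rule)
    if kind == "net":
        try:
            # A version mismatch (v4 address vs v6 network) is simply False.
            return ipaddress.ip_address(target) in value
        except ValueError:
            return False                 # target is a hostname, not an address
    name = target.lower().rstrip(".")
    if kind == "host":
        return name == value
    # Wildcard: matches subdomains only, never the apex. evilcorp.example.test
    # does not end with ".corp.example.test", so it is rejected as well.
    return name.endswith(value)


def in_scope(target, scope=SCOPE):
    """Exclusions override includes; otherwise any include rule must match."""
    if any(_matches(rule, target) for rule in scope["exclude"]):
        return False
    return any(_matches(rule, target) for rule in scope["include"])


def filter_targets(targets, scope=SCOPE):
    """Split candidate targets into (allowed, rejected) before running a tool."""
    allowed, rejected = [], []
    for target in targets:
        (allowed if in_scope(target, scope) else rejected).append(target)
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["203.0.113.42", "203.0.113.5", "2001:db8:10::7",
                  "vpn.corp.example.test", "hr.corp.example.test",
                  "evilcorp.example.test", "198.51.100.1"]
    allowed, rejected = filter_targets(candidates)
    print("allowed:", allowed)
    print("rejected:", rejected)
```

Feed `filter_targets` the candidate list before handing it to a scanner; anything that lands in `rejected` needs a scope amendment from the customer, not a quiet exception in the tool. Wildcards match subdomains only, so `*.corp.example.test` does not cover `corp.example.test` itself, which is how most rules-of-engagement documents read; list the apex explicitly if it is in scope.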



### 1.2.5 Surveying Different Standards and Methodologies
There are a number of penetration testing methodologies that have been around for a while and continue to be updated as new threats emerge.
The following is a list of some of the most common penetration testing methodologies and other standards:

- **MITRE ATT&CK**: 
    - The MITRE ATT&CK framework (https://attack.mitre.org) is an amazing resource for learning about an adversary’s tactics, techniques, and procedures (TTPs). Both offensive security professionals (penetration testers, red teamers, bug hunters, and so on) and incident responders and threat hunting teams use the MITRE ATT&CK framework today. 
    - The MITRE ATT&CK framework is a collection of different matrices of tactics, techniques, and subtechniques. These matrices–including the Enterprise ATT&CK Matrix, Network, Cloud, ICS, and Mobile–list the tactics and techniques that adversaries use while preparing for an attack, including gathering of information (open-source intelligence [OSINT], technical and people weakness identification, and more) as well as different exploitation and post-exploitation techniques. You will learn more about MITRE ATT&CK throughout this course.

- **OWASP Web Security Testing Guide (WSTG)**:
    - The OWASP Web Security Testing Guide (WSTG) is a comprehensive guide focused on web application testing. It is a compilation of many years of work by OWASP members. 
    - OWASP WSTG covers the high-level phases of web application security testing and digs deeper into the testing methods used. For instance, it goes as far as providing attack vectors for testing cross-site scripting (XSS), XML external entity (XXE) attacks, cross-site request forgery (CSRF), and SQL injection attacks; as well as how to prevent and mitigate these attacks. 
    - You will learn more about these attacks in Module 6, “Exploiting Application-Based Vulnerabilities.” 
    - From a web application security testing perspective, OWASP WSTG is the most detailed and comprehensive guide available. 
    - You can find the OWASP WSTG and related project information at https://owasp.org/www-project-web-security-testing-guide/.

- **NIST Special Publication (SP) 800-115**:
    - Special Publication (SP) 800-115 is a document created by the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. 
    - NIST SP 800-115 provides organizations with guidelines on planning and conducting information security testing. 
    - It superseded the previous standard document, SP 800-42. 
    - SP 800-115 is considered an industry standard for penetration testing guidance and is called out in many other industry standards and documents. 
    - You can access NIST SP 800-115 at https://csrc.nist.gov/publications/detail/sp/800-115/final.

- **Open Source Security Testing Methodology Manual (OSSTMM)**:
    - The Open Source Security Testing Methodology Manual (OSSTMM), developed by Pete Herzog, has been around a long time. Distributed by the Institute for Security and Open Methodologies (ISECOM), the OSSTMM is a document that lays out repeatable and consistent security testing (https://www.isecom.org). It is currently in version 3, and version 4 is in draft status. The OSSTMM has the following key sections:
        - Operational Security Metrics
        - Trust Analysis
        - Work Flow
        - Human Security Testing
        - Physical Security Testing
        - Wireless Security Testing
        - Telecommunications Security Testing
        - Data Networks Security Testing
        - Compliance Regulations
        - Reporting with the Security Test Audit Report (STAR)

- **Penetration Testing Execution Standard (PTES)**:
    - The Penetration Testing Execution Standard (PTES) (http://www.pentest-standard.org) provides information about types of attacks and methods, and it provides information on the latest tools available to accomplish the testing methods outlined. PTES involves seven distinct phases:
        - Pre-engagement interactions
        - Intelligence gathering
        - Threat modeling
        - Vulnerability analysis
        - Exploitation
        - Post-exploitation
        - Reporting

- **Information Systems Security Assessment Framework (ISSAF)**:
    - The Information Systems Security Assessment Framework (ISSAF) is another penetration testing methodology similar to the others on this list with some additional phases. ISSAF covers the following phases:
        - Information gathering
        - Network mapping
        - Vulnerability identification
        - Penetration
        - Gaining access and privilege escalation
        - Enumerating further
        - Compromising remote users/sites
        - Maintaining access
        - Covering the tracks



### 1.2.6 Lab - Compare Pentesting Methodologies
**Objectives**: In this lab, you will complete the following objectives:
    - Compare Various Pentesting Methodologies
    - Conduct Research of Popular Pentesting Methodologies

- Part 1: Conduct Research on Popular Pentesting Methodologies
Using your favorite search engine, research four of the most popular pentesting methodologies:
    - OSSTMM: https://www.isecom.org/
    - PTES: http://www.pentest-standard.org/
    - OWASP WSTG: https://owasp.org/www-project-web-security-testing-guide/
    - MITRE ATT&CK: https://attack.mitre.org/

**Questions**:

**OSSTMM**:
1. What is the latest version of the manual and its copyright date?
    - **Answer**: At the time of writing, Version 3 with a copyright date of 2010.

2. What organization develops the OSSTMM? What do they do?
    - **Answer**: The Institute for Security and Open Methodologies. Answers may vary. They publish security certifications, publish books, and conduct research. They publish a security awareness curriculum for teenagers and conduct other activities.

3. What are the stated primary and secondary purposes of the OSSTMM as stated in the OSSTMM publication?
    - **Answer**: “The primary purpose is to provide a scientific methodology for the accurate characterization of operational security through the examination and correlation of test results in a consistent and reliable way. The secondary purpose is to provide guidelines that allow an analyst to perform a certified OSSTMM audit.”

4. What six outcomes are assured when the OSSTMM guidelines are correctly followed?
    - **Answer**: From the OSSTMM manual page 13:
        1. That the test was conducted thoroughly.
        2. That the test included all necessary channels.
        3. That the test complied with the law.
        4. That the test results are measurable in a quantifiable way.
        5. That the test results are consistent and repeatable.
        6. That the test results contain only facts as derived from the tests themselves.

5. What are the ten steps of applying the OSSTMM when the 4 Point Process and Trifecta are combined?
    - **Answer**: From the OSSTMM manual, page 45:
        1. Passively collect data of normal operations to comprehend the target.
        2. Actively test operations by agitating operations beyond the normal baseline.
        3. Analyze data received directly from the operations tested.
        4. Analyze indirect data from resources and operators (i.e. workers, programs).
        5. Correlate and reconcile intelligence from direct (step 3) and indirect (step 4) data test results to determine operational security processes.
        6. Determine and reconcile errors.
        7. Derive metrics from both normal and agitated operations.
        8. Correlate and reconcile intelligence between normal and agitated (steps 1 and 2) operations to determine the optimal level of protection and control which would best be implemented.
        9. Map the optimal state of operations (step 8) to processes (step 5).
        10. Create a gap analysis to determine what enhancements are needed for processes governing necessary protection and controls (step 5) to achieve the optimal operational state (step 8) from the current one.

**PTES**:
1. What are the seven main sections of the PTES?
    - **Answer**:
        - Pre-engagement interactions
        - Intelligence gathering
        - Threat modeling
        - Vulnerability analysis
        - Exploitation
        - Post-exploitation
        - Reporting


2. What is the stated purpose of the PTES? (Hint: Look in the FAQs)
    - **Answer**: “To provide businesses and security professionals with a common language and scope for performing penetration testing and security evaluations.”

3. What document specifies tools and techniques to be used in the seven sections of the test?
    - **Answer**: The PTES Technical Guidelines

4. What is the PTES?
    - **Answer**: The Penetration Testing Execution Standard (PTES) is a guide for conducting repeatable penetration tests. It is a community-driven framework that provides a standard for conducting penetration tests.

**OWASP WSTG**:
1. What is the latest version of the WSTG standard?
    - **Answer**: At the time of writing, the current stable release is version 4.2; version 5 is the in-development version published on the project site.

2. Access the current stable version of the WSTG. What are the five phases of the Web Security Testing Framework?
    - **Answer**: 
        - Phase 1 - Before development begins
        - Phase 2 - During definition and design
        - Phase 3 - During development
        - Phase 4 - During Deployment
        - Phase 5 - During Maintenance and Operations

3. What is the stated purpose of the OWASP WSTG?
    - **Answer**: “To provide a comprehensive guide for testing the security of web applications. It describes techniques, methods, tools and resources for testing the most common web application security issues.”

4. What are the twelve categories of active tests defined in the OWASP Web Testing Framework?
    - **Answer**: 
        1. Information gathering
        2. Configuration and deployment management testing
        3. Identity management testing
        4. Authentication testing
        5. Authorization testing
        6. Session management testing
        7. Input validation testing
        8. Error handling testing
        9. Weak cryptography testing
        10. Business logic testing
        11. Client-side testing
        12. API testing


**MITRE ATT&CK**:
1. What is the MITRE ATT&CK framework?
    - **Answer**: The MITRE ATT&CK framework is a knowledge base of adversary tactics and techniques based on real-world observations.

2. Why did MITRE develop ATT&CK? (Hint: Look in the FAQs)
    - **Answer**: MITRE ATT&CK started out to document common tactics, techniques, and procedures (TTPs) that advanced persistent threats use against Windows enterprise networks.

In the page menu, click Resources > General Information > ATT&CK Design and Philosophy. Open and review the ATT&CK Design and Philosophy PDF.

3. What six common use cases for ATT&CK are described?
    - **Answer**: Adversary Emulation, Red Teaming, Behavioral Analytics Development, Defensive Gap Assessment, SOC Maturity Assessment, Cyber Threat Intelligence Enrichment.

4. What are the three ATT&CK Technology Domains?
    - **Answer**: Enterprise, Mobile, ICS

Go to the MITRE ATT&CK Enterprise matrix by opening the Matrices menu and choosing Enterprise.
The matrix represents tactics as column headers with techniques arranged as entries in each column. For information on a given technique, click its entry. Additional information is shown on the information page. The information page can include sub-techniques, procedures, mitigations, detection methods, and references. Not all techniques include procedures.
In the column for the Reconnaissance tactic, click the Gather Victim Identity Information entry.

5. What are three sub-techniques that are provided for this technique?
    - **Answer**:
        - T1589.001 Credentials 
        - T1589.002 Email Addresses
        - T1589.003 Employee Names

Select the Email Addresses sub-technique. Review the information there.
Look at the entries under Procedures.

6. Who is the Lazarus Group? They conducted a campaign to gather email addresses for later attacks. How did they gather and use email addresses?
    - **Answer**: The Lazarus Group is a state-sponsored cyber threat group from North Korea. They conducted a campaign called Operation Dream Job in which they used fake job lure phishing attacks and other active attacks to gather email addresses that were later used in phishing campaigns.
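The steps above (tactic column, technique entry, sub-techniques, procedure examples) mirror how ATT&CK is laid out in its machine-readable STIX 2.1 export, which is what most tooling reads rather than the website. The following is an added Python example, not part of the course and not MITRE's own code, that walks such a bundle. The bundle here is a hand-built miniature with constructed STIX ids and procedure text: it keeps only the T1589 entries the lab looks at, plus a constructed revoked technique (T9999) to show why exports must be filtered before use.

```python
"""Walk a MITRE ATT&CK STIX 2.1 bundle the way the matrix page shows it:
tactic (column) -> technique -> sub-techniques, then list the procedure
examples ("uses" relationships from a group) recorded for one technique.

Added example, not course material. SAMPLE_BUNDLE is a hand-built stand-in
for the real enterprise-attack.json (github.com/mitre-attack/attack-stix-data);
its STIX object ids, the revoked T9999 entry and the procedure text are made up.
"""
from collections import defaultdict

MITRE = "mitre-attack"


def _ap(obj_id, ext_id, name, sub=False, **extra):
    """Constructed attack-pattern object placed in the Reconnaissance tactic."""
    return {"type": "attack-pattern", "id": obj_id, "name": name,
            "x_mitre_is_subtechnique": sub,
            "kill_chain_phases": [{"kill_chain_name": MITRE, "phase_name": "reconnaissance"}],
            "external_references": [{"source_name": MITRE, "external_id": ext_id}],
            **extra}


def _rel(rel_id, kind, src, dst, description=""):
    """Constructed STIX relationship object."""
    return {"type": "relationship", "id": rel_id, "relationship_type": kind,
            "source_ref": src, "target_ref": dst, "description": description}


SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--recon",
     "name": "Reconnaissance", "x_mitre_shortname": "reconnaissance"},
    _ap("attack-pattern--t1589", "T1589", "Gather Victim Identity Information"),
    _ap("attack-pattern--t1589-001", "T1589.001", "Credentials", sub=True),
    _ap("attack-pattern--t1589-002", "T1589.002", "Email Addresses", sub=True),
    _ap("attack-pattern--t1589-003", "T1589.003", "Employee Names", sub=True),
    # Real exports keep revoked and deprecated objects; a naive walk would list them.
    _ap("attack-pattern--old", "T9999", "Retired Technique", revoked=True),
    {"type": "intrusion-set", "id": "intrusion-set--lazarus", "name": "Lazarus Group"},
    _rel("relationship--1", "subtechnique-of", "attack-pattern--t1589-001", "attack-pattern--t1589"),
    _rel("relationship--2", "subtechnique-of", "attack-pattern--t1589-002", "attack-pattern--t1589"),
    _rel("relationship--3", "subtechnique-of", "attack-pattern--t1589-003", "attack-pattern--t1589"),
    _rel("relationship--4", "uses", "intrusion-set--lazarus", "attack-pattern--t1589-002",
         "Collected target email addresses for a later phishing wave (constructed text)."),
]}


def active_objects(bundle):
    """Index live objects by STIX id, dropping revoked and deprecated ones."""
    return {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}


def attack_id(obj):
    """Return the T/G/S identifier from the object's mitre-attack reference."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == MITRE), None)


def build_matrix(bundle):
    """Return {tactic name: {technique id: {"name": ..., "subs": {sub id: name}}}}."""
    objs = active_objects(bundle)
    tactic_name = {o["x_mitre_shortname"]: o["name"]
                   for o in objs.values() if o["type"] == "x-mitre-tactic"}
    parent_of = {r["source_ref"]: r["target_ref"] for r in objs.values()
                 if r["type"] == "relationship" and r["relationship_type"] == "subtechnique-of"}
    patterns = [o for o in objs.values() if o["type"] == "attack-pattern"]
    matrix = defaultdict(dict)
    cell_of = {}  # parent technique STIX id -> its matrix cell (shared across tactics)
    # Parent techniques are the column entries; one technique can sit under several tactics.
    for o in patterns:
        if o.get("x_mitre_is_subtechnique"):
            continue
        cell = {"name": o["name"], "subs": {}}
        cell_of[o["id"]] = cell
        for phase in o.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == MITRE:
                tactic = tactic_name.get(phase["phase_name"], phase["phase_name"])
                matrix[tactic][attack_id(o)] = cell
    # Sub-techniques hang off their parent through the subtechnique-of relationship.
    for o in patterns:
        if o.get("x_mitre_is_subtechnique") and parent_of.get(o["id"]) in cell_of:
            cell_of[parent_of[o["id"]]]["subs"][attack_id(o)] = o["name"]
    return dict(matrix)


def procedures(bundle, technique_id):
    """Return [(actor name, description)] for every 'uses' edge into a technique."""
    objs = active_objects(bundle)
    targets = {o["id"] for o in objs.values()
               if o["type"] == "attack-pattern" and attack_id(o) == technique_id}
    return [(objs.get(r["source_ref"], {}).get("name", r["source_ref"]), r.get("description", ""))
            for r in objs.values()
            if r["type"] == "relationship" and r["relationship_type"] == "uses"
            and r["target_ref"] in targets]


if __name__ == "__main__":
    for tactic, techniques in build_matrix(SAMPLE_BUNDLE).items():
        print(tactic)
        for tid, cell in sorted(techniques.items()):
            print(f"  {tid} {cell['name']}")
            for sid, name in sorted(cell["subs"].items()):
                print(f"    {sid} {name}")
    for actor, text in procedures(SAMPLE_BUNDLE, "T1589.002"):
        print(f"Procedure example ({actor}): {text}")
```

To run it against the real data, replace `SAMPLE_BUNDLE` with `json.load(open("enterprise-attack.json"))`; the object types, the `subtechnique-of` and `uses` relationship types and the `x_mitre_*` fields used here are the ones MITRE publishes, but the sample bundle itself is not that file. The revoked-object filter matters in practice: the published export retains superseded techniques so that old references still resolve, and tooling that skips the check will report techniques that no longer exist on the matrix.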


**Reflection Questions**:
1. You researched four popular pentesting methodologies in this lab. Name at least two additional pentesting methodologies that are in common use.
    - **Answer**:
        - NIST SP 800-115: Guide to Information Security Testing and Assessment
        - ISO/IEC 27001: Information technology, security techniques, information security management systems, requirements (not ISO/IEC 15408, which is the Common Criteria standard for IT security evaluation)
        - ISSAF: Information Systems Security Assessment Framework

2. Why is it important to follow a recognized pentesting methodology?
    - **Answer**: to help organize and systematize the pentesting effort, to show your methods follow accepted guidelines and best practices and that they are valid, to provide accurate documentation that includes all important aspects of the tests, and to satisfy regulatory and compliance requirements.

**Skills Check**
1. Under what tactic in the MITRE ATT&CK matrix would you find the information gathering stage of the Operation Dream Job procedure?
    - **Answer**: Reconnaissance
    - Operation Dream Job is an example of a procedure under the Reconnaissance tactic. The North Korean state-sponsored group known as Lazarus Group conducted a campaign in which fraudulent job offers were used to gather information about users. The information was later used to distribute malware through phishing attacks.



## 1.3 Building Your Own Lab

- It is not possible for you to practice on our clients' networks and applications. However, you can practice on simulated targets, networks that you have permission to access, and certain sites on the open internet. In this topic, you will install and explore a Kali Linux virtual machine (VM) that is full of popular ethical hacking tools. The VM also includes simulated internal IP networks that include a variety of intentionally vulnerable systems.

- When it comes to penetration testing, a proper lab environment is very important. The way this environment looks depends on the type of testing you are doing. The types of tools used in a lab also vary based on different factors. We discuss tools in more detail in Module 10, “Tools and Code Analysis.” Here we only touch on some of the types of tools used in penetration testing. Whether you are performing penetration testing on a customer network, your own network, or a specific device, **you always need some kind of lab environment to use for testing**. For example, when testing a customer network, you will most likely be doing the majority of your testing against the customer’s production or staging environments because these are the environments a customer is typically concerned about securing properly. Because this might be a critical network environment, you must be sure that your tools are tried and true – and this is where your lab testing environment comes in. You should always test your tools and techniques in your lab environment before running them against a customer network. There is no guarantee that the tools you use will not break something. In fact, **many tools are actually designed for breaking things**. You therefore need to know what to expect before unleashing tools on a customer network. When testing a specific device or solution that is only in a lab environment, there is less concern about breaking things. With this type of testing, you would typically use a closed network that can easily be reverted if needed.

- There are many different Linux distributions that include penetration testing tools and resources, such as 
    - [Kali Linux](https://www.kali.org)
    - [Parrot OS](https://www.parrotsec.org)
    - [BlackArch](https://www.blackarch.org)

These Linux distributions provide you with a very convenient environment to start learning about the different security tools and methodologies used in pen testing. You can deploy a basic penetration testing lab using just a couple of VMs in virtualization environments such as [VirtualBox](https://www.virtualbox.org) or [VMware Workstation/Fusion](https://www.vmware.com).


Figure 1-1 shows two VMs (one running Parrot OS and another running a vulnerable Microsoft Windows system). The two VMs are connected via a virtual switch configuration and a “host-only network.” This type of setup allows you to perform different attacks and send IP packets between VMs without those packets leaving the physical (bare-metal) system.


<img src="images/01_Intro EH and PT/img2.png" alt="Figure 1-1 - Basic Penetration Testing Lab Environment with Two VMs" style="width: 600px; height: 400px;"/>


Figure 1-2 shows a more elaborate topology for a penetration testing lab environment.

<img src="images/01_Intro EH and PT/img3.png" alt="Figure 1-2 - More Elaborate Penetration Testing Lab Environment" style="width: 600px; height: 400px;"/>


### 1.3.2 Requirements and Guidelines for Penetration Testing Labs

<img src="images/01_Intro EH and PT/img4.png" alt="Requirements and Guidelines for Penetration Testing Labs" style="width: 600px; height: 400px;"/>

### 1.3.3 What Tools Should You Use in Your Lab?

If you are doing testing on a customer environment, you will likely be evaluating various attack surfaces – such as network infrastructure, 
wireless infrastructure, web servers, database servers, Windows systems, or Linux systems, for example.


-   **Network infrastructure-based tools** might include tools for sniffing or manipulating traffic, flooding network devices, and bypassing firewalls and IPSs. For **wireless testing purposes**, you might use tools for cracking wireless encryption, deauthenticating clients from access points, and performing on-path attacks (also called man-in-the-middle attacks).

-   **When testing web applications and services**, you can find a number of automated tools built specifically for scanning and detecting web vulnerabilities, as well as manual testing tools such as interception proxies. Some of these same tools can be used to test for database vulnerabilities (such as SQL injection vulnerabilities).

-   **For testing the server and client platforms in an environment**, you can use a number of automated vulnerability scanning tools to identify things such as outdated software and misconfigurations. With a lot of development targeting mobile platforms, there is an increasing need for testing these applications and the servers that support them. For such testing, you need another set of tools specific to testing mobile applications and the back-end APIs that they typically communicate with. And you should not forget about fuzzing tools, which are normally used for testing the robustness of protocol implementations and input parsers by feeding them malformed or unexpected data.



You can access the repository of cybersecurity resources at https://h4cker.org/github. You can go directly to the section “Building Your Own Cybersecurity Lab and Cyber Range” at https://github.com/The-Art-of-Hacking/h4cker/tree/master/build_your_own_lab.



### 1.3.4 Practice - Requirements and Guidelines for Penetration Testing Labs

You need to set up a penetration testing practice lab because some of the tools that are preferred at Protego are new to you. What best practices will you follow as you set up your lab? (Choose all that apply.)
- Ensure closed access to the network and internet.
- Create a virtualized computing environment.
- Provide sufficient hardware resources to ensure valid results.


### 1.3.5 What If You Break Something?

- For instance, when you are testing web applications, some of the attacks you send will input bogus data into form fields, and that data will likely end up in the database, so your database will be filled with that bogus data. Obviously, in a production environment, this is not a good thing. The data being input can also be of malicious nature, such as scripting and injection attacks. This can cause corruption of the database as well. Of course, you know that this would be an issue in a production environment. It is also an issue in a lab environment if you do not have an easy way to recover. Without a quick recovery method, you would likely be stuck rebuilding your system under test. This can be time-consuming, and if you are doing this for a customer, it can affect your overall timeline.

- Using some kind of virtual environment is ideal as it offers snapshot and restore features for the system state. Sometimes this is not possible, though. For example, you may be testing a system that cannot be virtualized. In such a case, having a full backup of the system or environment is required. This way, you can quickly be back up and testing if something gets broken – because it most likely will. After all, you are doing penetration testing.

### 1.3.6 Lab - Deploy a Pre-Built Kali Linux Virtual Machine (VM)

The Kali Linux version that I am giving you contains all of the Kali tools and several networked simulated targets that you can practice on without risking legal problems. I encourage you to use the simulated targets and other networks that you have permission to scan, such as your home network. Be careful, though: Kali provides some very powerful tools!

In this lab, you will complete the following objectives:

- Part 1: Deploying a Customized Kali Linux VM on AMD or Intel Chip-based Computer
- Part 2: Deploying a Customized Kali Linux VM on ARM M1/M2-based macOS Computer
- Part 3: Exploring Linux


#### Background / Scenario
Computing power and resources have increased tremendously in a short period of time. A benefit of multi-core processors and large amounts of RAM is the ability to run multiple operating systems on a computer using virtualization.

With virtualization, one or more virtual computers can operate on a single physical computer. Virtual computers that run on physical computers are called virtual machines (VMs). **Virtual machines are often called guests, and physical computers are often called hosts**. Anyone with a modern computer and operating system can run virtual machines.

In this lab, you will first install a desktop virtualization application, such as Oracle VirtualBox, and deploy a virtual machine running a Kali Linux OS.

#### Instructions
Even though most modern computers can support virtualization, if you are not sure, perform an internet search to determine the capability of virtualization on your PC and enable virtualization as necessary.

Depending on the architecture of your PC, you will either use Oracle VirtualBox or UTM for your virtualization software.

##### Part 1: Deploying a Pre-Built Customized Kali VM on AMD or Intel Chip-based Computer

Step 1: Download and install VirtualBox.

Step 2: Download the pre-built customized Kali.
- Navigate to the [Resource Hub](https://skillsforall.com/resources/lab-downloads?courseLang=en-US) from skillsforall.com.
- Download the OVA file for this course. Note the location of the downloaded OVA file on your computer.

Step 3: Deploy the VM in VirtualBox.
- Open VirtualBox.
- Click File > Import Appliance to import the downloaded OVA file, Kali.ova. Click Next to continue.
- Review the appliance settings. Increase the amount of RAM if desired. Click Finish to continue.
- Click Start to power up the newly created VM after the appliance has been imported.


##### Part 3: Exploring Linux

Step 1: Root Privileges
The root user in Linux is equivalent to the administrator user on Windows. The commands **su** and **sudo** allow you to gain root permissions.

The **su** command allows you to become the root user after providing the root password. When you are done running commands, you need to type the **exit** command to leave the root shell and return to your own account.

With the **sudo** command, only a single command is run with root privileges using the current user’s password by default.

For the pre-built customized Kali for this course, the user **kali** is configured to use the **sudo** command to access root privileges.

Note: These commands are for demonstration only. You will be more familiar with these commands as you become more fluent with Linux.

Log into the Kali system with the username **kali** and the password **kali**. You are presented with the Kali desktop.
Right-click the Desktop > select Applications > click Terminal Emulator. This will open a terminal emulator window.
Root privilege is required to view and edit the file **/etc/sudoers**. To illustrate the use of root privileges, enter the command **visudo** at the command prompt in the terminal.

```
┌──(kali㉿Kali)-[~]
└─$ visudo && echo "This is a new line"
visudo: /etc/sudoers: Permission denied
```

Note that you do not have permission to view and edit the file.

To temporarily elevate your permission for root access, enter **sudo visudo** at the prompt. Provide the password **kali** when prompted.

```
┌──(kali㉿Kali)-[~]
└─$ sudo visudo
```

Scroll toward the end of the file. The highlighted configuration allows any user in the **sudo** group to execute any command. Press Ctrl+X to exit the file and do not save any changes.

```
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
```
Verify that the user **kali** is part of the **sudo** group. The **grep** command only prints the lines that match the given pattern. In this example, the command searches for the word **sudo** in the file **/etc/group** and prints that line. The result confirms that the user **kali** is in the group **sudo**.

```
┌──(kali㉿Kali)-[~]
└─$ grep sudo /etc/group
sudo:x:27:kali
```
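The two manual checks above (group membership in `/etc/group` and the `%sudo` rule in `/etc/sudoers`) can be turned into a repeatable verification. The script below is an added example, not part of the course lab; it runs against constructed copies of both files written to a temporary directory, and the function names (`in_group`, `group_rule`, `can_sudo_all`) are my own.

```shell
#!/bin/sh
# Added example (not from the course): check sudo group membership and the
# matching sudoers rule from files, the way the lab does by hand.

LABDIR=$(mktemp -d)
# Constructed sample of /etc/group (name:password:gid:member,member)
cat > "$LABDIR/group" <<'EOF'
root:x:0:
adm:x:4:syslog,kali
sudo:x:27:kali
kali:x:1000:
EOF
# Constructed sample of /etc/sudoers containing the rule shown in the lab
cat > "$LABDIR/sudoers" <<'EOF'
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
EOF

# in_group USER GROUP FILE: succeed if USER is a listed member of GROUP.
# Caveat: a user's primary group is recorded in /etc/passwd, not here, so
# this covers exactly what "grep sudo /etc/group" shows and nothing more.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }' "$3"
}

# group_rule GROUP FILE: print the sudoers rule for %GROUP, skipping comments
group_rule() {
    awk -v g="%$1" '$1 !~ /^#/ && $1 == g { $1 = ""; sub(/^ +/, ""); print }' "$2"
}

# can_sudo_all USER GROUP GROUPFILE SUDOERS: succeed only if USER is in GROUP
# and the %GROUP rule grants ALL=(ALL:ALL) ALL (or ALL=(ALL) ALL)
can_sudo_all() {
    in_group "$1" "$2" "$3" || return 1
    group_rule "$2" "$4" | grep -Eq '^ALL=\(ALL(:ALL)?\)[[:space:]]+ALL$'
}

can_sudo_all kali sudo "$LABDIR/group" "$LABDIR/sudoers" \
    && echo "kali is in group sudo and may run any command via sudo"
```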

Step 2: Keyboard shortcuts  
As you work in the terminal, you may find yourself retyping some commands or trying to remember a command, filename, or folder name. A few keyboard shortcuts can help you become more efficient at the terminal.
You can use the up or down arrow keys to locate and execute the previously entered command. In the terminal, press the up arrow until you find the **visudo** command.



## 1.4 Summary

### 1.4.1 What Did I Learn in this Module?

**Understanding Ethical Hacking and Penetration Testing**
- This topic covers ethical hacking and penetration testing, explaining that an ethical hacker is someone who uses the same tools as nonethical hackers to find vulnerabilities in a network's or system's infrastructure but reports their findings to the vendor or customer to help make the system more secure. 
- The purpose of penetration testing is to identify possible paths of compromise before malicious attackers do. It is important to evaluate and test the effectiveness of defensive techniques used to secure and defend networks and systems, and this is where penetration testing comes in. 
- The topic also describes different types of threat actors, including organized crime, hacktivists, state-sponsored attackers, and insider threats.

**Exploring Penetration Testing Methodologies**
- This topic discusses the importance of using a methodology for penetration testing to avoid scope creep and providing documentation of a specialized procedure that has been used successfully by many organizations to test their network and data infrastructures. 
- It also lists different types of penetration tests, including network infrastructure tests, application-based tests, and penetration testing in the cloud. 
- The topic further explains the different perspectives from which testing is performed, including unknown-environment testing, known-environment testing, and partially known environment testing. 
- Lastly, the topic provides an overview of various penetration testing methodologies, including MITRE ATT&CK, OWASP WSTG, NIST SP 800-115, OSSTMM, PTES, and ISSAF.

**Building Your Own Lab**
- This topic discusses the importance of a proper lab environment for penetration testing and the different types of tools used in the testing process. It emphasizes the need to test tools and techniques in a lab environment before running them against a customer network to avoid breaking anything. Requirements for a typical penetration testing lab are discussed, including a closed network, virtualized computing environment, realistic environment, health monitoring, sufficient hardware resources, multiple operating systems, duplicate tools, and practice targets. 
- The types of tools used in penetration testing depend on the type of testing being done, such as network infrastructure-based tools, web application testing tools, automated vulnerability scanning tools, and mobile application testing tools. It is important to have a recovery method in case something breaks during testing.


### 1.4.2 Reflection Questions


### 1.4.3 Quiz - Introduction to Ethical Hacking and Penetration Testing


1. Which statement best describes the term ethical hacker?

    - **Answer**: a person who mimics an attacker to evaluate the security posture of a network

2. Which threat actor term describes a well-funded and motivated group that will use the latest attack techniques for financial gain?

    - **Answer**: organized crime

3. Which type of threat actor uses cybercrime to steal sensitive data and reveal it publicly to embarrass a target?

    - **Answer**: hacktivists

4. What is a state-sponsored attack?

    - **Answer**: An attack perpetrated by governments worldwide to disrupt or steal information from other nations.

5. What is an insider threat attack?

    - **Answer**: An attack perpetrated by disgruntled employees inside an organization

6. What kind of security weakness is evaluated by application-based penetration tests?

    - **Answer**: logic flaws

7. What two resources are evaluated by a network infrastructure penetration test? (Choose two.)

    - **Answer**: AAA servers (Authentication, Authorization, and Accounting servers) and IPSs (Intrusion Prevention Systems). These components are crucial for maintaining network security and are often targeted to identify potential vulnerabilities.


8. When conducting an application-based penetration test on a web application, the assessment should also include testing access to which resources?

    - **Answer**: back-end databases. These databases often store sensitive information, and ensuring their security is crucial to protecting the overall application.

9. What is the purpose of bug bounty programs used by companies?

    - **Answer**: reward security professionals for finding vulnerabilities in the systems of the company


10. What characterizes a partially known environment penetration test?

    - **Answer**: The test is a hybrid approach between unknown and known environment tests

11. What characterizes a known environment penetration test?

    - **Answer**: The tester could be provided with network diagrams, IP addresses, configurations, and user credentials.


12. Which type of penetration test would only provide the tester with limited information such as the domain names and IP addresses in the scope?

    - **Answer**: unknown-environment penetration test (previously known as black-box). The tester typically has only a very limited amount of information; for instance, the tester may only be provided with the domain names and IP addresses in scope for a particular target, and has no prior knowledge of the target organization and its infrastructure.


13. Match the penetration testing methodology to the description

    - **Answer**:
        - MITRE ATT&CK (E): Collection of different matrices of tactics and techniques that adversaries use while preparing for an attack.
        - OSSTMM (C): Lays out repeatable and consistent security testing.
        - OWASP WSTG (A): Covers the high-level phases of web application security testing.
        - NIST SP 800-115 (B): Provides organizations with guidelines on planning and conducting information security testing.
        - PTES (D): Provides information about types of attacks and methods.
        - ISSAF (F): Provides a framework for conducting penetration testing.

14. Which three options are phases in the Penetration Testing Execution Standard (PTES)? (Choose three.)

    - **Answer**:
        - Threat modeling
        - Reporting
        - Exploitation

15. Which two options are phases in the Information Systems Security Assessment Framework (ISSAF)? (Choose two.)

    - **Answer**: Information Systems Security Assessment Framework (ISSAF) is a penetration testing methodology with the following phases: Information gathering, Network mapping, Vulnerability identification, Penetration, Gaining access and privilege escalation, Enumerating further, Compromising remote users/sites, Maintaining access, and Covering the tracks.

16. Which two options are phases in the Open Source Security Testing Methodology Manual (OSSTMM)? (Choose two.)

    - **Answer**:
        - Work Flow
        - Trust Analysis

17. Which penetration testing methodology is a comprehensive guide focused on web application testing?

    - **Answer**: OWASP WSTG (OWASP Web Security Testing Guide) is a comprehensive guide focused on web application testing. It covers various aspects of web application security and provides detailed methodologies for identifying and addressing vulnerabilities.

18. Which option is a Linux distribution that includes penetration testing tools and resources?

    - **Answer**: BlackArch is indeed a Linux distribution that includes a wide range of penetration testing tools and resources. It's designed specifically for security researchers and penetration testers, providing a comprehensive suite of tools to assess and secure systems.


19. Which option is a Linux distribution URL that provides a convenient learning environment about pen testing tools and methodologies?

    - **Answer**: [parrotsec.org](https://parrotsec.org)

20. What does the "Health Monitoring" requirement mean when setting up a penetration test lab environment?

    - **Answer**: The tester needs to be able to determine the causes when something crashes.

21. Which tool would be useful when performing a network infrastructure penetration test?

    - **Answer**: The tools used in penetration testing depend on the type of testing to be done. A network infrastructure penetration test might include tools for sniffing or manipulating traffic, flooding network devices, and bypassing firewalls and IPSs.

22. Which tool should be used to perform an application-based penetration test?

    - **Answer**: interception proxy tools. These tools allow testers to intercept and analyze the traffic between the client and the server, helping to identify vulnerabilities and security issues within the application.

23. Which tools should be used to perform a wireless infrastructure penetration test?

    - **Answer**: de-authorizing network devices tools

24. Which tools should be used for testing the server and client platforms in an environment?

    - **Answer**: vulnerability scanning tools

25. Sometimes a tester cannot virtualize a system to do the proper penetration testing. What action should be taken if a system cannot be tested in a virtualized environment?

    - **Answer**: a full backup of the system

