Phase four, active penetration. This is, again, four phases in at this point, right? So, the fourth or fifth step, eighty percent of the way, is where we start actually executing on information. Obviously, we always want to give out proper guidance here. When you are doing a pen test, a couple of things to keep in mind. A, you should never do this unless you have the permission of the system owners that you are working with. It is very important you never target systems without permission, even in a black box test. You have negotiated upfront and made sure you have the general consent of the system owners, and you have a general plan for what is allowed, and a general plan for what is off limits. You never want to go after systems without the system owner's approval, because that is hacking. That is not penetration testing, and hacking is illegal. We want to make sure we know that. It is also unethical, it violates the code of ethics, and that is also a concern or a problem for us. So, we want to make sure we know that.

Aside from that, we also want to make sure that we have the proper training, the proper skills, and the proper knowledge to do this without compromising the systems that we are targeting, because, just because the system owner said, "Oh yeah, it is okay if you try to get into our web servers, but by the way, our web servers are up and running and serving our customers, try not to take them offline." You know, that is something you need to be aware of, and you need to, obviously, have great respect for, and understand how to operate accordingly. You cannot take down systems in production during a pen test. I mean, it happens, do not get me wrong, you can. What I am saying is, you should not, and if you have the skills to do this the right way, you will not. But amateur pen testing leads to complicated problems that professionals then have to go back and fix.
So, if you want to learn how to do this, and I definitely encourage you to think about learning these skills, they are incredibly valuable for security professionals and practitioners to have. You should get formal training and you should set up a virtual network where you can practice these skills, hone them, refine them, learn them the right way, before you try to take the skills out into the wild and go hunting. It is very important for you to think about. So, make sure we understand that in phase four.

Phase five, analysis and reporting. We are going to go in and gather up the information that we have not only discovered during all the discovery phases of all the recon, network mapping, et cetera, but we are going to actually also gather up all the information we have gotten during phase four, where we have actively gone in and probed and attacked. Put that all together. We should have a template of some kind we use, or we negotiate with the customer ahead of time as to what form they want the report to take. We will then present that information to them, we will give detailed analysis. We may be asked to give a briefing, it depends on the nature of what we are doing, but we will give all that information over to the customer, along with recommendations about how to fix the things we found, and the reasons why these things are occurring.

This is the five-phase methodology we use for penetration testing. We want to make sure we understand the phases, we want to make sure we are comfortable walking through them in sequence, we want to make sure you know them in order, we want to make sure you understand what happens in each phase. Understanding some of the examples of things we talked about specifically, where we spent a great deal of time, and being able to go in and look at how we would do recon and network mapping in phase three, it is pretty important, right?
We spent a lot of time talking about that, demonstrated one of the many techniques we discussed, gave you a pretty thorough discussion of the kinds of scans that can be used. That information is valuable. It is also important information for you to have a sense of, in case you are asked questions about it.

So, the heights of the pen test high-level steps. In other words, kind of wrapping that five-step methodology into the actual approach, what would it look like? We would go in, if we are going to do this for real, go through and obtain one or more network addresses, the gateway addresses, upfront, to understand how to approach the network, do our recon, target vulnerability analysis and enumeration takes place, followed by exploitation. And what is not there about the fifth step would obviously be analysis and reporting back to the customer. So, I just want to make sure, as we review those, that we have a good common sense of what is going on, and we understand that this is a logical, progressive process, right? We move from step one to step two, or phase one to phase two. We may jump right to phase three, if we think we know everything, but chances are good we are going to want to spend time walking through each of these phases methodically to understand what is happening.

Let us just do a quick review, as we always do as we wrap up our conversations here around pen testing. So we have three questions on the screen. I'll give you a moment to ponder those. As soon as you are ready, you think you know what the answers are, come on back and we will take a look.

Let us go ahead and take a look at what those answers are. Let us start with questions one and two. What are the phases of penetration testing? We have been through them, we have talked about what they are: phase one, preparation. Phase two, information gathering. Phase three, information evaluation and risk analysis. Phase four, active penetration, and phase five, analysis and reporting.
What are the three penetration testing modes? Again we will talk about those: white box, black box, red box. Remember, gray box is not quite white, not quite black. It is kind of a middle ground between the two. We know some stuff, but not everything, but in the white box, we tend to know everything, in the black box we know nothing. So it is a middle ground, a bridge, between the two.

And then finally, what is firewalking? I actually demonstrated this for you live, right? This is a technique for mapping a network that uses traceroute techniques. We are looking at the hops from point A to point B, C, D and E to get to point F. And we are going to either mirror that back to a command shell, as you saw, we can take that output, dump it into a file and document it, we can screen capture, we can do all sorts of stuff with it. But the point is, it is the ability for us to use a program that will ping every interface along the path, and report back on the status of that interface, up or down, are we allowing traffic, yes or no. That is what firewalking is.

As we finish up our review or discussion of penetration testing, we want to make sure we understand, as we have been looking at testing methodologies and information acquisition methodologies. Assessment methodologies is the broad name or category that we are operating under here. We have talked about penetration testing, talked about vulnerability analysis, we have talked about risk assessment and risk management. These are all areas that we have to spend time on, that we have to understand more about, and, as SSCPs, you have to be comfortable discussing, answering questions on, and applying those skills for these particular areas that we have been discussing, or things that we have been taught how to do, in the wild. You have to be able to go out in your networks, and understand how to allocate information and resources that will help us to map out the network.
You have to understand how to deal with risks, identify them, understand what threats and vulnerabilities are, and how threat sources can take advantage of those vulnerabilities, to create the likelihood that we will see a risk. You have to assess vulnerabilities, understand how to measure them, how to monitor them, and how to document them, so we can manage risk. These are very important skills. Take some time to review that information. Make sure you are comfortable with it. As soon as you feel good, you are ready to go, come on back and we will continue to talk about some additional cool stuff. See you soon.