Penetration Testing Workflows and Tools

The use of standardized workflows and automated testing tools helps ensure consistent quality and depth of all vulnerability assessments / penetration tests performed by CTSA personnel.


Penetration Testing Project Workflow

CTSA operates under a structured, repeatable project approach, guided by the following steps:

Define Scope
Before a web application assessment can take place, CTSA works with the client to define a clear scope for the engagement. Open communication between CTSA and the client organization at this stage is imperative to establish a solid foundation from which to assess.

  • Determine the most appropriate service based on the client's goals, objectives, and environment maturity level

  • Establish expected deliverables

  • Determine which of the organization’s applications, domains, and/or operations are included in the engagement scope

  • Make exclusions from the assessment known (applications, specific pages, subdomains, operations, locations)

  • Decide on the official testing period and confirm time zones

Information Gathering
Perform detailed reconnaissance on the agreed-upon target(s), employing a range of tools and techniques. The gathered data supports an accurate risk assessment as the engagement progresses. Targeted intelligence might include:

  • PDF, DOCX, XLSX, and other files exposed through Google search results

  • Previous breaches/credential leaks

  • Revealing forum posts by application developers

  • Exposed robots.txt file

The next phase of the project incorporates automated scripts and tools, among other tactics, for more advanced information gathering, leading to the initial identification of possible attack vectors. The information gathered at this stage forms the basis for the detailed assessment work in the next phase.

Testing and Evaluation
With careful consideration, CTSA will begin targeted testing activities specifically designed to test and evaluate the risk mitigation mechanisms implemented by the client. This is done cautiously to protect the client's applications and data. The specific activities are tailored to the service(s) CTSA has been contracted to assess and could include:

  • Vulnerability scanning of the client’s perimeter, applications, and social engineering programs

  • Detailed exploit testing leveraging identified attack vectors, such as SQL injection and/or Cross-Site Scripting

  • Social engineering testing around user security awareness, physical environment controls, and security incident response/recovery

Reporting
Reporting is the final stage of the assessment process. CTSA personnel aggregate all information obtained and all testing results to provide the client with a detailed, thorough, and comprehensive summary of the findings. The report includes a high-level breakdown of the overall risk, highlighting both strengths and weaknesses in the applications, domains, and/or operations included in the project scope. It also includes strategic recommendations to aid business leaders in making informed decisions regarding the prioritization and effectiveness of potential remediation activities.

Remediation Testing
Additionally, upon client request, CTSA will complete post-remediation assessment tests to verify that changes were implemented properly and that any residual risk is within the client's established risk tolerance levels.


Penetration Test Tools

CTSA commonly uses the following tools to conduct its vulnerability assessment/penetration testing services. This is not a comprehensive list of the tools available for our engagements, but rather those commonly used during our assessments.

1. Nessus

Nessus is a network and web application vulnerability scanner. It can perform different types of scans and helps a penetration tester identify vulnerabilities. The tester can then spend time determining which findings can be exploited further.

2. Dirbuster

Dirbuster is a directory brute-forcing tool that helps the tester discover directories and files present on a web server. The tool takes an input wordlist and tests each entry for availability. This allows footprinting of the directory structure and reveals directories that would otherwise be difficult to find.

3. Metasploit

Metasploit is an exploitation framework packed with a wide range of capabilities. A skilled tester can generate payloads and shellcode, gain access, and perform privilege escalation attacks. Knowledge of Python and Ruby is helpful, since the framework uses them for most of its scripts.

4. Burp Suite

Burp Suite is used specifically for testing web applications. The tester can use this tool to dig deeper into an application and hunt for vulnerabilities. High-severity vulnerabilities with known exploits can then be exploited further to move forward with the penetration test.

5. Kali Linux

Kali Linux is a Debian-based Linux distribution aimed at advanced penetration testing and security auditing. Kali contains several hundred tools geared towards various information security tasks, such as penetration testing, security research, computer forensics, and reverse engineering.

6. Social-Engineering Toolkit

The Social-Engineering Toolkit (SET) is designed to perform advanced attacks against the human element. SET is used during a penetration test and incorporates a variety of built-in attacks designed to target an organization or an individual.