Formal document that gives permission to perform a penetration test.
Guideline for testers, and as such it should clearly state what is and isn't allowed.
E.g. which IP addresses should be tested, which hosts are not to be tested, which techniques are allowed, the time frame in which the test can take place, etc.
E.g. SQL injection tests and brute-force attacks are OK, but no DDoS attacks, so as not to cause service disruption or incur network costs.
Also used by armies, e.g. the US army cannot fire on somebody unless they're firing on them.
You can create your own cellphone tower and take over their connections, as you'll have the strongest signal.
Contact information
E.g. sitting in a nearby coffee shop to take photos and collect names. You can then look up their contact information in the list of employees (if publicly available somewhere). They become susceptible to social engineering.
Information about other organizations
E.g. you can come in a track suit to fix air-conditioning devices and say "hey, there's a problem with the air conditioning on floor 14", or "regular maintenance", or "one of your devices is due". A security person may escort you, but he won't watch everything carefully, and you can place a Raspberry Pi and connect it to a power outlet. Refer to the following video: Sneaking in EVERYWHERE for FREE (Yellow Vest Experiment)
Keep it stupid and simple. Something too complex has a higher risk of not working; the dumber and simpler it is, the more likely it is to work.
Trying to bypass IDS (Intrusion Detection System) and firewall
One way is to use social engineering to test the boundaries and find a way into the system.
Firewall testing techniques include:
ICMP probes
Checking access control
Evaluating protocol filtering rules
Evaluating IDS
Probing allows you to see what the perimeter detects, what it drops, and what it won't detect.
You can craft your own packets and see the reactions,
e.g. by modifying source/destination IPs.
E.g. check whether a certain port always drops; maybe the port is open but only reachable through the VPN that employees use to access the network.
Figure out what devices are running behind the perimeter to select a target.
Enumerate devices, collecting:
ID of the device
Description
Hostname
Physical location
IP and MAC address
The MAC address lets you know who the manufacturer is. Manufacturer information can give you an idea of what kind of OS they run. You might learn what devices they are running and how they are shipped. You can go to the distributor and place physical keyloggers or sniffers, e.g. a Raspberry Pi, into a large router/switch.
By cross-checking them again later, it is possible to identify unauthorized devices.
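As an added example (not part of these notes), a small Python script that performs the cross-check just described: it keys two constructed inventory snapshots by MAC address and reports new, missing and changed devices, using a tiny constructed OUI table (only the Raspberry Pi prefix is a real one) to attribute the vendor of anything unexpected.

```python
# Added example: cross-check a baseline device inventory against a later scan.
# Sample inventories and the OUI table are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    dev_id: str
    description: str
    hostname: str
    location: str
    ip: str
    mac: str


# Constructed OUI -> vendor table (first three octets of the MAC).
# "b8:27:eb" is the real Raspberry Pi Foundation prefix; the others are made up.
OUI_VENDORS = {"00:11:22": "ExampleNet", "aa:bb:cc": "AcmeSwitch",
               "b8:27:eb": "Raspberry Pi Foundation"}


def vendor_of(mac: str) -> str:
    """Return the vendor for a MAC's OUI prefix, or 'unknown' if not in the table."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def cross_check(baseline, current):
    """Compare two inventories keyed by MAC address.
    Returns (new, missing, changed); 'changed' devices kept their MAC but
    changed hostname, IP or physical location since the baseline."""
    base = {d.mac.lower(): d for d in baseline}
    cur = {d.mac.lower(): d for d in current}
    new = [cur[m] for m in sorted(cur.keys() - base.keys())]
    missing = [base[m] for m in sorted(base.keys() - cur.keys())]
    changed = [(base[m], cur[m]) for m in sorted(base.keys() & cur.keys())
               if (base[m].hostname, base[m].ip, base[m].location)
               != (cur[m].hostname, cur[m].ip, cur[m].location)]
    return new, missing, changed


# Constructed sample data: the second scan shows a printer with a new IP and
# an unregistered device whose vendor prefix is worth investigating.
BASELINE = [
    Device("d1", "core switch", "sw-core-1", "floor 1 rack A", "10.0.0.1", "aa:bb:cc:00:00:01"),
    Device("d2", "printer", "prn-14", "floor 14", "10.0.14.20", "00:11:22:33:44:55"),
]
CURRENT = [
    Device("d1", "core switch", "sw-core-1", "floor 1 rack A", "10.0.0.1", "aa:bb:cc:00:00:01"),
    Device("d2", "printer", "prn-14", "floor 14", "10.0.14.21", "00:11:22:33:44:55"),
    Device("?", "unregistered", "raspberrypi", "floor 14", "10.0.14.77", "b8:27:eb:12:34:56"),
]

if __name__ == "__main__":
    new, missing, changed = cross_check(BASELINE, CURRENT)
    for d in new:
        print(f"NEW {d.hostname} {d.mac} vendor={vendor_of(d.mac)} at {d.location}")
    for old, now in changed:
        print(f"CHANGED {old.hostname}: ip {old.ip} -> {now.ip}")
```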
E.g. you realize that there's no strict policy regarding e-mails. You send a phishing e-mail and gain more information when the person clicks the link; you can then execute arbitrary code if the e-mail client is old (unlikely).
E.g. phone call and ask for what you need: works far more often than it should.
A lot of companies have a state-of-the-art perimeter,
but inside the perimeter they have very old equipment and OSes;
they don't emphasize internal security as much as external.
Once you pass the perimeter, you're more likely to find something inside.
Defenses include:
Running services with the least privileged accounts
Retract means being able to exit without leaving any traces behind.
Traces left behind can raise suspicion, and in effect the vulnerabilities would be patched and you could not regain access to the target machine using the same method.
Delete all the logs that indicate you existed, to ensure persistent remote access.
A good idea is to figure out which antivirus they use and test your execution in a VM with the same antivirus and security measures, so as not to get detected by a random scan.
If an alarm is raised, you might be detected; put it in the report along with whether the flag was investigated.