Penetration Testing - Planning an Engagement
I am taking Dion Training’s PenTest+ course on Udemy in parallel with the OSCP PEN-200 course. There is a lot of overlap between the two courses; however, one area that I haven’t seen covered in the PEN-200 that is covered in PenTest+ is planning and scoping an engagement. This section in PenTest+ compares the different frameworks with a nice table seen in the image above.
There have been a lot of certifications over the past half decade or so with some being older, and therefore, more well-known than others. What I appreciate about this framework comparison image is clearly seeing the differences between the EC Council’s methodology compared against both the PenTest+ and NIST SP 800-115 frameworks.
Jason Dion, the course instructor, points out that the PenTest+ framework closely mirrors the structure of the NIST framework.
It is my understanding that the CompTIA PenTest+ certification is a bit newer than the EC Council’s CEH certification, and while some may consider that ‘more steps is better’, for the sake of simplicity (and memorization), it helps to squash the sections defined by the EC Council into fewer sections.
As a side note: this is not much different from the comparisons seen between the OSI model and the TCP/IP model. Where the OSI model contains 7 different layers, the TCP/IP model only contains 4, as observed in a post from Guru99:
Importance of visualizing frameworks
Visualizing this is important for the sake of mentally modelling the processes that are needed before beginning a penetration test/assessment/engagement.
What is not so obvious when comparing the penetration testing frameworks is the lifecycle that is inherent to each framework.
Given that a penetration tester will engage in multiple penetration tests throughout their career, it is important to embed these concepts in order to more effectively plan each engagement.
In other words, it is helpful to keep in mind that after an assessment has been planned and scoped, information gathering and vulnerability scanning is the next step, followed by attacks and exploits, and finally reporting and communicating, particularly when learning penetration testing material for the first time.
For instance, while working through some of my first boxes on TryHackMe, I started to develop the muscle memory of loading up a walkthrough. While this is not terrible in and of itself, I’d rather be aware of what the scope of the box is, and work through the steps defined in these frameworks to make a better decision on what to do next.
Understanding that the scope of an Active Directory box is different from the scope of a vulnerable web application helps to inform where to begin information gathering.
In summary, while there are differences between these three frameworks, there are also similarities; that is, the options available to a penetration tester are finite. To put it most simply, all one needs to remember can be referenced in four words:
- Plan
- Discover
- Attack
- Report
And build from there.
If you liked this blog, I’d love to see you again in future posts; I’ll be adding more of these as I proceed through my penetration testing education.
Cheers!
(NOTE: I do not own the images mentioned in this post, and have made sure to reference owners of said images when possible)