Penetration Testing Bootcamp - Penetration Testing Methodologies
Key Takeaways
The video discusses the importance of penetration testing methodologies, including OSSTMM and OWASP Testing Guide, for identifying vulnerabilities and weaknesses in an organization's security posture.
Full Transcript
hey guys welcome back to the penetration testing boot camp and we're finally winding up with our uh fundamental terminology stage of this uh of this course or this boot camp and in this video we're going to be talking about penetration testing methodologies uh the various ones that are available but the whole objective of this video is to explain to you why a methodology is important regardless of what you're using it for they're using one for penetration testing vulnerability analysis or even landing a plane so i'll get to that in a second that might may seem a bit confusing but what is a pen testing methodology so a pen testing methodology is a comprehensive methodical approach uh or a system that is used in pen testing of course to identify vulnerabilities and weaknesses in the overall security posture of an organization now let me just talk about methodology in abstraction for a second so if we take a normal standard definition of methodology and what you're supposed to get after using a methodology is you're supposed to get outcomes right so when talking about the goal of using a methodology we're going to have outcomes so the outcomes of a pen testing methodology is to identify weaknesses flaws vulnerabilities in the security posture of an organization now methodologies can be comprehensive they can be vague they can be very basic and you can use methodologies for doing anything so there's a methodology for making a cup of tea this methodology for landing an aircraft now that might also ask you or might raise the question in your mind that question is going to be why are they important right when when doing anything really uh and of course the answer to that is that they ensure that you have consistent outcomes now that may seem a bit uh far-reaching but let's take the the example of the of landing an aircraft for example when learning an aircraft you have something called the landing checklist now that in all essence cannot be considered a methodology but it really is and that's because it is quite uh it's a checklist so it's very systematic and methodical and it's used by uh by aircraft pilots or by pilots to actually ensure that everything is set up for a successful landing now if they don't follow that they risk losing or missing one more you know a particular uh sequence that is extremely vital though the point i'm trying to make here is that when you're using methodology and one that is extremely comprehensive you're ensuring that you have a clear methodical and systematic approach to testing that ensures that tests are going to be reliable accurate and consistent across the board so what am i talking about so let's say you have you you create a pen testing methodology it can be simple it can be extremely in-depth and you give two penetration testers that same methodology what that methodology ensures is that the outcomes are going to be the same across the board so if you give them these methodologies and you give them the same organization with the same infrastructure you don't change a sim a single thing you don't change the scenario if they use that methodology the outcomes should be the same all right so again if you're talking about the example of the aircraft pilot uh if all of them follow the methodology for landing a particular aircraft then in most cases if they do follow them correctly they land the plane successfully so that takes us to another key aspect of any methodology is that the pen testing methodologies need to be extremely comprehensive and accurate and this of course is used to ensure that any penetration test or security tests are performed successfully or to the best that they can be performed you know they can give you the most accurate results that you're looking for because if you have a very vague and a very poorly written or spoily setup methodology it may leave out you know important aspects of this the overall security posture of an organization that an attacker might actually catch up to and because they were ignored or not actually covered you know that is an actual failure in the pen test so uh there's a there's a quick saying that i i personally believe and that is a penetration test is only as comprehensive as the methodology that was used and that is why in many of my ctf videos or any of my pen testing videos i actually really recommend creating your own methodology for these types of scenarios so you know having a ctf methodology for linux boxes windows boxes and if you follow that you actually come to the conclusion that you know your your outcomes are going to be the same and of course you can improve upon it by adding additional stages to ensure that uh you're not really performing anything redundant but you're very very methodical and you're uh you're extremely comprehensive in your test so when talking about pen testing methodologies we have both proprietary and open source i'm going to be focusing only on the open source methodologies uh proprietary methodologies you know you have some from ibm and some other companies that are you know also very good and they're used to test you know organizations and the overall security posture the threats they face identify any vulnerabilities but let's talk about the open source pin testing methodologies that i want you guys to focus on right now if you are a beginner that is so we have the oss tmm so that is the open source security testing methodology manual and then you have your os testing methodology uh which is of course uh created by the open web application security project so osstm is specifically targeted at testing various aspects of the security posture of a company so physical security wireless security and i'll get to that in a second uh and then we have your os which is used to test uh web applications you know and it does this by defining the top most vulnerabilities that affect web applications in a particular year and it also covers how they can be remediated so on and so forth so uh i want you guys to perform research on this and i'll be giving you guys my pen testing methodologies as we'll be covering vulnerable boxes i'll give you my ctf methodologies so you can use them and you'll actually see how helpful they are because they allow you to document what you're doing they allow you to actually go through it method uh you know in a methodical way or a methodical manner so you don't miss any stage and you get you know extremely accurate and comprehensive results when you're doing them so let's uh let me open up the oss tmm right over here so i'll post a link to where you can actually download this so again this is the open source security testing methodology manual and uh another question that might be coming into your mind right now is how do we actually ensure that this manual is comprehensive how how is the quality of this manual uh you know how is it maintained and how can you trust it and of course that is done through peer review because this is actually quite extensive and it gives you you know a bit of information right over here so if you take a look at the introduction it gives you a bit of introduction into that so it provides your methodology for a thorough uh security test herein referred to as the oss tmm audit so it's an accurate measurement of security at an operational level that is uh void of assumptions and anecdotal evidence that's very important so again the methodology is designed to be consistent and repeatable that comes to the earlier point if you have two penetration or if you have 10 penetration testers and you give them this manual and the very same organization and you don't change anything they should come with the same results or they should have the same results at the end of performing their test if they follow this method if they follow this uh this pen testing methodology all right so uh it gives you information as um regarding it being an open source project and again you can contribute to it and you can go ahead and look at all the the discussions going on regarding its future all right so uh if you take a look at the the actual stages here it gives you what you need to know and then of course if you open that up it talks about the various controls uh the limitations and then compliance etc then what you need to do defining a scope rules of engagement as i said and of course you have the trifecta error handling disclosure very important stuff then you have security analysis uh you then have operational security metrics very very important we'll not be covering that in this course but very very important you then have trust analysis uh you have what the workflow uh human security testing so primarily dealing with uh social engineering to a certain extent uh physical security uh testing uh you then have wireless security testing uh so on and so forth enough compliance and you you get it so you can actually go through this yourself and let me know what you guys think so that's all i wanted to cover in this video we'll be using various methodologies as we move along but now that we've taken care of the foundations of pen testing we have a good understanding of what we're doing now we can actually get started with the various phases of pen testing with live examples and i hope you guys are excited about that so that's going to be it for this video and i'll be seeing you in the next video
Original Description
In this video, I explain the importance of using a penetration testing methodology and the various open-source methodologies available.
OSSTMM: https://www.isecom.org/research.html
OWASP Testing Guide: https://www.owasp.org/images/1/19/OTGv4.pdf
📈 SUPPORT US:
Patreon: https://www.patreon.com/hackersploit
Merchandise: https://teespring.com/en-GB/stores/hackersploitofficial
SOCIAL NETWORKS:
Reddit: https://www.reddit.com/r/HackerSploit/
Twitter: https://twitter.com/HackerSploit
Instagram: https://www.instagram.com/hackersploit/
LinkedIn: https://www.linkedin.com/company/18713892
WHERE YOU CAN FIND US ONLINE:
Blog: https://hsploit.com/
HackerSploit - Open Source Cybersecurity TRaining: https://hackersploit.org/
HackerSploit Academy: https://www.hackersploit.academy
HackerSploit Discord: https://discord.gg/j3dH7tK
LISTEN TO THE CYBERTALK PODCAST:
Spotify: https://open.spotify.com/show/6j0RhRiofxkt39AskIpwP7
We hope you enjoyed the video and found value in the content. We value your feedback. If you have any questions or suggestions feel free to post them in the comments section or contact us directly via our social platforms.
Thanks for watching!
Благодарю за просмотр!
Kiitos katsomisesta
Danke fürs Zuschauen!
感谢您观看
Merci d'avoir regardé
Obrigado por assistir
دیکھنے کے لیے شکریہ
देखने के लिए धन्यवाद
Grazie per la visione
Gracias por ver
شكرا للمشاهدة
#PenetrationTesting#OSSTMM
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from HackerSploit · HackerSploit · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
Wireshark Tutorial for Beginners - Installation
HackerSploit
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
Wireshark Tutorial for Beginners - Capture options
HackerSploit
Wireshark Tutorial for Beginners - Filters
HackerSploit
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
Zenmap Tutorial For Beginners
HackerSploit
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
VPN And DNS For Beginners | Kali Linux
HackerSploit
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
Steganography Tutorial - Hide Messages In Images
HackerSploit
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
Best Linux Distributions For Penetration Testing
HackerSploit
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
Terminator - Kali Linux - Multiple Terminals
HackerSploit
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
Q&A #2 - Mr Robot?
HackerSploit
Metasploit Community Web GUI - Installation And Overview
HackerSploit
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
ARP Spoofing With arpspoof - MITM
HackerSploit
WordPress Vulnerability Scanning With WPScan
HackerSploit
Generating A PHP Backdoor with weevely
HackerSploit
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
MITM With Ettercap - ARP Poisoning
HackerSploit
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit
More on: Security Basics
View skill →
🎓
Tutor Explanation
DeepCamp AI