The "KillChain Compendium" is a steadily growing, organized collection of in-depth resources, insights, and practical guidance, structured within the framework of the Kill Chain methodology. It serves as a comprehensive reference manual, offering knowledge and strategies for navigating the world of hacking, penetration testing, and cybersecurity. Whether you're an aspiring hacker, a seasoned security professional, or anyone seeking to delve into the intricacies of securing digital systems, the "KillChain Compendium" provides insights into each stage of the cyber kill chain while offering notes, actionable advice and real-world examples to bolster your understanding and capabilities in this complex field.
Penetration testing, often referred to as pen testing, is a systematic and controlled process of evaluating the security of computer systems, networks, applications, and environments. The primary objective of penetration testing is simulate real-world cyberattacks to identify vulnerabilities and weaknesses that could potentially be exploited by malicious actors.
Penetration Testing Standards are guidelines and frameworks that provide best practices and methodologies for conducting thorough and effective penetraton testing activities. These Standards help ensure consistency, quality, and rigor in the penetration testing process.
The [Pentesting Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) provides the following sections for penetration testing execution
Rules of Engagement (RoE) in the context of penetration testing refer to guidelines, boundaries, and limitations that are established and agreed upon between the penetration testing team (red team) and the organization or client requesting the testing. These rules ensure that the testing is conducted in a controlled manner. They define the scope, targets, and acceptable activities for the engagement. RoE help prevent misunderstandings, conflicts, and unintended consequences dduring the testing process.
A brief summary of the steps included in the RoE are the following
* **Permissions** of the penetration testing team
* How the **Engagement** is done, e.g. internal/external pentest or adversary emulation of [advanced persistent threads](https://csrc.nist.gov/glossary/term/advanced_persistent_threat)
* **Scope** of how the tests are going to be executed, e.g. networks, IPs, exfilration of data, which stage, downtime, DDoS
* **Non-Disclosure Agreement (NDA)** as a contract describes how knowledge about sensitive data is handled
In practical terms there is a [Rules of Engagement -- Worksheet](https://sansorg.egnyte.com/dl/bF4I3yCcnt/?) provided by [SANS](https://www.sans.org/) and [a sample of RoEs](https://redteam.guide/docs/templates/roe_template/) provided by the [RedTeam.Guide](https://redteam.guide).
## Penetration Testing Campaign
A penetration testing campaign is a planned and organized series of penetration tests conducted on a specific target, like a computer system, network, or application. It involves a structured approach to identifying and addressing vulnerabilities in order to improve the overall security posture of the target.
A brief summary of the steps included are the following
* **Engagement** includes the planning and information gathering
* **Operations** includes vulnerability scanning, manual testing, analysis an communication with the client
* **Remediation** includes fixing the identified vulnerabilities, validation by re-testing, the final reporting and the lessons learned
To support your engagement, a [campaing checklist](https://redteam.guide/docs/checklists/red-team-checklist/) is provided by [RedTeam.Guide](https://redteam.guide/). A tool to support the organization of teams in an engagement is [vectr](https://github.com/SecurityRiskAdvisors/VECTR).
## Penetration Testing Methodology
Penetration testing methodologies typically follow a structured approach to
systematically identify and exploit vulnerabilities.
**Passive Reconnaissance** describes the gathering of information about the
target system or organization without directly interacting with it. This
involves searching for publicly available data, such as domains names, IP
addresses and employee information.
**Active Reconnaissance** describes the interaction with the target system to
collect more detailed information, using tools like WHOIS lookups, DNS
enumeration, and network scanning. The goal is to map out the target's network
and identify potential entry points.
### Enumeration/Scanning
**Network Scanning** is the identification of active hosts, open ports, and
services runing on these ports. This helps the penetration tester understand
the network's architecture and potential attack vectors.
**Service Enumeration** is the gathering of detailed information about services
running on open ports, such as version numbers and configurations. This
information can be sued to identify known vulnerabilities associated with
specific services.
### Gaining Access
**Exploitation** is the attempt to exploit identified vulnerabilities in order to gain unauthorized access to systems or applications. This might involve using known exploits, custom scripts, or socail engineering techniques.
**Password Attacks** describes the attempt of trying to crack passwords or gain unauthorized access by exploiting weak or default credentials.
### Privilege Escalation
**Vertical Movement** is the attempt to gain higher levels of access within the system, potentially through exploiting misconfigurations or vulnerabilities that allow for privilege elevation.
**Lateral Movement** is the attempt to move laterally within a computer system to compromise additional systems, potentially exploiting trust relationships or shared vulnerabilites.
### Covering Tracks
**Removing Evidence** describes taking steps to erase or alter any traces of the penetration testing activities to avoid detection. This might involve deleting logs, altering timestamps, or other techniques to hide the tester's presence.
**Backdooring** is the introduction of backoors to persistent access points to maintain access.
### Reporting
**Findings Documentation** includes detail of the vulnerabilities that were successfully exploited, the impact of each vulnerability, and the steps taken to exploit them.
**Risk Assessment** is the assessment of potential business impact of each vulnerability, considering factors such as data exposure, service disruption, and financial consequences.
**Recommendations** provide actionable remmediation, including prioritization of vulnerabilities based on their severity and potential impact.
**Lessons Learned** reflect on the testing process and provide insights int o the organization's security posture, including areas of strengths and improvements.