The Open Source Security Testing Methodology Manual (OSSTMM)

This methodology tests the operational security of physical security, human interactions, and all forms of communications (wireless, analog, wired, digital etc.). The OSSTMM aims to provide the tester with verified information, specific to the needs at hand, on which to base security decisions[6]. In this way, the test cases the manual provides result in proven facts that offer actionable, measurable information for improving one's operational security. For this very reason OSSTMM has been selected; being open source, it also makes a wider scope of testing guidance accessible. The OSSTMM starts by tracking what you test (the targets), how you test them (the parts of the targets tested, rather than the tools or techniques used), the types of controls discovered, and what was not in scope (the parts of the target not tested). To do this more efficiently, we will be following the OSSTMM 4 Point Process[7].

The 4 Point Process

The Four Point Process (4PP) breaks down a test from start to conclusion. The aim of this methodology is not to confuse the formalities of dissecting the process with the formality of reporting, but rather to understand how you got from point A to point B. The process is broken down into four points: Induction, Inquest, Interaction and Intervention[8].

Induction

The first step of the 4PP guides the tester to establish the principal truths about the target from an environmental perspective. The analyst determines factual principles regarding the target's influence in relation to its environment[8]. Where the target is not influenced by its environment, there exists an anomaly to be understood. In this use case, we will be using tools like nmap[9] to investigate the Kali interface, the vulnerable website, the browser etc. These tools provide options like port scanning, network sweeping and OS fingerprinting, which are quite useful when learning about the environment.

Inquest

In this step, the analyst or tester investigates the emanations from the target and the indicators that reveal their origins[10]. In the scenario with Mutillidae, the Inquest step will take the shape of enumeration of the web server where Mutillidae is hosted. A good tool for this purpose can be nikto[11], which is a web server security scanner, or Nessus, which is also a vulnerability scanner.

Interaction

This step involves probing and testing interactions with the target to trigger responses, based on the information gathered in the previous steps. The analyst will agitate the target to trigger responses for further analysis[10]. Good tools for this step are DirBuster and Burp Suite. DirBuster provides the ability to brute-force directory and file names on web/application servers[12]. Burp Suite is a Swiss Army knife, in the sense of having many perks and functionalities. One of its functionalities is to capture requests, make the necessary modifications and forward the request to see how the web server or application behaves, amongst other things[13].

Intervention

In this step, the tester will change the resource interactions with the target, or between targets. The tester intervenes with the behaviour the web/application server requires from its environment, or from interactions with other targets, to understand the extremes under which it can continue operating adequately[10]. For this step, the tool used will be Burp Suite, injecting payloads into the Mutillidae server.

Head over to Mutillidae XSS Dive to check out how we exploit XSS using this methodology.

References

[6] 2021. OSSTMM 3 Contemporary Security Testing and Analysis. [ebook] p.3. Available at: https://www.isecom.org/OSSTMM.3.pdf
[7] 2021. OSSTMM 3 Contemporary Security Testing and Analysis. [ebook] p.4. Available at: https://www.isecom.org/OSSTMM.3.pdf
[8] 2021. OSSTMM 3 Contemporary Security Testing and Analysis. [ebook] p.45. Available at: https://www.isecom.org/OSSTMM.3.pdf
[9] Nmap.org. 2021. Nmap: the Network Mapper - Free Security Scanner. [online] Available at: https://nmap.org/
[10] 2021. OSSTMM 3 Contemporary Security Testing and Analysis. [ebook] p.46. Available at: https://www.isecom.org/OSSTMM.3.pdf