Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cybersecurityup/pentest-consulting-creator
Repository with some necessary information for you to create your PenTest consultancy
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/cybersecurityup/pentest-consulting-creator
- Owner: CyberSecurityUP
- Created: 2022-09-23T02:25:33.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2022-09-23T03:22:43.000Z (over 2 years ago)
- Last Synced: 2023-03-05T07:48:48.918Z (almost 2 years ago)
- Size: 14.8 MB
- Stars: 90
- Watchers: 2
- Forks: 25
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# PenTest-Consulting-Creator
Repository with some necessary information for you to create your PenTest consultancy

PwnDoc is a pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report.
- https://github.com/pwndoc/pwndoc

Curated list of public penetration test reports released by several consulting firms and academic security groups.
- https://github.com/juliocesarfort/public-pentesting-reports

## PenTest Calculator Cost
- https://go.cobalt.io/roi/
- https://www.mangoldsecurity.com/cost-estimator/

## PenTest Checklist
- https://pentestbook.six2dez.com/others/web-checklist
- https://github.com/harshinsecurity/web-pentesting-checklist
- https://github.com/Hari-prasaanth/Web-App-Pentest-Checklist
- https://book.hacktricks.xyz/mobile-pentesting/ios-pentesting-checklist
- https://book.hacktricks.xyz/mobile-pentesting/android-checklist

## PenTest Methodology
PTES
- http://www.pentest-standard.org/index.php/Main_Page

OSSTMM
- https://www.isecom.org/OSSTMM.3.pdf

NIST 800-115
- https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

ISSAF
- http://cuchillac.net/archivos/pre_seguridad_pymes/2_hakeo_etico/lects/metodologia_oissg.pdf

OWASP Test Guide
- https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf

## Timeline PenTest
Planning – 1-2 Weeks: Includes the contract execution, initial deposit, scheduling of resources, and review/agreement of the project Rules of Engagement (ROE).
Execution – 2-3 Weeks: This phase is when active testing of all in-scope targets is set to occur – the length of this phase varies by project and is directly related to the size/scope of the assessment.
Analysis, Documentation, and Quality Assurance – 1 Week: Document preparation including the Executive Summary Report and Technical Findings Report. This phase may also include some minimal testing and manual interactions with the in-scope targets to validate findings identified during the original execution of the test or gather more detail.
Presentation of Findings – 1 Day: Scheduled after all documentation and QA is complete, this is the final step to review findings, address questions, and wrap up the project.
## Bureaucracy
- Understand the bureaucratic requirements of the country you work in, whether for opening a company, providing services, or holding the proper credentials to operate.
- Structure your portfolio of PenTest services well: the types of tests you do, how you perform them, and the methodology used in each one.
## Certifications
- CEH
- OSCP
- eCPPT
- eCPTX
- eWPT
- GPEN
- GWAPT
- CREST CPSA
- CRTO
- CRTL
- OSWE
- OSEP
- CRTP
- CARTP

## Toolkits
- What tools do you use?
- Do you have trading tools?
- Do you have partnerships for the services you offer, for example to assist with remediation, protection and mitigation of risk?
- How are your tools licensed, for example Burp, Cobalt Strike, Exploit Pack and others?
## CVEs, CVSS, NVD
- CVE

  A list of entries, each containing an identification number, a description, and at least one public reference, for publicly known cybersecurity vulnerabilities. CVE does not provide severity scoring or prioritization ratings for software vulnerabilities.
- CVSS

  Operated by the Forum of Incident Response and Security Teams (FIRST), CVSS is used to score the severity of software vulnerabilities identified by CVE Entries.
- NVD NIST

  Provides a free CVSS calculator for CVE Entries.
- Report your CVE

  When you find a 0day, you can report the vulnerability to the company that owns the solution or to a third party, depending on the case, then wait for a positive result and get your CVE, depending on the vulnerability.

Tutorial Report
https://drive.google.com/file/d/1pfZbOm_dExehIqGHLPtjWm2GJ4UUMMJK/view?usp=sharing

## PenTest Report Writing
- https://www.youtube.com/watch?v=J34DnrX7dTo
- https://www.youtube.com/watch?v=NEz4SfjjwvU
- https://www.youtube.com/watch?v=6QIrXgPGJhM
- https://www.cobalt.io/blog/how-to-write-an-effective-pentest-report-vulnerability-reports