> For the complete documentation index, see [llms.txt](https://pentest-segdesc.gitbook.io/pentesting/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://pentest-segdesc.gitbook.io/pentesting/pentest-127.0.0.1.md). # Pentest 127.0.0.1 Hi and welcome to my page! Pages do not follow any specific order. ### Penetration Testing Standards Penetration tests should not be performed without any `rules` or `guidelines`. There must always be a specifically defined scope for a pentest, and the owner of a network must have a `signed legal contract` with pentesters outlining what they're allowed to do and what they're not allowed to do. Pentesting should also be conducted in such a way that minimal harm is done to a company's computers and networks. Penetration testers should avoid making changes wherever possible (such as changing an account password) and limit the amount of data removed from a client's network. For example, instead of removing sensitive documents from a file share, a screenshot of the folder names should suffice to prove the risk. In addition to scope and legalities, there are also various pentesting standards, depending on what kind of computer system is being assessed. Here are some of the more common standards you may use as a pentester. **PTES** The [Penetration Testing Execution Standard](http://www.pentest-standard.org/index.php/Main_Page) (`PTES`) can be applied to all types of penetration tests. It outlines the phases of a penetration test and how they should be conducted. These are the sections in the PTES: * Pre-engagement Interactions * Intelligence Gathering * Threat Modeling * Vulnerability Analysis * Exploitation * Post Exploitation * Reporting **OSSTMM** `OSSTMM` is the `Open Source Security Testing Methodology Manual`, another set of guidelines pentesters can use to ensure they're doing their jobs properly. It can be used alongside other pentest standards. [OSSTMM](https://www.isecom.org/OSSTMM.3.pdf) is divided into five different channels for five different areas of pentesting: 1. Human Security (human beings are subject to social engineering exploits) 2. Physical Security 3. Wireless Communications (including but not limited to technologies like WiFi and Bluetooth) 4. Telecommunications 5. Data Networks **NIST** The `NIST` (`National Institute of Standards and Technology`) is well known for their [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework), a system for designing incident response policies and procedures. NIST also has a Penetration Testing Framework. The phases of the NIST framework include: * Planning * Discovery * Attack * Reporting **OWASP** `OWASP` stands for the [Open Web Application Security Project](https://owasp.org/). They're typically the go-to organization for defining testing standards and classifying risks to web applications. OWASP maintains a few different standards and helpful guides for assessment various technologies: * [Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/) * [Mobile Security Testing Guide (MSTG)](https://owasp.org/www-project-mobile-security-testing-guide/) * [Firmware Security Testing Methodology](https://github.com/scriptingxss/owasp-fstm) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pentest-segdesc.gitbook.io/pentesting/pentest-127.0.0.1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.