Planning and Preparing for a Penetration Test Engagement

Introduction

Welcome to the Planning and Preparing for a Penetration Test Engagement Practice Lab. In this module, you will be provided with the instructions needed to develop your hands-on skills.

Learning Outcomes

In this module, you will complete the following exercises:

• Exercise 1 - Explain Penetration Testing and its Importance
• Exercise 2 - Use Serpico to Generate a Penetration report
• Exercise 3 - Explain Penetration Testing Resources and Requirements
• Exercise 4 - Explain Rules of Engagement, Contract Types, and Scoping an Engagement
• Exercise 5 - Explain Different Testing Strategies
• Exercise 6 - Explain Target Selection and Threat Actors
• Exercise 7 - Explain Asset Categorization and Risk Assessment
• Exercise 8 - Explain Compliance-based Assessments
• Exercise 9 - Prepare for Penetration Test Engagement

After completing this lab, you will be able to:

• Access a List of Common Penetration Testing Tools
• Access Zenmap in Kali Linux
• Configure the Serpico Web Application
• Know about Different Types of Resource Documents
• Have an Overview of Budget Requirements and Technical Constraints
• Download Sample Penetration Testing Agreements
• Know about the Rules of Engagement
• Assess Guidelines for Planning the Penetration Testing
• Know about SOW, MSA, and NDA
• Know about the Legal Restrictions including Local and National Government
• Know about the Scopes in an Engagement
• Difference between Black Box vs. White Box vs. Gray Box
• Know about the Types of Targets and Threat Actors
• Explain Types of Assets, Risk Responses, Tolerance to Impact and Risk Appetite
• Key Aspects of Compliance-Based Assessments and their Limitations
• Know key points to prepare a team for penetration testing
• Explain Data Collection and Documentation
• Generate a Penetration Test Report with Serpico
• Explain Activity Assignment and Sequencing, Contingency Planning, Escalation Paths and Communications

Exam Objectives

The following exam objectives are covered in this lab:

• PT0-001: 1.1 Explain the importance of planning for an engagement
• PT0-001: 1.2 Explain key legal concepts
• PT0-001: 1.3 Explain the importance of scoping an engagement properly
• PT0-001: 1.5 Explain the key aspects of compliance-based assessments

Lab Duration

It will take approximately 1 hour to complete this lab.

Exercise 1 - Explain Penetration Testing and its Importance

Penetration testing (Pen test) is a simulated cyber-attack to exploit the vulnerabilities in a network and its systems. A person conducting the pentest can attempt to breach applications, protocols, Application Programming Interfaces (APIs), servers, firewalls, and anything that can be exploited on a network.

The core intent is to discover the vulnerabilities before an attacker from the outside world can and then exploit them to simulate the amount of damage that can be caused.

In this exercise, you will learn about Penetration Testing and its importance.

Learning Outcomes

After completing this exercise, you will be able to:

• Access a List of Common Penetration Testing Tools
• Access Zenmap in Kali Linux

Exercise 2 - Use Serpico to Generate a Penetration report

Serpico is a free, open-source tool available on Github. The tool is accessed through a web browser.

In this exercise, the Serpico web application will be configured and used to generate a report. Serpico is a web-based application that is used to generate reports from pre-configured templates, which can be modified to the pentesters specifications.

Learning Outcomes

After completing this exercise, you will be able to:

• Configure the Serpico Web Application

Exercise 3 - Explain Penetration Testing Resources and Requirements

The resources that should be made available to the pentester are dependent on the scope of penetration testing. There can be a variety of resources that can be made available to the pentester if they fit into the scope of penetration testing.

In this exercise, you will learn about the penetration testing resources and requirements.

Learning Outcomes

After completing this exercise, you will be able to:

• Know about Different Types of Resource Documents
• Have an Overview of Budget Requirements and Technical Constraints

Exercise 4 - Explain Rules of Engagement, Contract Types, and Scoping an Engagement

In this exercise, you will learn about the Rules of Engagement, contract types, and scoping an engagement.

Learning Outcomes

After completing this exercise, you will be able to:

• Download Sample Penetration Testing Agreements
• Know about the Rules of Engagement
• Assess Guidelines for Planning the Penetration Testing
• Know about SOW, MSA, and NDA
• Know about the Legal Restrictions including Local and National Government
• Know about the Scopes in an Engagement

Exercise 5 - Explain Different Testing Strategies

There are different types of penetration testing strategies. They are black box, white box, and grey box penetration testing.

In this exercise, you will learn about the different types of penetration testing strategies.

Learning Outcomes

After completing this exercise, you will be able to:

• Difference between Black Box vs. White Box vs. Gray Box

Exercise 6 - Explain Target Selection and Threat Actors

Penetration testing needs to have focused targets. This helps in limiting the scope of the testing.

In this exercise, you will learn about the target selection and threat actors.

Learning Outcomes

After completing this exercise, you will be able to:

• Know about the Types of Targets and Threat Actors

Exercise 7 - Explain Asset Categorization and Risk Assessment

Assets are critical for an organization. Depending on the type of asset, it will have certain risks associated with it.

In this exercise, you will learn about asset categorization and risk assessment.

Learning Outcomes

After completing this exercise, you will be able to:

• Explain Types of Assets, Risk Responses, Tolerance to Impact and Risk Appetite

Exercise 8 - Explain Compliance-based Assessments

Compliance-based assessments are designed to meet the requirements of a specific law or standard. In most scenarios, the organization must be tested and certified by an authorized agency against the defined compliance-based assessment. Not every organization needs to obtain a compliance-based certification or pass the assessments. Many organizations define their own security policies that they use to ensure their infrastructure security.

In this exercise, you will learn about compliance-based assessments.

Learning Outcomes

After completing this exercise, you will be able to:

• Key Aspects of Compliance-Based Assessments and their Limitations

Exercise 9 - Prepare for Penetration Test Engagement

After scoping the penetration testing and planning the engagement with the client, there are various activities that need to be performed. These activities are crucial to streamline the overall penetration testing project and, therefore, must be planned carefully. Some of the key activities that must be performed before the penetration test are preparing the team, activity assignment, and contingency planning.

In this exercise, you will learn about preparation for penetration testing engagement.

Learning Outcomes

After completing this exercise, you will be able to:

• Know key points to prepare a team for penetration testing
• Explain Data Collection and Documentation
• Generate a Penetration Test Report with Serpico
• Explain Activity Assignment and Sequencing, Contingency Planning, Escalation Paths and Communications