Planning and Preparing for a Penetration Test Engagement
Welcome to the Planning and Preparing for a Penetration Test Engagement Practice Lab. In this module, you will be provided with the instructions needed to develop your hands-on skills.

Learning Outcomes
In this module, you will complete the following exercises:
- Exercise 1 - Explain Penetration Testing and its Importance
- Exercise 2 - Use Serpico to Generate a Penetration report
- Exercise 3 - Explain Penetration Testing Resources and Requirements
- Exercise 4 - Explain Rules of Engagement, Contract Types, and Scoping an Engagement
- Exercise 5 - Explain Different Testing Strategies
- Exercise 6 - Explain Target Selection and Threat Actors
- Exercise 7 - Explain Asset Categorization and Risk Assessment
- Exercise 8 - Explain Compliance-based Assessments
- Exercise 9 - Prepare for Penetration Test Engagement
After completing this lab, you will be able to:
- Access a List of Common Penetration Testing Tools
- Access Zenmap in Kali Linux
- Configure the Serpico Web Application
- Know about Different Types of Resource Documents
- Have an Overview of Budget Requirements and Technical Constraints
- Download Sample Penetration Testing Agreements
- Know about the Rules of Engagement
- Assess Guidelines for Planning the Penetration Testing
- Know about SOW, MSA, and NDA
- Know about the Legal Restrictions including Local and National Government
- Know about the Scopes in an Engagement
- Explain the Difference between Black Box, White Box, and Gray Box Testing
- Know about the Types of Targets and Threat Actors
- Explain Types of Assets, Risk Responses, Tolerance to Impact and Risk Appetite
- Explain the Key Aspects of Compliance-Based Assessments and their Limitations
- Know key points to prepare a team for penetration testing
- Explain Data Collection and Documentation
- Generate a Penetration Test Report with Serpico
- Explain Activity Assignment and Sequencing, Contingency Planning, Escalation Paths and Communications
Exam Objectives
The following exam objectives are covered in this lab:
- PT0-001: 1.1 Explain the importance of planning for an engagement
- PT0-001: 1.2 Explain key legal concepts
- PT0-001: 1.3 Explain the importance of scoping an engagement properly
- PT0-001: 1.5 Explain the key aspects of compliance-based assessments
Lab Duration
It will take approximately 1 hour to complete this lab.
Exercise 1 - Explain Penetration Testing and its Importance
Penetration testing (Pen test) is a simulated cyber-attack to exploit the vulnerabilities in a network and its systems. A person conducting the pentest can attempt to breach applications, protocols, Application Programming Interfaces (APIs), servers, firewalls, and anything that can be exploited on a network.
The core intent is to discover vulnerabilities before an outside attacker can, and then to exploit them to simulate the amount of damage that could be caused.
In this exercise, you will learn about Penetration Testing and its importance.
Learning Outcomes
After completing this exercise, you will be able to:
- Access a List of Common Penetration Testing Tools
- Access Zenmap in Kali Linux
Exercise 2 - Use Serpico to Generate a Penetration report
Serpico is a free, open-source tool available on GitHub. The tool is accessed through a web browser.
In this exercise, the Serpico web application will be configured and used to generate a report. Serpico is a web-based application that generates reports from pre-configured templates, which can be modified to the pentester's specifications.
Learning Outcomes
After completing this exercise, you will be able to:
- Configure the Serpico Web Application
Exercise 3 - Explain Penetration Testing Resources and Requirements
The resources that should be made available to the pentester depend on the scope of the penetration test. A variety of resources can be made available, provided they fit within that scope.
In this exercise, you will learn about the penetration testing resources and requirements.
Learning Outcomes
After completing this exercise, you will be able to:
- Know about Different Types of Resource Documents
- Have an Overview of Budget Requirements and Technical Constraints
Exercise 4 - Explain Rules of Engagement, Contract Types, and Scoping an Engagement
In this exercise, you will learn about the Rules of Engagement, contract types, and scoping an engagement.
Learning Outcomes
After completing this exercise, you will be able to:
- Download Sample Penetration Testing Agreements
- Know about the Rules of Engagement
- Assess Guidelines for Planning the Penetration Testing
- Know about SOW, MSA, and NDA
- Know about the Legal Restrictions including Local and National Government
- Know about the Scopes in an Engagement
Exercise 5 - Explain Different Testing Strategies
There are different types of penetration testing strategies: black box, white box, and gray box penetration testing.
In this exercise, you will learn about the different types of penetration testing strategies.
Learning Outcomes
After completing this exercise, you will be able to:
- Explain the Difference between Black Box, White Box, and Gray Box Testing
Exercise 6 - Explain Target Selection and Threat Actors
Penetration testing needs to have focused targets. This helps in limiting the scope of the testing.
In this exercise, you will learn about the target selection and threat actors.
Learning Outcomes
After completing this exercise, you will be able to:
- Know about the Types of Targets and Threat Actors
Exercise 7 - Explain Asset Categorization and Risk Assessment
Assets are critical for an organization. Depending on the type of asset, it will have certain risks associated with it.
In this exercise, you will learn about asset categorization and risk assessment.
Learning Outcomes
After completing this exercise, you will be able to:
- Explain Types of Assets, Risk Responses, Tolerance to Impact and Risk Appetite
Exercise 8 - Explain Compliance-based Assessments
Compliance-based assessments are designed to meet the requirements of a specific law or standard. In most scenarios, the organization must be tested and certified by an authorized agency against the defined compliance-based assessment. Not every organization needs to obtain a compliance-based certification or pass the assessments. Many organizations define their own security policies that they use to ensure their infrastructure security.
In this exercise, you will learn about compliance-based assessments.
Learning Outcomes
After completing this exercise, you will be able to:
- Explain the Key Aspects of Compliance-Based Assessments and their Limitations
Exercise 9 - Prepare for Penetration Test Engagement
After scoping the penetration testing and planning the engagement with the client, there are various activities that need to be performed. These activities are crucial to streamline the overall penetration testing project and, therefore, must be planned carefully. Some of the key activities that must be performed before the penetration test are preparing the team, activity assignment, and contingency planning.
In this exercise, you will learn about preparation for penetration testing engagement.
Learning Outcomes
After completing this exercise, you will be able to:
- Know key points to prepare a team for penetration testing
- Explain Data Collection and Documentation
- Generate a Penetration Test Report with Serpico
- Explain Activity Assignment and Sequencing, Contingency Planning, Escalation Paths and Communications