Plan Your Penetration Testing Engagement

Learning Objectives

After completing this unit, you’ll be able to:

Describe how to plan the penetration test.
Explain the importance of pre-engagement documentation.

Determine the Penetration Test Scope

Before diving into this module, you should have a basic understanding of penetration testing and the skills of a penetration tester. We recommend that you first complete the Penetration Testing module before you begin this module.

In the Penetration Testing module, you learned about the phases of penetration testing and the skills of penetration testers. In this module we’ll dive deeper into those phases offering you an opportunity to practice your penetration testing skills.

Responsibilities of a penetration tester (or ethical hacker) extend far beyond just identifying vulnerabilities. They include understanding the importance of meticulous planning, executing tests with precision, adhering to legal and ethical standards, effectively communicating findings and recommending actionable remediations.

Penetration testing, a critical component of cybersecurity, typically involves five distinct phases:

Obtaining permission
Planning
Discovering vulnerabilities
Gaining access
Reporting findings

In the scenario below, we'll explore each phase in detail, highlighting your actions during each phase including the tools used and the potential outputs or results of each phase. At the end of each phase you will also have an opportunity to engage in a hands-on activity to help you practice the penetration testing skills relevant to that phase.

Scenario

Imagine you are a junior penetration tester at CyberSecure Inc., a company specializing in cybersecurity assessments. Your task is to conduct a penetration test on a client's business critical web application to identify potential security vulnerabilities. Here’s how you proceed through each phase:

Phase 1: Obtain Permission

There are two phases of the penetration testing process that separate ethical hackers from malicious hackers–gaining permission and reporting. Penetration testing is strictly governed by legal and ethical standards. Unlike the illegal and unethical hacking process conducted by malicious or black hat hackers, penetration testing must always be authorized by the client (e.g., system or network owner). In addition, clients must receive a final report of the penetration testing findings. Any unauthorized testing, even if not intended for harm, is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) in the United States.

Gaining permission for penetration testing is a crucial and formal pre-engagement activity that includes a legally binding contractual agreement that addresses ethical and legal considerations and explicit permission to conduct the test.

Here is a list of the kind of information that is commonly included in a permissions document:

Authorization Statement:

Explicit permission from the client allowing the penetration test to be conducted on their systems and network.

Legal Considerations:

Clauses addressing compliance with relevant laws and regulations.
Statements regarding the legality of the actions taken during the test.

Confidentiality Agreement:

Provisions for the protection and handling of any sensitive data encountered during the testing.
Non-disclosure agreements to safeguard client information.

Liability and Indemnification:

Clauses limiting the liability of the penetration testers for disruptions or damage within agreed testing parameters.
Indemnification of the testers by the client against claims arising from the authorized testing activities.

Contact Information:

Contact details of both parties and any other stakeholders who may need to be contacted during the test.
Emergency contact information for use in case of unforeseen issues.

Post-Test Actions:

Information on the deliverables, such as weekly briefings, the final report, and any post-testing meeting or debriefing.

Signatures:

Signatures of authorized representatives from both the client’s organization and the organization or individuals conducting the test, along with the date of signing.

This document serves as a formal agreement between the penetration testing team and the client, ensuring that the testing is conducted responsibly, legally, and with the full consent and understanding of all involved parties.

Your actions:

Tools Used: Documentation and project management platforms (e.g., Google Drive)
Outputs: You obtain written authorization from the client ensuring your legal protection and agreed upon high-level aspects of the penetration test.

Practice Activity: Use an online template editor or word processing application to create a professional authorization request, outlining the scope and boundaries of your intended penetration test.

Phase 2: Planning

Now that you’ve gained written permission and legal rights to perform the test, your next step is to create a detailed roadmap of how the test will be conducted. . The customer can be an external company that you provide penetration testing services to, or an internal system owner within your organization. In either case you will interview the customer to understand the following:

Customer concerns: What drives the need for a penetration test? This could include compliance issues, potential loss of revenue, reputation risks, etc.
Assets for testing: Which assets do they want to evaluate for security?? This might include systems, networks or data.
Perceived threats: What are the possible threats to the assets?
Penetration testing goals: What are the goals of the penetration test? This information helps in aligning your testing strategies with customer expectations.
Constraints: What are constraints or limitations to the penetration test?

With these insights, you can define the targets for the test such as IP addresses , subnets, domains, applications, etc.,

In this phase you also discuss with the customer the types of testing exploits to use, the level of intrusion permissible on the target and the type of test to conduct: server-side, client-side, local, network, wireless, web application, social engineering, or physical security.

For this scenario you are engaging in web application testing, but let’s look at other test types:

Test Type	Description	Sample Asset
Server-side	Targets the main computer systems that manage important data and applications, trying to access sensitive back-end information.	Organization’s main database server
Client-side	Focuses on client-side software and client devices, often using tactics such as phishing	Employee laptop or work computer
Local	Involves escalating privileges once you gain access to a system	An employee’s account with typical user access
Network	Targets the way computers talk to each other, aiming to disrupt these conversations or change the data being sent.	Routers and switches
Wireless	Tests the security of a company’s Wi-Fi network and corresponding infrastructure devices	Wi-Fi network
Web application	Tests the security of websites or apps that customers or employees use.	Financial application
Social engineering	Exploits human psychology to gain access to valuable information (e.g., passwords) or access to systems.	IT support capability (e.g., a phone call pretending to be a customer, employee or other authorized user)
Physical security	Attempts to gain unauthorized physical access to restricted areas within a building, office, or area	Server rooms

Icons representing different types of penetration tests including wireless, network, social engineering, physical, firewall, and web application.

Pre-engagement Documentation

Once you’ve answered the customer interview questions and decided on the types of testing exploits to use, the next step is to formalize this information in a scoping statement document. This document will serve as a detailed record of the planned approach for the penetration test. The primary focus of the scoping statement is to set boundaries for the penetration test, ensuring that both the tester and the client have a clear understanding of which parts of the infrastructure will be included in the test. The document typically includes details about the systems, networks or applications to be tested, the types of tests to be conducted (e.g., black box, white box, gray box), time frames, and any specific areas or elements that are out of bounds.

It’s also crucial for senior management and the members of your penetration testing team to sign off on the rules of engagement (ROE) before any testing begins. This document serves as a guide for how the penetration test will be conducted. It’s a set of guidelines or protocols that the penetration tester agrees to follow during the testing process. The ROE should clearly define the parameters of the test including the procedures for handling discovered vulnerabilities (especially critical ones), points of contact, communication protocols with the client and escalation procedures in case of unexpected problems or issues.

Your Actions:

Tools Used: Project management software (e.g., Trello or Asana) for task organization and collaboration tools (e.g., Slack) for team communication.
Outputs: You received formal acceptance of a comprehensive plan outlining the test objectives, timeline, testing methodologies, and details regarding the specific financial management web application and endpoints (e.g., login page, user dashboard and invoice generation) to be tested.

Practice activity: Use an online mind mapping tool to visually plan your penetration test. Define the scope, set clear goals, and select methodologies.

Now that you understand more about the importance of pre-engagement activities and how to plan for the penetration test, let’s turn next to implementing your plan starting with identifying potential vulnerabilities in the target system.