lptv4 module 15 pre penetration testing checklist_norestriction

ECSA/LPT, EC-Council Module XV: Pre-Penetration Testing Checklist

Upload: mahmoud-eladawi

Post on 08-Nov-2014


EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

List of Steps

1. Gather information about the client organization’s history and background
2. Visit the client organization premises to become familiar with the surroundings, car park, facilities, restaurants
3. List the client organization’s penetration testing requirements
4. Obtain penetration testing permission from the company’s stakeholders
5. Obtain detailed proposal of test and services that are proposed to be carried out
6. Identify the office space/location your team would be working on for this project
7. Obtain temporary identification cards from the organization for the team members involved in the process
8. Identify who will be leading the penetration testing project (chief penetration tester)
9. Request previous penetration testing reports/vulnerability assessment reports from the client organization (if possible)
10. Prepare rules of engagement that list the company’s core competencies/limitations/timescales
11. Hire a lawyer who understands information technology and can handle your penetration testing legal documents
12. Prepare the penetration testing legal document and get it vetted by your lawyer
13. Prepare a Non-Disclosure Agreement (NDA) and have the client sign it
14. Obtain (if possible) liability insurance from a local insurance firm
15. Identify your core competencies/limitations
16. Allocate a budget for the penetration testing project (X amount of dollars)
17. Prepare a tiger team
18. List the security tools that you will be using for the penetration testing project
19. List the hardware and software requirements for the penetration testing project
20. Identify the client’s security compliance requirements
21. List the servers, workstations, desktops, and network devices that need to be tested
22. Identify the type of testing that would be carried out - Black Box or White Box testing
23. Identify the type of testing that would be carried out - announced/unannounced
24. Identify local equipment required for pen test
25. Identify local manpower required for pen test
26. List the contact details of key personnel of the client organization who will be in charge of the penetration testing project
27. Obtain the contact details of the key person at the client company during an emergency
28. Points of contacts during an emergency
29. List the tests that WILL NOT BE carried out at the client network
30. Identify the purpose of the test you are carrying out at the client organization
31. Identify the network topology in which the test would be carried out
32. Obtain special permission if required from local law enforcement agency
33. List known waivers/exemptions
34. List the contractual constraints in the penetration testing agreement
35. Identify the reporting timescales with the client organization
36. Identify the list of penetration testers required for this project
37. Negotiate the per-day/per-hour fee that you will be charging for the penetration testing project
38. Draft the timeline for the penetration testing project
39. Draft a quotation for the services that you will be providing to the client organization
40. Identify how the final penetration testing report will be delivered to the client organization
41. Identify the reports to be delivered after the pen test
42. Identify the information security administrator of the client organization who will be helping you in the penetration testing assignment (if possible)

Step 1: Gather Information about Client Organization’s History and Background

Penetration testing assesses the security model of the organization as a whole.

Before starting the penetration testing for an organization, gather some information about that company.

Search the websites and gather the history and background of the client organization for which you are going to perform the penetration testing.

Step 2: Visit the Client Organization Premises to become Familiar with the Surroundings, Parking, Facilities, Restaurants

Visit the premises of the client organization for more information on its physical infrastructure.

Check for facilities like car parking levels, restaurant, restroom, lift, club, swimming pool.

Make yourself comfortable with all the facilities so that you will not face difficulty while checking for the physical security of the client organization as a part of your assignment (in case the client wants you to do it).

Examine the work areas where most employees would utilize the equipment.

Check the network equipment room where the routing setup is secured.

Alternately, check the server room.

Inspect the area where the testing team carries out its work.

Step 3: List the Client Organization’s Penetration Testing Requirements

Requirements of a penetration test vary with different clients.

Penetration testing requirements depend on the nature of work, criticality of data, legal issues, and business model of the client organization.

A client organization may ask the penetration tester to conduct some or all the tests listed below:
• Internal/external testing
• Whitebox/Blackbox testing
• Announced/unannounced testing
• Testing according to the number of IPs
• Physical/security policy testing
• Testing a particular server/service

Step 4: Obtain Penetration Testing Permission from the Company’s Stakeholders

A corporate stakeholder is a party who affects, or can be affected by, the company’s actions.

A narrowly defined list of stakeholders might include:
• Employees.
• Customers.
• Shareholders.
• Investors.

The company stakeholders must give a go-ahead for your penetration test. Request the client organization to obtain permission from the stakeholders in order to avoid future litigation.

Step 5: Obtain Detailed Proposal of Test and Services that are Proposed to be carried out

The nature and intensity of a penetration test should be described in detail by the client organization.

Ask the client to submit a detailed proposal for the penetration test that is to be carried out.

The proposal sheet should list the number of IPs that need to be tested, the type of test, and the number of tests that need to be carried out, specifying the test details.

Step 6: Identify the Office Space/Location your Team would be Working in for this Project

Penetration testing is a time-consuming process (depending on the client organization’s testing requirements).

You need to make sure that the space provided for you and your team at the office premises of the client organization is comfortable, spacious, and airy.

The location should have easy access to restrooms and cafeteria, and should have restricted access for other employees of the client organization.

Step 7: Obtain Temporary Identity Cards from the Organization for the Team who are Involved in the Process

After getting the physical location to carry out the test process, request the organization to provide a temporary identity card to all the penetration testers.

Use this identity card as an access card to get into the company.

Make sure that each tester involved in the penetration testing at the client’s organization has a unique identity or access card.

Step 8: Identify who will be Leading the Penetration Testing Project (Chief Penetration Tester)

Your penetration testing team should have a mix of qualified professionals from different domains.

The testing team will be led by a chief penetration tester who will lead the project and be a point of contact for the management of the client organization.

The chief penetration tester plays a key role in delivering the project, handling issues related to testing, and maintaining the team.

Step 9: Request from the Client Organization for Previous Penetration Testing Report/Vulnerability Assessment Reports (If Possible)

Organizations retain a copy of the penetration testing report for future reference.

Request previous penetration testing reports from the client organization so that you will have a clear idea of the problems that existed in the past.

Most organizations will not be willing to share their penetration test report with you.

TRY YOUR LUCK!

Step 10: Prepare Rules of Engagement that Lists the Company’s Core Competencies/Limitations/Timescales

Identify the core competency of the client organization:
• Core competency is something that a firm can do well and that meets the following three conditions specified by Hamel and Prahalad (1990):
  • It provides customer benefits.
  • It is hard for competitors to imitate.
  • It can be leveraged widely to many products and markets.

Identify limitations of the client organization:
• Your rules of engagement should list points that limit your testing ability due to restrictions (if any) from the client organization.

List the timescale:
• Time scale is the time in which the organization carries out its operations. The tester should be ready for flexible timing which will not affect the organization.

Step 11: Hire a Lawyer who Understands Information Technology and can Handle your Penetration Testing Legal Documents

Hire a lawyer who can understand technology and related matters.

A legal document related to the penetration testing needs to be signed by you before you start your penetration testing assignment. Get the document vetted by your lawyer before you sign.

A lawyer who understands information technology and risks associated with the penetration testing will be able to render his/her professional service more efficiently.

Step 12: Prepare PT Legal Document and get it Vetted by your Lawyer

After getting the legal document from the client organization, study it with the help of a lawyer.

Based on the document given by the organization, prepare a penetration testing document and check it with the lawyer you have appointed.

This document contains information related to legal aspects of testing and the scope of the project.

Step 13: Prepare Non-Disclosure Agreement (NDA) and have the Client Sign it

A non-disclosure agreement is an agreement that contains confidential information.

Your lawyer should vet the NDA form before you ask the client to sign.

Include clauses which will highlight the fact that you and your team will not disclose any information divulged by the client during the course of the penetration test.

The NDA should also be aimed at protecting your interests.

Step 14: Obtain (if possible) Liability Insurance from a Local Insurance Firm

Try to obtain liability insurance from the local insurance company to protect your interests in case the client organization files a lawsuit against you for bringing their network down during the penetration test.

Step 15: Identify your Core Competencies/Limitations

Identify the core competencies and limitations of the tester who is going to perform the test.

Core competencies of the tester mainly include:
• Network Management
• Program Management
• Data Administration
• Risk Management

Limitations of penetration testers:
• Configuration problems.
• No technical knowledge of technologies newly acquired by the client.

For example, you might be proficient in Windows Platform but will not be in Sun Solaris.

Step 16: Allocate a Budget for the Penetration Testing Project (X amount of $)

Prepare a budget that contains the cost of expenses required to perform the testing.

Budget includes:
• Traveling expenses for official purposes.
• Lodging expenses.
• Food expenses.
• Stationery expenses.
• Expenses spent for entire team.

Step 17: Prepare a Tiger Team

A tiger team consists of licensed penetration testers taken from different disciplines.

This team mainly consists of:
• Database penetration testers.
• Firewall penetration testers.
• Cisco penetration testers.
• Oracle penetration testers.
• Report writers, and so on.

This tiger team is managed by the chief penetration tester.

Step 18: List the Security Tools that you will be using for the Penetration Testing Project

Tools required to perform the penetration testing are:
• Port scanners (e.g., Nmap, Firewalk, SuperScan).
• Vulnerability scanners (e.g., Nessus, SAINTexploit and Metasploit, X-scan).
• Application scanners (e.g., AppScan, WebInspect).
• Firewall tools (e.g., Firestarter, Fwlogwatch).
• Sniffers (e.g., Wireshark, Kismet).
• VPN/tunneling tools.
• Access control tools.

• Cryptography tools.
• DNS tools.
• Fingerprint/OS detection tools (e.g., queso, siphon-v.666, and Winfingerprint).
• Hijacking tools (e.g., pasvagg.pl, sw-mitm tool).
• HTML tools (e.g., WebSnake).
• IDS tools (e.g., AIDE, HostSentry, Logcheck, PortSentry, Snort, Swatch, Tripwire).
• Miscellaneous tools (e.g., Copernic, Genius, and ucd-snmp).
• NetBIOS tools (e.g., enum, nbnbs, NetBIOS Auditing Tool).
• Network management/monitoring tools (e.g., analyzer, cheops, ciscoconf, IP-Watcher, ipaudit, iplog, netsaint, and sting).
• Novell tools.

• NT-specific tools (e.g., ELDump, NetViewX, WsSes).
• Password tools (e.g., ChkLock, MakePWL, ZipPassword).
• Packet tools (e.g., isic, nemesis, NeoTrace, SendIP).
• Phone tools (e.g., THC-PBX, ToneLoc).
• Ping tools (e.g., icmpquery, sping, netping, Visual Route).
• Promiscuous mode detection tools (e.g., CommView, sentinel).
• Remote tools.
• Root kits.
• Steganography tools (e.g., Blindside, gifshuffle, Hide4PGP, JPHIDE and JPSEEK, SteganoGifPaletteOrder, Steganos, Stego, wbStego).

Step 19: List the Hardware and Software Requirements for the Penetration Testing Project

The configuration mentioned below is meant for a laptop.

Ideal hardware configuration includes:
• Intel Core Duo Processor.
• 2 GHz speed.
• 2 GB RAM.
• 120 GB storage capacity.

Ideal software configuration includes:
• IIS server.
• Application servers.
• MS Office 2007.
• Operating systems: Windows 2003 Server, Vista, Linux, and Macintosh.

Step 20: Identify the Client’s Security Compliance Requirements

Major requirements for client security compliance are:
• Administrative procedures.
• Physical safeguards.
• Technical security services.
• Technical security mechanism.
• Standards.

Step 21: List the Servers, Workstations, Desktops and Network Devices that need to be Tested

Servers that need to be tested include:
• IIS servers.
• Application servers:
  • Client application server.
  • Web application server.
• Windows servers.
• Unix/Linux servers.

Workstations and desktops that need to be tested include:
• Number of workstations per department in case there are multiple departments within the organization.

Some network devices that need to be tested are:
• Routers.
• Hubs.
• Switches.
• Modems.
• Network load balancers.

Step 22: Identify the Type of Testing that would be carried out - Black Box or White Box Testing

The two basic tests typically performed are:
• White box testing.
• Black box testing.

White box testing:
• Is carried out with complete knowledge of the infrastructure such as IP address range of the target network and network devices, OS version, etc.
• Is also called a complete-knowledge test.

Black box testing:
• Is carried out without any prior knowledge of the infrastructure.
• Is also called zero-knowledge testing.

Step 23: Identify the Type of Testing that would be carried out - Announced/Unannounced

Testing can be done in the following ways:
• Announced
• Unannounced

Announced: Announced testing is done after a proper announcement to the employees/administrative heads of the organization before starting the test.

Unannounced: In this process, testing is carried out without giving any information to the employees/administrative head of the organization.

Step 24: Identify Local Equipment Required for Pen Test

The list of local equipment required to perform the penetration test is as follows:
• Category 5 (CAT5) taps and speed
• Fibre taps/converter
• Local Internet access:
  • Filtered
  • Unfiltered
  • Downloads/exports allowed
• Separate allocation of office space for the testing team
• 24 hours power availability with generator facility
• Places for refreshment like cafeterias, bakeries, confectionaries, and so on.

Step 25: Identify Local Manpower Required for Pen Test

The list of local manpower requirements to perform the penetration testing is as follows:
• Application administrator.
• Database administrator.
• Network administrator.
• Operating system administrator.

Step 26: List the Contact Details of Key Personnel of the Client Organization who will be in Charge of the Penetration Testing Project

A key person will be appointed by the organization to take the lead of the project from their side.

Some important contact details include the risk manager, database administrator, network administrator, or a system administrator.

The contact details may include:
• Name of the personnel.
• Department.
• Role.
• Mobile number.
• Email address.
• Office contact number.

Step 27: Obtain the Contact Details of the Key Personnel for Approaching in case of an Emergency

Gather the contact details from the key personnel for approaching him/her in case of emergency.

Emergency situations include fire, electric breakdown, etc.

Step 28: Points of Contacts During an Emergency

Note the contact details of penetration testers:
• Risk manager
• Database administrator
• Local security officer
• System administrator
• Networking administrator
• Internet Service Provider (ISP)

Step 29: List the Tests that will not be carried out at the Client Network

The type and timeline for the tests to be conducted depend on the client organization.

You cannot expect an e-commerce company to allow a DoS test on their website.

Step 30: Identify the Purpose of the Test you are carrying out at the Client Organization

The main purpose of the test is to:
• Safeguard the organization from failure.
• Prevent financial loss through fraud.
• Identify the key vulnerabilities.
• Improve the security of technical systems.

Step 31: Identify the Network Topology in which the Test would be carried out

Network topologies include:
• Bus.
• Star.
• Mesh.
• Ring.
• Tree.

Step 32: Obtain Special Permission if Required from Local Law Enforcement Agency

Testers usually work on an intranet to test the network, but if we want to perform the test outside a network then we have to obtain special permission from the local law enforcement agency.

Step 33: List known Waivers/Exemptions

A waiver is the voluntary relinquishment or surrender of some known right or privilege. While a waiver is often in writing, sometimes a person's actions can act as a waiver. An example of a written waiver is a disclaimer, which becomes a waiver when accepted. Other names for waivers are exculpatory clauses, releases, or hold harmless clauses.

Sometimes the elements of "voluntary" and "known" are established by a legal fiction. In this case, it is presumed one knows his or her rights and that those rights are voluntarily relinquished if they are not asserted at the time.

Step 34: List the Contractual Constraints in the Penetration Testing Agreement

Check for service level agreements in the project that may affect the scope of the test.

Accept a waiver or privilege letter to perform this testing from the contractual partners.

Step 35: Identify the Reporting Timescales with the Client Organization

Identify the reporting timescales from the client organization.

These reporting timescales include:
• Normal timescale for project.
• Local requested timescale for project.
• Distribution list of the project.

Step 36: Identify the List of Penetration Testers Required for this Project

Different testers required to perform this testing are as follows:
• Database penetration testers
• Firewall penetration testers
• Application penetration testers

Step 37: Negotiate per Day/per Hour Fee that you will be Charging for the Penetration Testing Project

Based on the work performed by the team of testers, negotiate the fee on either an hourly or a daily basis.

Salary negotiation will be handled by the chief penetration tester and it will be distributed as per the rules of the client organization.

Step 38: Draft the Timeline for the Penetration Testing Project

Based on the size of the organization and the number of IPs to be tested, prepare a timeline for the completion of testing.

Draft this timeline in three parts:
• Starting time of the project
• Project milestones
• Project completion

A timeline is the total time required to finish the project.

Step 39: Draft a Quotation for the Services that you will be Providing to the Client Organization

Prepare a quotation that contains the details of services that you are going to provide for the client organization.

The quotation includes the total services for performing the test in the organization, like size and scope of the project.

List the services in the form of a quotation that includes all the amenities that are required to perform the test.

Step 40: Identify how the Final Penetration Testing Report will be Delivered to the Client Organization

The final report is prepared based on the test performed in the organization.

Discuss with the client organization about the report format that they expect you to give at the end of your penetration test.

Reports can be given in any of the below listed formats:
• PDF
• HTML
• Hard copy

Step 41: Identify the Reports to be Delivered After Pen Test

The various reports provided after completion of the penetration testing process are as follows:
• Network test reports
• Client-side test reports
• Web application test reports

Step 42: Identify the Information Security Administrator of the Client Organization who will be helping you in the Penetration Testing Assignment (if possible)

Identify an administrator who is responsible for securing information in the organization.

During the assignment of penetration testing, take the help of the information security administrator.

You Are Ready to Start the Penetration Test

Get Ready for the Drive