Chapter 2
EXAM OBJECTIVES
Good penetration testers know that before starting a penetration test, they must spend time with the customer scoping out the project and setting the rules of engagement. Planning and scoping is a critical phase of the pentest process, as too often penetration testers dive right into trying to compromise systems without giving any thought to the ramifications of their actions. Not planning the penetration test properly can result in crashing the customer’s systems or network (causing loss in production and revenue) and triggering intrusion detection systems. A lack of planning can also create legal problems due to a failure to obtain proper authorization to perform the penetration test.
In this chapter, you learn the importance of planning for the penetration test by jumping into the first phase of the CompTIA penetration testing process: planning and scoping.
The CompTIA PenTest+ certification exam is sure to have a few questions regarding the legal concepts surrounding a penetration test that come into play during the planning and scoping phase. The following sections outline the three most important concepts you should be aware of: obtaining written authorization, contract types, and the importance of disclaimers.
It is illegal to hack into systems without proper authorization from the owner of the asset being compromised. As a penetration tester, you have to remember this. Before any pentest can start, you must first get written permission in the form of a signed contract from the customer in order to conduct the work. Once the contract is signed, you then schedule a planning and scoping meeting with the customer so that you can identify the goals for the penetration test, identify what should be tested, and understand how far the testing should go.
It is important to understand that often this authorization cannot come from an office manager, IT manager, or local network administrator, as they are not the owners of the assets being tested. It is critical you get authorization from the owners of the assets, such as the company owner, or from a member of upper-level management who has signing authority.
In addition, cloud virtualization has become a major resource for companies, as it provides high availability and access to resources from anywhere. During pre-engagement discussions, verify whether any in-scope resources are hosted in the cloud. The underlying infrastructure belongs to the cloud provider, so before testing those resources you need the provider's authorization, or at minimum you must comply with the provider's published penetration-testing policy, which typically prohibits certain test types (such as denial of service) outright.
Before starting the penetration test and typically before you start scoping out the project, you will receive a signed contract that is essentially hiring you for the service. These contracts are designed to protect the contractor from liability if something goes wrong with the penetration test, and protect the customer from sensitive data leakage on the part of the contractor.
The CompTIA PenTest+ certification exam refers to three main types of contracts:
During the pre-engagement discussions, and in the SOW itself, include two disclaimers that set the customer's expectations about what the penetration test does and does not cover.
First, you should have a disclaimer that states that the penetration test is a point-in-time assessment — meaning you have tested against known vulnerabilities and exploits as of the current date. As time goes on and new software and systems are installed on the network, your assessment would not have tested those new items.
Second, you should have a disclaimer that indicates that the comprehensiveness of the penetration test is based on the types of tests authorized by the customer and the known vulnerabilities at the time. For example, if the customer requests that no denial of service (DoS) attacks are performed (which is common), your penetration test would not have tested how the company stands up against a DoS attack. This disclaimer will help protect you if the customer is hit with a DoS attack after the penetration test is performed.
During the pre-engagement activities, it is important to have an initial meeting with the customer that allows you to discuss the scope of the project and get an understanding of what the customer’s goals are for the penetration test.
When preparing for the initial meeting with the customer, you should plan out scoping questions that will help you understand the magnitude of the project. Some common questions to ask when determining the scope of the pentest are:
In a black box test (discussed in Chapter 1), the penetration tester is typically responsible for discovering the target services, and some would argue the target IP addresses as well. Even so, insist that the customer supply the target IP ranges and domain names, because that list is what your written authorization covers. If the tester is left to discover the addresses, especially external ones, there is a real risk of testing an address that belongs to someone else, which is unauthorized access no matter how the address was found.
Depending on the type of testing being performed, there are a number of other questions you can ask during the scoping of the project. The Penetration Testing Execution Standard (PTES) website, found at www.pentest-standard.org, has an extensive list of questions you can ask. The following sections list example questions for each type of test.
As part of the planning and scoping phase of the CompTIA penetration testing process, it is important to define the rules of engagement for the penetration test. The “rules of engagement” refer to any restrictions and details in regard to how the customer wants the penetration test performed. Following are some points covered by the rules of engagement:
During the pre-engagement activities, it is important to determine the target audience for the penetration test and the reason the pentest is being performed. Many companies state that the primary goal of the penetration test is to verify that their systems are secure by seeing how they hold up to real-world attacks. Another goal may be to see how the security team (known as the blue team) defends against the attacks, and to verify the effectiveness of the security controls in place (such as intrusion detection systems and firewalls). As a secondary goal, the company may need to comply with regulations that require a penetration test to be performed regularly.
It is important to know why the pentest is being performed, but also who it is being performed for. The pentest report will need to be written to satisfy the goals of the pentest and be written to include information for the intended audience. For example, upper-level management may just want an executive summary that states how the company held up to the pentest, while the network administrators and security team may want more details on the vulnerabilities that still exist within their systems.
In addition to determining the target audience for the penetration test and the reason the pentest is being performed, it is also important to determine who the penetration testing team is to communicate with during the pentest. This includes determining when updates are delivered to the contact person and also who to contact in an emergency, such as a system or network segment crashing as a result of the pentest.
Following are some common questions you can ask during the pre-engagement phase to determine communication paths:
As a pentester you also want to make sure you have collected proper contact information in case of an emergency, such as a system or an entire network segment going down. Following is the key information you should collect about the customer in case of emergency:
When defining the rules of engagement for the pentest, you also want to ensure that you discuss key points surrounding the company’s different resources such as the targets to focus on and who to communicate the results with. You learn earlier in this chapter about a few questions you should ask in relation to resources, but let’s discuss a bit more about resources and requirements.
A key point to discuss is the confidentiality of the updates given and the results of the penetration test. Determine with the customer who are the authorized persons to receive updates on the progress of the penetration test, who to go to in case of emergency, and who the penetration results (the report) should go to. Be clear that you will be unable to communicate details of the penetration test to anyone not on this authorized list.
During the pre-engagement phase, agree with the customer on the targets for the penetration test and on how to handle a device discovered on the network that is not on the target list, such as an unauthorized access point, VPN server, or router. If you discover a non-targeted device that exposes the client's network or weakens its security, stop the penetration test and ask the authorized contacts how they want to proceed. Do not test the device on your own initiative, as it is outside your written authorization.
When planning for the penetration test, be sure to request all potential resources available to help you determine the number of targets and to learn a bit more detail about the targets. The first important resource to request is documentation: ask for network diagrams identifying servers, routers, switches, and network segments to help you better prepare for the penetration test.
You can request a number of other support resources from the customer:
A big part of the pre-engagement activities is determining the cost of the penetration test. Once you have an idea of the size of the organization and the target resources for the penetration test, you can then work on calculating the cost of the pentest based on the man-hours you expect it to take and the cost per hour for the consultants. As the Penetration Testing Execution Standard (PTES) recommends, you should add 20 percent additional time to the estimated man-hours to accommodate any incidents that may slow down the penetration test. This will help the customer better understand the budget for the penetration test, and you can always lower the cost if you like once the job is complete. Customers are usually okay with the final cost ending up lower than what was quoted, but not happy if the cost goes up.
You also need to determine how payments are going to be scheduled. For smaller projects, you could do a net 30 days after the final report has been delivered, or for medium-sized and larger projects, you could go with a regular ongoing payment schedule that has the customer paying quarterly throughout the duration of the project. For larger jobs, some consultants ask for half of the payment upfront and then additional payments later on.
As discussed in “Disclaimers” earlier in this chapter, during the pre-engagement phase, it is critical that you communicate to the customer the risk or impact a penetration test can have on the company’s systems and the network. It is important that you try not to crash systems, and that you test all tools and techniques before using them on your customer’s systems, but in the end, the tools you are using are hacking tools, and they may have unexpected results in different environments. You must state that there is a risk to crashing a system or network in your contract, but stress during your discussions with the customer that you have tested the tools and will not intentionally try to crash systems.
The penetration test report includes remediation steps that the customer needs to take to better secure their assets. It is critical that, after the customer implements these fixes, the affected assets are retested to confirm that the original exploits no longer succeed. Account for this retesting in your budget estimate, and set a deadline by which the remediation steps must be completed, along with how long after report delivery the retest is covered in the price.
During the planning and scoping phase, you need to define the targets for the penetration test. The contract agreement should have a section on target selection that specifies the systems that are the targets of the pentest. Let’s take a look at common targets for a penetration test.
When performing a penetration test, you will be working with internal targets, external targets, or both. An internal target is a system that exists inside the corporate network and is not accessible from the Internet because it is behind firewalls. An external target is a system that is reachable from the Internet and resides in the demilitarized zone (DMZ) network or in the cloud.
You will need to determine what internal systems (targets) should be tested and obtain the internal IP addresses or domain names for these assets. For example, you’ll need to obtain the internal addresses of the intranet servers, mail servers, file servers, or network-attached storage (NAS) devices, to name just a few. When identifying the internal assets and IP ranges, it is important to identify if those assets are on-site or off-site. On-site resources are systems and devices that exist on the network at the location being assessed, while off-site resources could be systems in the cloud, at an alternate site, or maybe resources that are mobile like a network on a boat or other vehicle. When conducting a pentest of the internal network, you may have to visit different locations to perform the penetration test, which should be reflected in the budget.
You will also want to be sure to determine the external IP addresses and domain names of systems to pentest. This is critical to verify as you do not want to try to exploit an external address not owned by the customer.
As I mention earlier in this chapter, you need to verify where the targets are being hosted, whether by the customer (first party) or by an outside company (third party). If systems are hosted by a third-party company such as an ISP or cloud provider, you need to get authorization from the third party to perform the pentest on those assets.
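The scope rule stated above and in the scoping discussion earlier in this chapter (the customer supplies the authorized IP ranges and domain names; anything discovered outside that list is raised with the customer contact rather than tested; and addresses hosted by a third party are not touched without that party's authorization) is easy to state but easy to violate under time pressure. The following Python script is an added example, not code from this book, of a scope gate the test team can run over every candidate target before any scanning or exploitation starts. The address ranges, domain, excluded production host, and discovered-host list are constructed for illustration and are assumptions, not values from the chapter.

```python
"""Scope gate for a pentest target list (added example, not from the book).

Run every candidate target through the written scope before touching it.
Anything not covered by an authorised range or domain is reported back to
the customer contact, not tested.
"""
import ipaddress

# Constructed example scope, as it might appear in a SOW appendix.
# These values are assumptions for illustration only.
AUTHORIZED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # customer's external block (TEST-NET-3)
    ipaddress.ip_network("10.10.0.0/16"),     # internal LAN at the assessed site
]
# Hosts the customer carved out of the engagement (assumed rule of engagement).
EXCLUDED_HOSTS = [
    ipaddress.ip_address("10.10.1.5"),        # production database: no testing
]
AUTHORIZED_DOMAINS = ["example.com"]           # covers the apex and subdomains


def classify_ip(addr):
    """Return 'excluded', 'in-scope' or 'out-of-scope' for an IP address string.
    Raises ValueError if addr is not a valid IPv4/IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip in EXCLUDED_HOSTS:
        return "excluded"
    if any(ip in net for net in AUTHORIZED_NETWORKS):
        return "in-scope"
    return "out-of-scope"


def classify_domain(name):
    """Match a host name against the authorised domains by label boundary,
    so 'notexample.com' does not pass because it ends in 'example.com'."""
    name = name.lower().rstrip(".")
    for domain in AUTHORIZED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return "in-scope"
    return "out-of-scope"


def classify(target):
    """Classify a target that is either an IP address or a host name."""
    try:
        return classify_ip(target)
    except ValueError:
        return classify_domain(target)


def gate(targets):
    """Split discovered targets into those the written scope allows and those
    that must be raised with the customer contact before continuing.
    Returns (allowed, blocked), each a list of (target, verdict) tuples."""
    allowed, blocked = [], []
    for target in targets:
        verdict = classify(target)
        (allowed if verdict == "in-scope" else blocked).append((target, verdict))
    return allowed, blocked


if __name__ == "__main__":
    # Constructed discovery output: a mix of in-scope, carved-out and
    # neighbouring (someone else's) addresses.
    discovered = [
        "203.0.113.7", "10.10.4.20", "10.10.1.5",
        "198.51.100.9", "www.example.com", "notexample.com",
    ]
    ok, stop = gate(discovered)
    print("Safe to test:", [t for t, _ in ok])
    for target, verdict in stop:
        print(f"HOLD {target}: {verdict} - contact customer before proceeding")
```

Run the gate against the scanner's host list at the start of each phase, not just once; new hosts found during the test are exactly the unknown devices the chapter says to raise with the customer. Keeping the authorized ranges in the script straight from the signed SOW (rather than retyped from memory) is the point: the code only enforces the list the contract already defines.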
When performing a penetration test, in addition to identifying the IP addresses of the hosts you are going to perform the penetration test on, you should also identify the following resources:
When working on exploiting target systems, applications, and services, the approach differs between a white box test and a black box test. In a white box test the company gives the pentester the access an insider would have, including documentation and, typically, whitelisting of the pentester's systems on security controls such as NAC so that the tester can reach the targets and concentrate on the weaknesses themselves. In a black box test the pentester is given no such access and must find a way past those security controls as part of the test.
Here are some considerations to keep in mind when performing the pentest on the identified targets:
Earlier in this chapter, I discuss the importance of including a disclaimer in the SOW, and I want to stress again that as the penetration tester, you need to make the risk of performing a penetration test clear to the customer (in discussion and in the contract). Make sure the customer accepts those risks before starting the penetration test, as risk acceptance is critical to protecting yourself from legal action.
Some key points to communicate with the customer in relation to the acceptance of risk of the penetration test are:
It is also important to verify the customer’s tolerance to the impact the assessment will have on the company’s systems. Here are some questions you can ask to verify the customer’s acceptance of the impact of the assessment:
Scheduling and scope creep are two important points to remember for the CompTIA PenTest+ certification exam as well as when you conduct a penetration test in the real world.
When discussing the details of the pentest with the customer during the pre-engagement phase, be sure to determine when the penetration test is to occur. Generally, pentests are scheduled to occur during any of the following timeframes:
When preparing the budget, be sure to have a schedule set up for how long it will take to perform the penetration test. Table 2-1 illustrates a sample schedule, but know that the schedule will vary depending on the size of the organization being assessed and the number of resources you have available to perform the penetration test.
TABLE 2-1 A Sample Pentest Schedule

| Activity | Activity Name | Duration |
|---|---|---|
| 1 | Initial preparation | 3 |
| 2 | Planning and scoping | 3 |
| 3 | Kick-off meeting | 1 |
| 4 | Initial assessment of environment | 3 |
| 5 | Information gathering | 5 |
| 6 | Vulnerability assessment | 5 |
| 7 | Exploitation of systems | 5 |
| 8 | Physical security assessment | 3 |
| 9 | Wireless security assessment | 3 |
| 10 | Post-exploitation | 3 |
| 11 | Clean-up | 3 |
| 12 | Report preparation | 5 |
| 13 | Report delivery and project closing | 1 |
An important discussion to have during the planning and scoping phase of the penetration test is how to handle scope creep. Scope creep occurs when the size of the project — in this case the penetration test — continues to change or grow as the project continues. As the consulting pentester, scope creep is a nightmare, as you have given a quote to the customer on the cost to perform the penetration test based on how long you estimate the pentest will take. The length of time is dependent on the number of targets defined for the project, and if that changes while the penetration test is occurring, the cost will go up! Increased costs typically do not sit well with the customer, so be very clear at the start that the cost is for the targets that have been defined within the scope of the project and that any newly discovered targets that arise while the penetration test is occurring will be an additional cost. Make sure the pentest team knows who to contact when a new target has been discovered during the pentest that was not specified in the scope of the project so that you can determine how to continue.
If the organization for which you are performing a penetration test is conducting a pentest to be in compliance with industry regulations, you may need to meet strict requirements when performing the assessment. It is important as a penetration tester to become familiar with the requirements of a compliance-based assessment. Know that the requirements are different in every industry, as they depend on the laws or regulations that govern each industry. Following are examples of industry-specific laws or regulations an organization must follow based on the industry the organization operates in:
Following are some limitations and caveats to keep in mind with regard to compliance-based assessments:
It is important to stress that there are clearly defined objectives based on regulations. For example, if the organization is processing credit cards, the organization must be compliant with PCI DSS by following the objectives and requirements set by PCI DSS. (You can view the Requirements and Security Assessment Procedures document at https://www.pcisecuritystandards.org/document_library.)
This chapter highlights a number of important points to remember when planning and scoping the penetration test. Following is a quick review of some of the key points from this chapter:
1. What type of contract outlines the requirements of confidentiality between the two parties and the work being performed?
(A) SOW
(B) NDA
(C) MSA
(D) SLA
2. Bob is performing a penetration test for Company XYZ. During the planning and scoping phase, the company identified two web servers as targets for the penetration test. While scanning the network, Bob identified a third web server. When discussing this new finding with the customer, the customer states that the third server runs critical web applications and needs to be assessed as well. What is this an example of?
(A) Statement of work
(B) Master service agreement
(C) Disclaimer
(D) Scope creep
3. You are drafting the agreement for the penetration test and working on the disclaimer section. What two key points should be covered by the disclaimer? (Choose two.)
(A) Compliance-based
(B) Point-in-time
(C) WSDL document
(D) Comprehensiveness
4. What type of contract is a description of the type of job being performed, the timeline, and the cost of the job?
(A) SOW
(B) NDA
(C) MSA
(D) SLA
5. You have been hired to do the pentest for Company XYZ. You acquired proper written authorization, performed the planning and scoping phase, and are ready to start discovery. You connect your laptop to the customer network and are unable to obtain an IP address from the company DHCP server. Which of the following could be the problem?
(A) MSA
(B) SSID
(C) SOW
(D) NAC
6. You are performing the penetration test for a company and have completed the planning and scoping phase. You wish to do the pentest on the wireless networks. What scoping element would you need?
(A) MSA
(B) NDA
(C) SSID
(D) NAC
7. What type of contract is used to define the terms of the repeat work performed?
(A) MSA
(B) NDA
(C) SOW
(D) NAC
8. You drafted the agreement to perform the penetration test, and you are now looking to have the agreement signed by the customer. Who should sign the agreement on behalf of the customer?
(A) Office manager
(B) IT manager
(C) Security manager
(D) Signing authority
9. You are working on the planning and scoping of the penetration test, and you are concerned that the consultants performing the pentest will be blocked by security controls on the network. What security feature would you look to leverage to allow the pentesters’ systems to communicate on the network?
(A) Blacklisting
(B) Whitelisting
(C) NAC
(D) Certificate pinning
10. You are performing a penetration test for a company that has requested the pentest because it is processing credit card payments from customers. What type of assessment is being performed?
(A) Goal-based assessment
(B) Security-based assessment
(C) Compliance-based assessment
(D) Credit card–based assessment