Written authorization

It is illegal to hack into systems without proper authorization from the owner of the asset being compromised. As a penetration tester, you have to remember this. Before any pentest can start, you must first get written permission in the form of a signed contract from the customer in order to conduct the work. Once the contract is signed, you then schedule a planning and scoping meeting with the customer so that you can identify the goals for the penetration test, identify what should be tested, and understand how far the testing should go.

The planning and scoping phase of the penetration testing process is also known as the pre-engagement phase. In this phase you want to be sure to get authorization that allows the organization’s systems to be tested and compromised.

It is important to understand that often this authorization cannot come from an office manager, IT manager, or local network administrator, as they are not the owners of the assets being tested. It is critical you get authorization from the owners of the assets, such as the company owner, or from a member of upper-level management who has signing authority.

If some of the company resources are being hosted by a third-party company, you must get authorization from that third party as well. For example, if the company’s website is hosted on its ISP’s web server, or the ISP hosts the domain name system (DNS) service for the company, it is important to get authorization from the ISP if you are going to perform penetration testing on those resources. If you do not get authorization to perform the penetration test on those systems, you must ensure they are not in the scope of the penetration test.

In addition, virtualization technology in the cloud has become a huge resource for companies to leverage, as it allows a company to get high availability and access to resources from anywhere. During pre-engagement activities and discussions, verify if there are any resources that are in the cloud, because you will need to get authorization from the cloud provider to perform a pentest on the cloud resources.

For the PenTest+ certification exam, remember that you must obtain a signature from a proper signing authority to perform the penetration test. Also remember to check if any resources are hosted by third parties such as an ISP or cloud provider because you will need third-party provider authorization to test those resources.

Contracts

Before starting the penetration test and typically before you start scoping out the project, you will receive a signed contract that is essentially hiring you for the service. These contracts are designed to protect the contractor from liability if something goes wrong with the penetration test, and protect the customer from sensitive data leakage on the part of the contractor.

The CompTIA PenTest+ certification exam refers to three main types of contracts:

• SOW: A statement of work (SOW) is a contract created by the penetration testing company that specifies the type of work its pentesters are providing, the timeline for performing the work, the cost of the work, the payment schedule, and any terms and conditions covering the work.
• MSA: A master service agreement (MSA) is a useful contract if you are performing repeat work for a company. The MSA acts as a standard boiler plate contract for the business relationship between the contractor and customer saving time when repeat work is needed from the contractor. With the MSA, you can define the terms of the work in the MSA and then refer to that from the SOW for each reoccurring engagement. Examples of terms in the MSA include payment terms, working conditions, remediation processes, and ownership of intellectual property.
• NDA: A non-disclosure agreement (NDA) is a common document outlining the importance of confidentiality in regard to the relationship of the two parties and the work performed. It identifies what information should be kept confidential and how confidential information should be handled. The NDA is created by the customer and given to the contractor to sign. The NDA is designed to protect the confidentiality of sensitive information that the contractor may come across while doing the penetration test.

For the PenTest+ certification exam, be familiar with the three different types of contracts, and know that they are usually signed before the scoping discussion.

Disclaimers

During the pre-engagement discussions and in the SOW, it is important to include two disclaimers that outline two important points about the penetration test.

First, you should have a disclaimer that states that the penetration test is a point-in-time assessment — meaning you have tested against known vulnerabilities and exploits as of the current date. As time goes on and new software and systems are installed on the network, your assessment would not have tested those new items.

Second, you should have a disclaimer that indicates that the comprehensiveness of the penetration test is based on the types of tests authorized by the customer and the known vulnerabilities at the time. For example, if the customer requests that no denial of service (DoS) attacks are performed (which is common), your penetration test would not have tested how the company stands up against a DoS attack. This disclaimer will help protect you if the customer is hit with a DoS attack after the penetration test is performed.

Your agreement should also make it clear that a penetration test uses hacking tools that a hacker would use, and although you have tested these tools, it is possible that they could have unpredictable results due to the additional software installed on the systems or the configuration of the systems. Unpredictable results in this case is referring to the fact that it is possible that the target systems could crash and be unavailable. For example, I have heard cases where performing a vulnerability scan of the network caused the print servers to drop off the network. This is not something that happens all the time, but the point is that different products from different vendors respond differently to the scanning and attack tools. One way to help prevent disruption on the network is to perform the penetration test on virtual machines within a test environment that are copies of the production systems.

Ensure you have a disclaimer in the agreement that specifies that the pentest is a point-in-time assessment and that the comprehensiveness is based on the scope of the assessment.

General questions

• What is the goal of the penetration test? (Why is it being done?)
• Is the pentest being performed for compliance reasons?
• What hours of the day can the penetration test be performed (business hours/non-business hours)?
• What are the internal and external target IP addresses?
• Are security controls in place such as firewalls and intrusion detection systems?
• If a system is compromised, what actions should be taken next (for example, no action, elevate privileges, and so on)?

Web application testing questions

• How many web applications/sites are being tested?
• How many of those require authentication?
• How many static pages are in those sites?
• How many dynamic pages are in those sites?
• Is the source code available for review?
• Is authentication testing to be performed?

Wireless network testing questions

• How many wireless networks are there?
• What wireless encryption protocol(s) are being used?
• What is the area covered by wireless?
• Should detection of rogue devices be performed?
• Should wireless attacks against clients be performed (or just focus on the access point)?
• How many wireless clients are there?

Physical security testing questions

• Is physical security testing part of the pentest?
• How many locations are there?
• Are the locations shared with other businesses? If so, what floors do you occupy?
• Are lock picks and bump keys allowed to bypass a locked door?
• Are video cameras being used? If so, does the customer own those devices?

Social engineering testing questions

• Is social engineer testing part of the pentest?
• Does the customer have email addresses for social engineering?
• Does the customer have phone numbers for social engineering?

Testing questions for IT staff

• Are there fragile systems that are easy to crash?
• What is the mean time to repair from a system outage?
• What are the business-critical servers and applications?
• Are backups tested regularly?
• Is there a disaster recovery procedure in place for devices and systems being tested?
• When was the last backup performed?

Target audience and reason for the pentest

During the pre-engagement activities, it is important to determine the target audience for the penetration test and the reason the pentest is being performed. Many companies state that the primary goal of the penetration test is to verify that their systems are secure by seeing how they hold up to real-world attacks. Another goal may be to see how the security team (known as the blue team) defends against the attacks, and to verify the effectiveness of the security controls in place (such as intrusion detection systems and firewalls). As a secondary goal, the company may need to be compliant to regulations stating that the company must have a penetration test performed regularly.

It is important to know why the pentest is being performed, but also who it is being performed for. The pentest report will need to be written to satisfy the goals of the pentest and be written to include information for the intended audience. For example, upper-level management may just want an executive summary that states how the company held up to the pentest, while the network administrators and security team may want more details on the vulnerabilities that still exist within their systems.

Communication escalation path

In addition to determining the target audience for the penetration test and the reason the pentest is being performed, it is also important to determine who the penetration testing team is to communicate with during the pentest. This includes determining when updates are delivered to the contact person and also who to contact when there is an emergency (such as a system or network crashes due to the pentest).

Following are some common questions you can ask during the pre-engagement phase to determine communication paths:

• How frequently should updates on the progress of the penetration test be communicated?
• Who is the main point of contact in the company for communication updates?
• Are the penetration testers allowed to talk to network administrators and the security team, or is this a silent pentest?
• Who should be the point of contact in case of emergency?

As a pentester you also want to be sure you have collected proper contact information in case there is an emergency, such as a system goes down or an entire network segment goes down. Following is the key information you should collect about the customer in case of emergency:

• Name of the company contact
• Job title and responsibility of the contact
• Does the contact have authorization to discuss details of the pentest activities?
• Office phone number, mobile phone number, and home phone number of the contact

Another reason to communicate with the customer is to let the customer know if something unexpected arises while doing the pentest, such as if a critical vulnerability is found on a system, a new target system is found that is outside the scope of the penetration test targets, or a security breach is discovered when doing the penetration test. You will need to discuss how to handle such discoveries and who to contact if those events occur. In case of such events, you typically stop the pentest temporarily to discuss the issue with the customer, then resume once a resolution has been determined.

Resources and requirements

When defining the rules of engagement for the pentest, you also want to ensure that you discuss key points surrounding the company’s different resources such as the targets to focus on and who to communicate the results with. You learn earlier in this chapter about a few questions you should ask in relation to resources, but let’s discuss a bit more about resources and requirements.

Confidentiality of findings

A key point to discuss is the confidentiality of the updates given and the results of the penetration test. Determine with the customer who are the authorized persons to receive updates on the progress of the penetration test, who to go to in case of emergency, and who the penetration results (the report) should go to. Be clear that you will be unable to communicate details of the penetration test to anyone not on this authorized list.

You should also set up a secure communication channel so that all communications in regard to the penetration test are encrypted. This includes the actual report file as well. Be sure that the report file is encrypted so that unauthorized persons cannot view the file. You could use the Secure Shell protocol (SSH) for secure file transfers, or a tool like GNU Privacy Guard for Windows (Gpg4win) to encrypt files and email messages. You can download the latest version of Gpg4win from www.gpg4win.org. Figure 2-1 shows how you can encrypt a file with Gpg4win on a Windows system.

Remember to encrypt the penetration testing report and all communication with the customer that pertains to the penetration testing report.

Budget

A big part of the pre-engagement activities is determining the cost of the penetration test. Once you have an idea of the size of the organization and the target resources for the penetration test, you can then work on calculating the cost of the pentest based on the man-hours you expect it to take and the cost per hour for the consultants. As the Penetration Testing Execution Standard (PTES) recommends, you should add 20 percent additional time to the estimated man-hours to accommodate any incidents that may slow down the penetration test. This will help the customer better understand the budget for the penetration test, and you can always lower the cost if you like once the job is complete. Customers are usually okay with the final cost ending up lower than what was quoted, but not happy if the cost goes up.

You also need to determine how payments are going to be scheduled. For smaller projects, you could do a net 30 days after the final report has been delivered, or for medium-sized and larger projects, you could go with a regular ongoing payment schedule that has the customer paying quarterly throughout the duration of the project. For larger jobs, some consultants ask for half of the payment upfront and then additional payments later on.

Impact analysis and remediation timelines

As discussed in “Disclaimers” earlier in this chapter, during the pre-engagement phase, it is critical that you communicate to the customer the risk or impact a penetration test can have on the company’s systems and the network. It is important that you try not to crash systems, and that you test all tools and techniques before using them on your customer’s systems, but in the end, the tools you are using are hacking tools, and they may have unexpected results in different environments. You must state that there is a risk to crashing a system or network in your contract, but stress during your discussions with the customer that you have tested the tools and will not intentionally try to crash systems.

You can minimize the risk by performing the penetration test on exact clones of the systems in a test environment. This environment could be a set of VMs that are exact copies of the production systems.

The penetration test report will include remediation steps that the customer needs to take to better secure their assets. It is critical that after the customer implements these fixes that the assets are retested to make sure the penetration test is not successful. Make sure you accommodate for this retesting in your budget estimate. It is also important to make sure you give a deadline on when the remediation steps need to be completed — and how long after report delivery retesting is covered in the price.

For the PenTest+ certification exam, remember that it is critical the pentest report contains remediation steps to better secure the asset. It is also important to specify a due date for when the remediation steps need to be completed if retesting is going to be performed.

Internal and external targets

When performing a penetration test, you will be working with internal targets, external targets, or both. An internal target is a system that exists inside the corporate network and is not accessible from the Internet because it is behind firewalls. An external target is a system that is reachable from the Internet and resides in the demilitarized zone (DMZ) network or in the cloud.

You will need to determine what internal systems (targets) should be tested and obtain the internal IP addresses or domain names for these assets. For example, you’ll need to obtain the internal addresses of the intranet servers, mail servers, file servers, or network-attached storage (NAS) devices, to name just a few. When identifying the internal assets and IP ranges, it is important to identify if those assets are on-site or off-site. On-site resources are systems and devices that exist on the network at the location being assessed, while off-site resources could be systems in the cloud, at an alternate site, or maybe resources that are mobile like a network on a boat or other vehicle. When conducting a pentest of the internal network, you may have to visit different locations to perform the penetration test, which should be reflected in the budget.

You will also want to be sure to determine the external IP addresses and domain names of systems to pentest. This is critical to verify as you do not want to try to exploit an external address not owned by the customer.

First-party versus third-party hosted

As I mention earlier in this chapter, you need to verify where the targets are being hosted, whether by the customer (first party) or by an outside company (third party). If systems are hosted by a third-party company such as an ISP or cloud provider, you need to get authorization from the third party to perform the pentest on those assets.

Other targets

When performing a penetration test, in addition to identifying the IP addresses of the hosts you are going to perform the penetration test on, you should also identify the following resources:

• Applications: Determine what applications and services are in scope of the penetration test. Some common applications and services may be the intranet site, Internet site, email services, remote desktop services, file transfer protocol (FTP) service, internal websites, and external websites.
• Physical security controls: Determine if testing the physical security controls is in scope of the pentest. This includes social engineering attacks on security guards, exploiting surveillance equipment, and testing locking systems with a lock pick or bump key.
• SSIDs: Determine if there are wireless networks that you are authorized to exploit. Make sure you find out what wireless networks, or SSIDs, are owned by the company that are in scope of the pentest.
• Users: Determine what user accounts are in scope for password cracking. Be sure to determine if you are allowed to attempt to compromise administrative accounts as well.

Target considerations

When working on exploiting target systems, applications, and services, you must make different considerations when conducting a white box test versus a black box test. With a white box test, the company will grant the pentester access to the system by allowing the pentester to pass through any security controls, but with a black box test, the pentester will need to figure out how to bypass the security controls as part of the test.

Here are some considerations to keep in mind when performing the pentest on the identified targets:

• Whitelisted versus blacklisted: As a pentester you can seek to have your system whitelisted by security controls so that the system is not blocked when performing the assessment. A blacklisted system, which is a system that is blocked by a security control, can slow down the assessment dramatically.
• Security exceptions: You can add the pentester’s IP address or account to security exceptions within security controls so that the pentester is not blocked. For example, on a firewall you can add the pentester’s IP address to the firewall exception list so that the pentester’s traffic can pass through the firewall.
• IPS/WAF whitelist: You can add the pentester’s IP address to the whitelist on the intrusion prevention system (IPS) and the web application firewall (WAF) so that it is not blocked and the pentester can test the web application.
• NAC: The customer may have network access control (NAC) features implemented that only allow devices in a secure state to connect to the network. As a pentester, this could affect your capabilities to connect to the network and perform the pentest. You may have to be placed on an exception list so that you can access the network from your pentest system.
• Certificate pinning: Certificate pinning refers to the process of associating a host with the expected server it will receive certificates from. If the certificate comes from a different system, the communication session will not occur. You may need to disable certificate pinning on the network to allow communication.
• Company’s policies: You should review the company security policy to determine if there are any policies in place that would put limits on the actions the penetration testers can take.
• Technical constraints: Be aware of any technical constraints that may limit your capabilities to perform the penetration test. For example, there may be firewalls blocking your scans during discovery of targets or there may be network segments controlling communication.
• Environmental differences: When performing the penetration test, it is important to be aware of any differences in the environment, as any differences could change how the pentest tools respond. Be aware of export restrictions when it comes to crossing borders with any encrypted content and any other local and national government restrictions that may be in place with regard to encryption and penetration testing tools. When performing a pentest on large global companies, know that the laws are different in these different companies with regard to using pentest tools. Also, review any corporate policies so that you are aware of the pentesting rules.
• Special scoping considerations: There may be other special scoping considerations that may arise during the pre-engagement phase, such as premerger testing and supply chain testing considerations. Premerger testing refers to assessing the security of a business the company is going to acquire. Supply chain testing refers to assessing the security of a supplying company, or multiple supplying companies, before the customer does business with those companies.

Scheduling

When discussing the details of the pentest with the customer during the pre-engagement phase, be sure to determine when the penetration test is to occur. Generally, pentests are scheduled to occur during any of the following timeframes:

• During work hours (for example, 8 a.m. to 5 p.m.)
• After work hours (for example, 6 p.m. to 6 a.m.)
• On weekends (for example, 8 a.m. to 12 a.m.)

Be sure your emergency contacts are readily available during the penetration testing hours so that you can contact the appropriate person should any issues arise during the penetration test.

When preparing the budget, be sure to have a schedule set up for how long it will take to perform the penetration test. Table 2-1 illustrates a sample schedule, but know that the schedule will vary depending on the size of the organization being assessed and the number of resources you have available to perform the penetration test.

Scope creep

An important discussion to have during the planning and scoping phase of the penetration test is how to handle scope creep. Scope creep occurs when the size of the project — in this case the penetration test — continues to change or grow as the project continues. As the consulting pentester, scope creep is a nightmare, as you have given a quote to the customer on the cost to perform the penetration test based on how long you estimate the pentest will take. The length of time is dependent on the number of targets defined for the project, and if that changes while the penetration test is occurring, the cost will go up! Increased costs typically do not sit well with the customer, so be very clear at the start that the cost is for the targets that have been defined within the scope of the project and that any newly discovered targets that arise while the penetration test is occurring will be an additional cost. Make sure the pentest team knows who to contact when a new target has been discovered during the pentest that was not specified in the scope of the project so that you can determine how to continue.

If you discover additional company assets that are out of scope while performing the penetration test, be sure to bring it to the attention of the customer. If the customer wants the newly discovered asset added to the target list, let the customer know that doing so will increase the time and cost to complete the project.

1. What type of contract outlines the requirements of confidentiality between the two parties and the work being performed?

(A) SOW

(B) NDA

(C) MSA

(D) SLA

2. Bob is performing a penetration test for Company XYZ. During the planning and scoping phase, the company identified two web servers as targets for the penetration test. While scanning the network, Bob identified a third web server. When discussing this new finding with the customer, the customer states that the third server runs critical web applications and needs to be assessed as well. What is this an example of?

(A) Statement of work

(B) Master service agreement

(C) Disclaimer

(D) Scope creep

3. You are drafting the agreement for the penetration test and working on the disclaimer section. What two key points should be covered by the disclaimer? (Choose two.)

(A) Compliance-based

(B) Point-in-time

(C) WSDL document

(D) Comprehensiveness

4. What type of contract is a description of the type of job being performed, the timeline, and the cost of the job?

(A) SOW

(B) NDA

(C) MSA

(D) SLA

5. You have been hired to do the pentest for Company XYZ. You acquired proper written authorization, performed the planning and scoping phase, and are ready to start discovery. You connect your laptop to the customer network and are unable to obtain an IP address from the company DHCP server. Which of the following could be the problem?

(A) MSA

(B) SSID

(C) SOW

(D) NAC

6. You are performing the penetration test for a company and have completed the planning and scoping phase. You wish to do the pentest on the wireless networks. What scoping element would you need?

(A) MSA

(B) NDA

(C) SSID

(D) NAC

7. What type of contract is used to define the terms of the repeat work performed?

(A) MSA

(B) NDA

(C) SOW

(D) NAC

8. You drafted the agreement to perform the penetration test, and you are now looking to have the agreement signed by the customer. Who should sign the agreement on behalf of the customer?

(A) Office manager

(B) IT manager

(C) Security manager

(D) Signing authority

9. You are working on the planning and scoping of the penetration test, and you are concerned that the consultants performing the pentest will be blocked by security controls on the network. What security feature would you look to leverage to allow the pentesters’ systems to communicate on the network?

(A) Blacklisting

(B) Whitelisting

(C) NAC

(D) Certificate pinning

10. You are performing a penetration test for a company that has requested the pentest because it is processing credit card payments from customers. What type of assessment is being performed?

(A) Goal-based assessment

(B) Security-based assessment

(C) Compliance-based assessment

(D) Credit card–based assessment