s0merset7's Blog

Pre-Penetration Test Checklist


Note: Much of the information below is summarized from Gus Khawaja’s Pluralsight course “Penetration Testing and Ethical Hacking with Kali Linux”. Much credit goes to Gus’s expertise! Check out his blog in the sources, and see how to get started with Pluralsight.

Penetration testing is defined as the process of assessing the security model of an organization. When we perform a pentest, we want to make sure we not only do proper research, but also conduct the pentest properly and within the bounds of the client’s needs, while protecting ourselves in the process. As such, here is a checklist to follow prior to any pentest:

  1. Gather Information About the Client Organization: Before starting a pentest, you need to gather information about the company that will be tested in order to have an in-depth understanding of the organization. Information should include:
    - Foundation
    - Objectives of the Company
    - Company Products
    - Employee/Stakeholder Information
    - Business Partners
    - Clients
  2. Visit the Client Organization Premises: Make sure you physically check out basic facilities like parking areas, restaurants, restrooms, elevators, etc. Don’t forget to pay close attention to:
    - Network Equipment (is there sufficient security?)
    - Server Room (if different from the network room)
  3. List Contact Details of Key Personnel of the Client Organization: Make sure you have not only the contact info of the important people in the organization, but also of the people you will need to contact immediately in case of emergency, along with the best way to reach them. Information should include:
    - Name
    - Department
    - Role
    - Mobile/Office Number
    - Email
  4. Identify Office/Space Location: Inspect the area where the pentesting team will work (if the test is in person). Ensure that it is close to the network equipment room, has easy restroom access, and is restricted from other general employees.
  5. Obtain Temporary Identification Cards for the Team
  6. Ask the Client to Create Domain Accounts: Accounts must be created for the team (with both limited and administrator access) to allow the internal network tests to be completed.
  7. Ask the Client for Previous Penetration Testing Reports: This allows the team to understand past problems, check how past solutions have held up, assess the reputation of past testers, and know when the last test was completed.
  8. Identify the Client’s Security Compliance Requirements:
    - Physical Safeguards (access cards, active guards, etc.)
    - Security Mechanisms (Technical)
    - Company Standards
  9. Ask the Client for a List of Servers, Operating Systems, and Network Devices
  10. Hire a Lawyer: Make sure it is someone who understands technology and who can ensure that the proper legal documents relating to the penetration test are created and verified BEFORE the test is started.
  11. Prepare a Legal Penetration Testing Document: Normally this is provided by the client, but it should be reviewed closely by the pentesting team and their lawyer. It will normally include information on the legality of the test as well as the project scope.
  12. Prepare a Nondisclosure Agreement (NDA): Also known as a Confidential Disclosure Agreement, this is prepared to protect the client’s sensitive data by preventing the team from discussing selected information. Make sure it is reviewed by the team and their lawyer.
  13. Obtain Liability Insurance: Make sure to have liability insurance from a local insurance agency. This protects you in case a client sues for any damages caused.
  14. Allocate a Budget for the Project: The main purpose here is to estimate the overall expenses required for the project. Don’t forget to include:
    - Travel
    - Lodging
    - Food
  15. List the Time Scale: This scale should be set in relation to the client’s needs. As a pentester you need to be accommodating in order not to negatively affect the client’s organization.
  16. Negotiate Daily/Hourly Fees: Make sure this fee is clearly established and negotiated PRIOR to beginning the pentest.
  17. Timeline of the Project: This timeline should reflect your own needs as a pentester, estimating how long the work will take. It should include:
    - Start Time
    - Project Milestones
    - Completion Date (Estimated)
  18. Draft a Cost for the Project: Prepare a quote that includes the estimated cost of the services that will be provided to your client.
  19. Discuss the Test Workflow: A document must be prepared and given to the client (who will approve it with a signature BEFORE the test) outlining what you plan to do and how, including:
    - Steps (what kind of tests will be done, e.g. Denial of Service)
    - Tools
    - Software
    - Special Equipment
  20. Discuss the Final Report: Make sure your clients understand and are okay with how you plan to structure the final report. In general, a report should follow the chronological order in which the tests were carried out, along with their results. Any vulnerabilities should be ranked according to their importance, with recommendations for countermeasures.

Sources