LPTv4 Module 15 Pre Penetration Testing Checklist_NoRestriction
-
Upload
mahmoud-eladawi -
Category
Documents
-
view
137 -
download
5
description
Transcript of LPTv4 Module 15 Pre Penetration Testing Checklist_NoRestriction
/ECSA/LPT
EC CouncilModule XV
EC-CouncilPre-Penetration Testing
ChecklistChecklist
List of Steps
1• Gather information about the client’s organization history and background
2• Visit the client organization premises to become familiar with the surroundings, car park,
facilities, restaurants
• List the client organization’s penetration testing requirements 3
List the client organization s penetration testing requirements
4• Obtain penetration testing permission from the company’s stakeholders
5• Obtain detailed proposal of test and services that are proposed to be carried out
6• Identify the office space/location your team would be working on for this project
6
7• Obtain temporary identification cards from the organization for the team members involved in
the process
Id if h ill b l di h i i j ( hi f i )
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
8• Identify who will be leading the penetration testing project (chief penetration tester)
List of Steps (cont’d)
9• Request from the client organization for previous penetration testing report/ vulnerability
assessment reports (if possible)
10• Prepare rules of engagement that lists the company’s Core competencies/ limitations/
timescales
11• Hire a lawyer who understands information technology and can handle your penetration testing
legal documents11 legal documents
12• Prepare penetration testing legal document and get it vetted with your lawyer
13• Prepare Non-disclosure Agreement (NDA) and have the client sign them
14• Obtain (if possible) liability insurance from a local insurance firm
4
15• Identify your core competencies/limitations
All b d f h i i j (X f d ll )
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
16• Allocate a budget for the penetration testing project (X amount of dollars)
List of Steps (cont’d)
17 • Prepare a tiger team
18 • List the security tools that you will be using for the penetration testing project
19 • List the hardware and software requirements for the penetration testing project
20 • Identify the clients security compliance requirements
21 • List the servers, workstations, desktops, and network devices that need to be tested21
22 • Identify the type of testing that would be carried out - Black Box or White Box testing
• Identify the type of testing that would be carried out - announced/ unannounced 23 de t y t e type o test g t at wou d be ca ed out a ou ced/ u a ou ced
24 • Identify local equipment required for pen test
Id tif l l i d f t t
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
25 • Identify local manpower required for pen test
List of Steps (cont’d)
26• List the contact details of key personnel of the client organization who will be in charge of the
penetration testing project
27• Obtain the contact details of the key person at the client company during an emergency
8• Points of contacts during an emergency
28Points of contacts during an emergency
29• List the tests that WILL NOT BE carried out at the client network
30• Identify the purpose of the test you are carrying out at the client organization
31• Identify the network topology in which the test would be carried out
31
32• Obtain special permission if required from local law enforcement agency
Li k i / i
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
33• List known waivers/exemptions
List of Steps (cont’d)
34 • List the contractual constraints in the penetration testing agreement
35 • Identify the reporting timescales with the client organization
36 • Identify the list of penetration testers required for this project3
37 • Negotiate per day per hour fee that you will be charging for the penetration testing project
38 • Draft the timeline for the penetration testing project38 p g p j
39 • Draft a quotation for the services that you be providing to the client organization
• Identify how the final penetration testing report will be delivered to the client organization40 • Identify how the final penetration testing report will be delivered to the client organization
41 • Identify the reports to be delivered after the pen test
• Identify the information security administrator of the client organization who will be helping you
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
42• Identify the information security administrator of the client organization who will be helping you
in the penetration testing assignment (if possible)
Step 1: Gather Information about Client Organization’s History and Background g y g
Penetration testing assesses the security model of the organization as a whole.
Before starting the penetration testing for an organization and gather Before starting the penetration testing for an organization and gather some information about that company.
S h h b i d h h hi d b k d f h li Search the websites and gather the history and background of the client organization which you are going to perform the penetration testing.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 2: Visit the Client Organization Premises to become Familiar with the Surroundings,
Parking Facilities RestaurantsParking, Facilities, Restaurants
Visit the premises of the client organization for moreinformation on its physical infrastructure.
Check for facilities like car parking levels, restaurant, restroom,lift, club, swimming pool.
Make yourself comfortable with all the facilities so that you willnot face difficulty while checking for the physical security of theclient organization as a part of your assignment (in case the
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
client wants you to do it).
Step 2: Visit the Client Organization Premises to become Familiar with the Surroundings, Parking Facilities and Restaurants (cont’d)Parking, Facilities, and Restaurants (cont d)
Examine the work areas where most employees would utilize the p yequipment.
Check the network equipment room where the routing set up is securedCheck the network equipment room where the routing set up is secured.
Alternately check the server roomAlternately, check the server room.
Inspect the area where the testing team carries out its work.Inspect the area where the testing team carries out its work.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 3: List the Client Organization’s Penetration Testing Requirements g q
Requirements of a penetration test vary with different clientsRequirements of a penetration test vary with different clients.
Penetration testing requirement depend on the nature of work criticality of Penetration testing requirement depend on the nature of work, criticality of data, legal issue, and business model of the client organization.
A li t i ti k th t ti t t t
• Internal/external testing
A client organization may ask the penetration tester to conduct some or all the tests listed below:
/ g• Whitebox/Blackbox testing• Announced/unannounced testing• Testing according to the number of IPs• Physical/security policy testing
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Physical/security policy testing• Testing a particular server/service
Step 4: Obtain Penetration Testing Permission from the Company’s Stakeholdersp y
A corporate stakeholder is a party who affects or can be affected by theA corporate stakeholder is a party who affects, or can be affected by, thecompany's actions.
A l d fi d li t f t k h ld i ht i l d
• Employees. • Customers
A narrowly defined list of stakeholders might include:
• Customers.• Shareholders. • Investors.
The company stakeholders must give a go ahead for your penetration test. Request the client organization to obtain permission from the stakeholders in order to avoid future litigations.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 5: Obtain Detailed Proposal of Test and Services that are Proposed to be carried out p
The nature and intensity of a penetration test should be mentioned in y pdetailed by the client organization.
A k th li t t b it d t il d l f th t ti t t th t Ask the client to submit a detailed proposal for the penetration test that is to be carried out.
Th l h t h ld li t th b f IP th t d t b t t d The proposal sheet should list the number of IPs that need to be tested; the type of test; the number of tests that need to be carried out, specifying the test details.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 6: Identify the Office Space/Location your Team would be Working in for this
ProjectProject
Penetration testing is a time consuming process (depending on the Penetration testing is a time consuming process (depending on the client organization’s testing requirements).
You need to make sure that the space provided for you and your team at the office premises of the client organization is comfortable, spacious, and airy.
The location should have easy access to restrooms, cafeteria and should have restricted access for other employees of the client organizationhave restricted access for other employees of the client organization.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 7: Obtain Temporary Identity Cards from the Organization for the Team who
are Involved in the Processare Involved in the Process
After getting the physical location to carry out the test process, request h i i id h id i d ll hthe organization to provide the temporary identity card to all the
penetration testers.
Use this identity card as access card to get into the company.
Make sure that all the testers who are involved in the penetration testing at the client’s organization contains an unique identity or access cardat the client s organization contains an unique identity or access card.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 8: Identify who will be Leading the Penetration Testing Project (Chief
P t ti T t )Penetration Tester)
Your penetration testing team should have a mixYour penetration testing team should have a mixof qualified professional from different domains.
The testing team will be lead by a chiefpenetration tester who will lead the project andb i f f h f hbe a point of contact for the management of theclient organization.
The chief penetration tester plays a key role indelivering the project, handling issues related totesting and maintaining the team
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
testing and maintaining the team.
Step 9: Request from the Client Organization for Previous Penetration Testing Report/ Vulnerability
Assessment Reports ( If Possible)Assessment Reports ( If Possible)
Organizations retain a copy of the penetration testing report for future Organizations retain a copy of the penetration testing report for future reference.
R t th li t i ti f i t ti t ti t Request the client organization for previous penetration testing report so that you will have a clear idea of the problems that existed in the past.
Most of the organizations will not be willing to share their penetration Most of the organizations will not be willing to share their penetration test report with you.
TRY YOUR LUCK!
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 10: Prepare Rules of Engagement that Lists the Company’s Core Competencies/
Limitations/ Timescales Limitations/ Timescales
Identify the core competency of the client organization:
• Core competency is something that a firm can do well and that meets the following three conditions specified by Hamel and Prahalad (1990):• It provides customer benefits.
organization:
• It is hard for competitors to imitate. • It can be leveraged widely to many products and markets.
Identify limitation of the client organization:
• Your rules of engagement should list points that limit your testing ability due to restrictions (if any) from the client organization.
Identify limitation of the client organization:
i l i h i i hi h h i i i i
List the timescale:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Time scale is the time in which the organization carry out its operation. Tester should be ready for a flexible timing which will not affect the organization.
Step 11: Hire a Lawyer who Understands Information Technology and can Handle
your Penetration Testing Legal Documentsyour Penetration Testing Legal Documents
Hire a lawyer who can understand technology and Hire a lawyer who can understand technology and related matters.
A legal document related to the penetration testing needs to be signed by you before you start your penetration testing assignment. Get the document vetted by your lawyer before you sign.
A lawyer who understands information technology and risks associated with the penetration testing will be able to render his/her professional service more
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
able to render his/her professional service more efficiently.
Step 12: Prepare PT Legal Document and get Vetted with your Lawyer g y y
Aft tti l l d t f th li t After getting legal document from the client organization, study it with the help of lawyer.
Based on the document given by the organization, prepare a penetration testing document and check it p p p gwith the lawyer you have appointed.
This document contains information related to legal aspects of testing and the scope of the project.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 13: Prepare Non Disclosure Agreement (NDA) and have the Client Sign
themthem
A di l t i t th t t i fid ti l A non-disclosure agreement is an agreement that contains confidential information.
Your lawyer should vet the NDA form before you ask the client to sign.
Include clauses which will highlight the fact that you and your team will not disclose any information divulged by the client during the course of penetration test.penetration test.
The NDA should also be aimed at protecting your interests.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 14: Obtain ( if possible) Liability Insurance from a Local Insurance Firm
T t bt i li bilit i f th l l i Try to obtain a liability insurance from the local insurance company to protect your interest incase there the client organization files a lawsuit against you for bringing their network down during the penetration test.penetration test.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 15: Identify your Core Competencies/Limitations Competencies/Limitations
Identify the core competencies and limitations of the tester who is going f h to perform the test.
Core competencies of the tester mainly contains:
• Network Management• Program Management
Data Administration
contains:
• Data Administration• Risk Management
Limitations of penetration testers:
• Configuration problems.• No technical knowledge of new acquired technologies by the client.
F l i h b fi i i Wi d Pl f b ill
Limitations of penetration testers:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
For example, you might be proficient in Windows Platform but will not be in Sun Solaris.
Step 16: Allocate a Budget for the Penetration Testing Project ( X amount of $ )g j ( $ )
P b d h i h f i d Prepare a budget that contains the cost of expenses required to perform the testing.
T li f ffi i l
Budget includes:
• Traveling expenses for official purposes.• Lodging expenses.• Food expenses.• Stationary expenses. y p• Expenses spent for entire team.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 17: Prepare a Tiger Team
A tiger team consists of licensed penetration testers taken from different A tiger team consists of licensed penetration testers taken from different disciplines.
Thi t i l i t f This team mainly consists of:
• Database penetration testers.• Firewall penetration testers• Firewall penetration testers.• Cisco penetration testers.• Oracle penetration testers.• Report writers, and so on.Report writers, and so on.
This tiger team is managed by the chief penetration tester.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 18: List the Security Tools that you will be using for the Penetration Testing
ProjectProject
Tools required to perform the penetration
• Port scanner (i.e., Nmap, Firewalk, Superscan).
Tools required to perform the penetration testing are:
• Vulnerability scanners (i.e., Nessus, SAINTexploit and Metasploit, X-scan).
• Application scanners (i.e., Appscan, Webinsect).Fi ll t l (i Fi t t F l t h)• Firewall tools (i.e., Firestarter, Fwlogwatch).
• Sniffers (i.e., Wireshark, Kismet).• VPN/tunneling tools.• Access control tools• Access control tools.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 18: List the Security Tools that you will be using for the Penetration Testing
Project (cont’d)
The list of penetration tools required to f th t ti f ll
Project (cont d)
• Cryptography tools.• DNS tools.
perform the testing are as follows:
DNS tools.• Fingerprint/OS detection tools (i.e., queso, siphon-v.666, and
Winfingerprint).• Hijacking tools (i.e., pasvagg.pl, sw-mitm tool).• HTML tools (i.e., WebSnake).• IDS tools (i.e., AIDE, HostSentry, Logcheck, PortSentry, Snort,
Swatch, Tripwire).• Miscellaneous tools (i e Copernic Genius and ucd-snmp)• Miscellaneous tools (i.e., Copernic, Genius, and ucd-snmp).• NetBIOS Tools (i.e., enum, nbnbs, NetBios Auditing Tool).• Network Management/Monitoring Tools (i.e., analyzer, cheops,
ciscoconf, IP-Watcher, ipaudit, iplog, netsaint, and sting).
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Novell tools.
Step 18: List the Security Tools that you will be using for the Penetration Testing
Project (cont’d)Project (cont d)
NT-specific tools (i.e., ELDump, NetViewX, WsSes)
Password tools (i.e., ChkLock, MakePWL, ZipPassword)
Packet tools (i.e., isic, nemesis, NeoTrace, SendIP)
Phone tools (i.e., THC-PBX, ToneLoc)
Ping tools (i e icmpquery sping netping Visual Route)Ping tools (i.e., icmpquery, sping, netping, Visual Route)
Promiscuous mode detection tools (i.e., CommView, sentinel)
R lRemote tools
Root kits
St h t l (i Bli d id if h ffl Hid PGP JPHIDE d
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Steganography tools (i.e., Blindside, gifshuffle, Hide4PGP, JPHIDE and JPSEEK, SteganoGifPaletteOrder , Steganos, Stego, wbStego)
Step 19: List the Hardware and Software Requirements for the Penetration Testing Project
The configuration mentioned below is meant for a laptop.
• Intel Core Duo Processor
Ideal hardware configuration includes:
• Intel Core Duo Processor.• 2 GHZ speed.• 2 GB RAM.• 120 GB storage capacity.120 GB storage capacity.
IIS
Ideal software configuration includes:
• IIS server.• Application servers.• Ms-Office 2007.• Operating systems: Windows 2003 Server Vista Linux and
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Operating systems: Windows 2003 Server, Vista, Linux and Macintosh.
Step 20: Identify the Clients Security Compliance Requirementsp q
Major requirements for client security compliance are:
Administrative proceduresAdministrative procedures.
Physical safeguards.
Technical security services.
Technical security ec ca secu ymechanism.
Standards.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 21: List the Servers, Workstations, Desktops and Network Devices that need to be Tested
• IIS servers
Servers that need to be tested includes:
• IIS servers.• Application servers:
• Client application server.• Web application server.
• Windows servers• Windows servers.• Unix/Linux servers.
Workstations and desktops required to test includes:
• Number of workstations per department incase there are multiple departments within the organization.
Some network devices that need to be tested are:
• Routers.• Hubs.• Switches.
d
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Modems.• Network load balancers.
Step 22: Identify the Type of Testing that would be carried out - Black Box or White Box Testing
• White box testing.• Black box testing.
The two basic tests typically performed are:
• Is carried out with a complete knowledge on the infrastructure such as IP address range of the t t t k d t k d i OS i Whit b t ti target network and network devices, OS version, etc.
• Is also called a complete-knowledge test.
White box testing:
• Is carried out with out any prior knowledge on the infrastructure.I l ll d k l d t ti
Black box testing:
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
• Is also called zero-knowledge testing.
Step 23: Identify the Type of Testing that would be carried out - Announced/ Unannounced
Testing can be done in the following ways:
• Announced • Unannounced
Announced: An announced testing is done by an proper announcement to the employees/administrative heads of the organization before starting the test.
Unannounced: In this process, testing is carried out with out any p , g ygiving any information to the employees/administrative head of organization.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 24: Identify Local Equipments Required for Pen Testq
The list of local equipments required to perform
• Category5 (CAT5) taps and speed• Fibre taps/converter
q p q pthe penetration test is as follows:
b e taps/co e te• Local Internet access:
• Filtered • Unfiltered
D l d / t ll d• Downloads/exports allowed
• Separate allocation of office space for the testing team• 24 hours power availability with generator facility• Places for refreshment like cafeterias bakeries confectionaries and Places for refreshment like cafeterias, bakeries, confectionaries, and
so on.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 25: Identify Local Manpower Required for Pen Testq
The list of local manpower requirements to perform th t ti t ti i f ll
• Application administrator.• Database administrator.
the penetration testing is as follows:
• Network administrator.• Operating system administrator.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 26: List the Contact Details of Key Personnel of the Client Organization who will be in Charge of
the Penetration Testing Projectthe Penetration Testing Project
A key personnel will be appointed by the organization to take lead of the y p pp y gproject from their side.
Some important contact details include the risk manager, database administrator, network administrator, or a system administrator.
• Name of the personnel.Department
The contact details may include:
• Department.• Role.• Mobile number.• Email address
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Email address.• Office contact number.
Step 27: Obtain the Contact Details of the Key Personnel for Approaching in case of
an Emergencyan Emergency
Gather the contact details from the key personnel for approaching him/her in case of emergency.
Emergency situations include fire, electric breakdown, etc.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 28: Points of Contacts During an Emergencyg y
Note the contact details of penetration testers:
• Risk manager• Database administrator
p
• Local security officer• System administrator• Networking administrator
I t t S i P id (ISP)• Internet Service Provider (ISP)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 29: List the Tests that will not be carried out at the Client Network
The type and timeline for the tests to be conducted depend on the yp pclient organization.
You cannot expect a ecommerce company to allow a DoS service You cannot expect a ecommerce company to allow a DoS service test on their website.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 30: Identify the Purpose of the Test you are carrying out at the Client Organization
h f h
• Safeguard the organization from failure.P i fi i l l h h f d
The main purpose of the test is to:
• Preventing financial loss through fraud.• Identifying the key vulnerabilities.• Improving the security of technical systems.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 31: Identify the Network Topology in which the Test would be carried out
Network topologies include:
Bus.
StStar.
Mesh.
Ring .
TreeTree.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 32: Obtain Special Permission if Required from Local Law Enforcement Agency
Testers usually work on an intranet to test the network but if we want toTesters usually work on an intranet to test the network, but if we want toperform the test outside a network then we have to obtain specialpermission from the local law enforcement agency.
Sign-in
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 33: List known Waivers/Exemptions/ p
A waiver is the voluntary relinquishment or surrender of some known y qright or privilege. While a waiver is often in writing, sometimes a person's actions can act as a waiver. An example of a written waiver is a disclaimer, which becomes a waiver when accepted. Other names for
i l t l l h ld h l lwaivers are exculpatory clauses, releases, or hold harmless clauses.
Sometimes the elements of "voluntary" and "known" are established by a legal fiction. In this case, it is presumed one knows his or her rights and that those rights are voluntarily relinquished if they are not
t d t th tiasserted at the time.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 34: List the Contractual Constraints in the Penetration Testing Agreementg g
Ch k f i l l t i th j t th t Check for service level agreements in the project that may affect scope of the test.
Accept an waiver or privilege letter to perform this testing from the contractual partners.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 35: Identify the Reporting Timescales with the Client Organizationg
d if h i i l f h li i iIdentify the reporting timescales from the client organization.
This reporting timescales include:
• Normal timescale for project.Normal timescale for project.• Local requested timescale for project.• Distribution list of the project.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 36: Identify the List of Penetration Testers Required for this Projectq j
Different testers required to perform this
• Database penetration testers
testing are as follows:
• Firewall penetration testers• Application penetration testers
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 37: Negotiate per Day/per Hour Fee that you will be Charging for the
Penetration Testing ProjectPenetration Testing Project
Based on the work performed by the team of testers, negotiate the fee either hourly based or daily based.
Salary negotiation will be handled by the chief penetration tester and it will be distributed as per the rules of the client organization. p g
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 38: Draft the Timeline for the Penetration Testing Projectg j
Based on the size of the organizations and number of IPs to be tested Based on the size of the organizations and number of IPs to be tested, prepare a timeline for the completion of testing.
This timeline draft into three parts:
• Stating time of the projectg p j• Project milestones• Project completion
A timeline is the total time required to finish the project.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 39: Draft a Quotation for the Services that you be Providing to the Client Organization
Prepare a quotation that contains the details of services that you are p q ygoing to provide for the client organization.
Q i i l d h l i f f i h i h Quotation includes the total services for performing the test in the organization like size and scope of the project.
List the services in the form of quotation that includes all the amenities that are required to perform the test.
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 40: Identify how the Final Penetration Testing Report will be Delivered to the Client
OrganizationOrganization
The final report is prepared based on the test performed in the The final report is prepared based on the test performed in the organization.
Discuss with the client organization about the report format that they expect you to give at the end of your penetration test.
• Reports can be given in any of the below listed formats:• PDF• HTMLHTML• Hard copy
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 41: Identify the Reports to be Delivered After Pen Test
Th i id d f l i f The various reports provided after completion of the penetration testing process are as follows:
• Network test reports• Client-side test reports• Web application test reportsWeb application test reports
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Step 42: Identify the Information Security Administrator of the Client Organization who will be helping you in the
Penetration Testing Assignment ( if possible)Penetration Testing Assignment ( if possible)
Identify an administrator who is responsible for securing information in the Identify an administrator who is responsible for securing information in the organization.
During the assignment of penetration testing, take the help of the information security administrator .
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
You Are Ready to Start the Penetration TestPenetration Test
Get Ready for the Drivey
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited