mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-24 20:03:02 +00:00
59 lines
2.2 KiB
Markdown
59 lines
2.2 KiB
Markdown
# Planning and Scoping a Penetration Testing Assessment
|
|
|
|
### Planning Phase
|
|
|
|
#### Initial Client Meeting
|
|
- **Objective**: Understand what the client aims to achieve with the penetration test.
|
|
- **Key Questions**:
|
|
- What are the key assets you're concerned about?
|
|
- What types of attacks or threats are you most concerned with?
|
|
- Do you have any compliance requirements (e.g., PCI-DSS, HIPAA)?
|
|
|
|
#### Documentation Review
|
|
- **Objective**: Review existing documentation to understand the network topology, application architecture, and other relevant details.
|
|
- **Key Deliverables**:
|
|
- Network diagrams
|
|
- Application architecture diagrams
|
|
- Previous vulnerability assessments or pen test reports
|
|
|
|
#### Legal and Compliance Checks
|
|
- **Objective**: Ensure that all legal requirements are met and permissions are granted.
|
|
- **Key Deliverables**:
|
|
- Signed contract
|
|
- Non-disclosure agreement (NDA)
|
|
- Permission to test forms
|
|
|
|
### Scoping Phase
|
|
|
|
#### Define Scope
|
|
- **Objective**: Clearly outline what is in-scope and out-of-scope.
|
|
- **Key Deliverables**:
|
|
- List of target IP addresses
|
|
- List of target applications
|
|
- User roles for testing authenticated areas
|
|
|
|
#### Determine Timeframe
|
|
- **Objective**: Decide the duration of the test.
|
|
- **Key Questions**:
|
|
- When will the test start and end?
|
|
- Are there any blackout periods during which testing should not occur?
|
|
|
|
#### Resource Allocation
|
|
- **Objective**: Decide who will perform the test and what tools will be used.
|
|
- **Key Deliverables**:
|
|
- Names and credentials of the penetration testers
|
|
- List of tools that will be used
|
|
|
|
#### Success Criteria
|
|
- **Objective**: Define what will constitute a successful test.
|
|
- **Key Deliverables**:
|
|
- Expected outcomes
|
|
- Metrics for success (e.g., percentage of high-risk vulnerabilities identified)
|
|
|
|
#### Finalize Plan
|
|
- **Objective**: Consolidate all the above information into a formal test plan.
|
|
- **Key Deliverables**:
|
|
- Penetration Test Plan document
|
|
- Client approval on the plan
|
|
|
|
By spending ample time on planning and scoping, you're laying a solid foundation for a successful penetration test. This ensures that both the client and the testing team have clear expectations and guidelines, reducing the likelihood of misunderstandings or scope creep.
|