
Module 02: Penetration Testing Scoping and Engagement Methodology Exercise 1: Penetration Testing Project Planning and Scheduling Using GanttProject

Written By AKADEMY on Thursday, July 4, 2019 | 9:48 PM

Module 02: Penetration Testing Scoping and Engagement Methodology


The objective of this lab is to understand the pre-penetration testing steps and pre-execution administration issues.


There is much more to an engagement than “throwing packets at the network” and, like most things in life, an engagement begins and ends with paperwork.
As an Engagement Team Leader (ETL) or Engagement Team Member (ETM), you perform a number of non-billable, administrative tasks in order to ensure a successful and profitable engagement. Although these tasks do not generate income in and of themselves, when executed properly, they help to ensure the greatest margin of profitability for engagements.
In the rush to begin billable time on an engagement, it is easy to succumb to the temptation of “cutting corners”, especially for non-billable activities and administration. Do not yield to this temptation. Profit is counted not only by the number of dollars in the bank but also by the customer loyalty, references and referrals resulting from a well planned and executed engagement.
The information technology security business is a business like no other. First, you are not selling a tangible item. You can't hold security in your hands. You can't smell it, taste it or feel it. It is an intangible “peace of mind”, like the feeling you have when purchasing life or health insurance. Indeed, it is a form of insurance: insurance against an attack that could ruin your client's business or reputation. However, like insurance, there are no guarantees. You cannot “guarantee” to your client that they will never be attacked, or that an attack will not succeed, as a result of the work you perform on an engagement. You work in concert with your clients' management to identify ways in which the security of their business information could be compromised and to recommend appropriate mitigation strategies for the problems you discover. What you can do is ensure that the report presented to your clients is as accurate and comprehensive as possible, thereby diminishing the possibility of a successful attack. In addition, you must take every possible precaution to ensure that your clients' data is not compromised while it is in your possession.
Some of the administrative tasks may seem excessive or unnecessary to you. These tasks help ensure the security of client data and demonstrate to your clients that you and your company take security very seriously. Don't cut corners!
You start with reviewing the Engagement Letter (EL) to understand what you and your team members will be required to do during the engagement, set up the engagement folders you will need to store the engagement data, and perform due diligence for conflicts of interest. You prepare the initial draft copies of engagement control and other documents, establish contact with the client and, in coordination with the Target Organization (TORG), ensure that all documentation is correct and in compliance with the TORG's expectations as defined in the EL.
In addition to these administrative control activities, you also coordinate personnel and logistical issues.
You first prepare and then update, as required, a plan of how you will conduct the project, scheduling when various portions of the work specified in the EL will occur and which of your team members will participate in the engagement. Individual vulnerability discovery, analysis and penetration testers are assigned to the engagement, forming the penetration test team. Secure communication channels are established with the client to transmit communications containing sensitive information.
Transportation and lodging requirements are determined. At the conclusion of this phase, the Engagement Team Leader issues a mission briefing to the penetration test team to allow them the maximum amount of time to prepare for the next phase, the execution of the engagement.

Exercise 1: Penetration Testing Project Planning and Scheduling Using GanttProject


Project planning is the part of project management that uses schedules such as Gantt charts to plan work and subsequently report progress within the project environment. GanttProject helps you plan your penetration testing projects in an effective and timely manner. Planning and scheduling a project helps you make the most effective use of resources and meet deadlines.
As an expert penetration tester, you must understand how to plan and schedule the activities of a penetration testing project using the GanttProject tool.
Lab Duration: 5 Minutes
  1. Click Windows Server 2012 (External Network). Click Ctrl+Alt+Delete.
  2. In the password field, enter Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
  3. To install GanttProject, navigate to E:\ECSAv10 Module 02 Penetration Testing Scoping and Engagement\GanttProject, double-click ganttproject-2.8.5-r2179.exe and follow the steps to install GanttProject.
    If an Open File - Security Warning window appears, click Run.
  4. To launch GanttProject, double-click the GanttProject icon on the Desktop.
    Alternatively, you can launch GanttProject from the Start menu apps.
  5. The main window of GanttProject appears as shown in the screenshot.
  6. In the GanttProject main window, go to Project and click New… to create a new project for planning and scheduling.
  7. The Create new project window appears. In Step 1, enter the name of your project, the name of the target organization, its website and a Description of the project. Here we use SamplePentest as the project name, luxurytreats as the target organization and http://www.luxurytreats.com as its URL. Write something about the project in the Description text area and click Next. Leave the default values as they are in Step 2 and click Next. Again leave the default values as they are in Step 3 and click Ok.
  8. Go to Tasks menu and click New task.
  9. The New Task will be added under Gantt tab with its default name as shown in the screenshot.
  10. Rename the default name with your penetration task as External Penetration Testing. Schedule this task by specifying the Begin date and End date for task completion.
    If your task is not displayed as a Gantt chart in the right pane of the window, click Zoom Out in the upper left corner of the right tab until the defined task is visible.
  11. Similarly, repeat steps 9 and 10 to create and define the next task in your penetration testing project. Create another task and call it Information Gathering.
  12. Repeat steps 9 and 10 to plan and schedule the next task in your penetration testing project.
    If two tasks are related, you can show the relationship with a directed arrow: in the right pane, click the middle of the source task's bar and drag the cursor to the dependent task. An arrow is drawn between the two tasks as shown in the screenshot.
    Define all the tasks and their relationships in the Gantt chart in the same way.
  13. To define milestones, right-click any Task from left pane under Gantt tab, and click Task Properties from the context menu.
    The Properties for the Task window appears (here, for Information Gathering); check Milestone and click Ok.
  14. Milestones are displayed as diamond symbols in the Gantt chart, as shown in the screenshot.
  15. Click Resources Chart from the left pane, and go to Resources and then click New Resource to assign the resources for your penetration testing project.
    Resources can be people, materials, equipment, budget amounts, or anything else. Typically, you might enter the names of people who will work on the tasks as resources.
  16. The Resources window appears. Specify the name, phone, email, role, etc. of the resource, and click Ok.
  17. The specified Resource will be added in the Resource Chart tab of the GanttProject.
    Similarly, you can add any number of resources, with their roles, working on your penetration testing project.
  18. Go to the Project menu and click Export… to export the planning and scheduling report in one of several formats (PDF, HTML, raster image, Microsoft Project file, etc.). In Step 1 of the Export wizard, choose the report format and click Next. In Step 2, choose the location where you want to save the report and click Ok to generate it in your chosen format.
    In this task we generate a PDF report named document.pdf, saved in the default location C:\Users\Administrator.
  19. The Penetration Testing Planning and Scheduling report is saved as a .pdf file in the specified location and displayed, as shown in the screenshot.
  20. Close all the opened windows.
You have successfully planned and scheduled the activities in the penetration testing project.
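As an added example (not part of the lab or of GanttProject), the following Python script does in code what steps 8 to 14 do in the GUI: it takes tasks with durations and finish-to-start dependencies, computes each task's begin and end dates on working days, treats a zero-duration task as a milestone, and renders a text Gantt chart. The task names, durations and the 2019-07-08 start date are constructed sample data.

```python
from collections import namedtuple
from datetime import date, timedelta
# duration is in working days (0 marks a milestone); depends_on holds finish-to-start predecessor ids
Task = namedtuple("Task", "tid name duration depends_on", defaults=(0, ()))

def next_workday(d):
    """Roll a date forward past Saturday/Sunday (weekends are non-working days)."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d

def add_workdays(start, n):
    """Date n working days after start (n=0 is start itself)."""
    for _ in range(n):
        start = next_workday(start + timedelta(days=1))
    return start

def schedule(tasks, project_start):
    """Forward pass: a task begins on the first working day after all its predecessors end."""
    by_id, plan, visiting = {t.tid: t for t in tasks}, {}, set()
    def place(t):                       # returns (begin, end) for task t, scheduling predecessors first
        if t.tid not in plan:
            if t.tid in visiting:
                raise ValueError(f"circular dependency at task {t.tid}")
            visiting.add(t.tid)
            begin = next_workday(project_start)
            if t.depends_on:
                begin = next_workday(max(place(by_id[p])[1] for p in t.depends_on) + timedelta(days=1))
            plan[t.tid] = (begin, begin if t.duration == 0 else add_workdays(begin, t.duration - 1))
            visiting.discard(t.tid)
        return plan[t.tid]
    for t in tasks:
        place(t)
    return plan

def render(tasks, plan, project_start):
    """Text Gantt chart: one row per task, one column per calendar day ('#' work, 'x' milestone)."""
    span = (max(end for _, end in plan.values()) - project_start).days + 1
    days = [project_start + timedelta(days=i) for i in range(span)]
    rows = []
    for t in tasks:
        begin, end = plan[t.tid]
        bar = "".join(("x" if t.duration == 0 else "#") if begin <= d <= end and d.weekday() < 5 else "." for d in days)
        rows.append(f"{t.name:<28} {bar}")
    return rows

# Constructed sample mirroring the lab's tasks (not the lab's own data); 2019-07-08 is a Monday.
PENTEST = [Task(0, "Information Gathering", 5),
           Task(1, "External Penetration Testing", 10, (0,)),
           Task(2, "Report delivered (milestone)", 0, (1,))]
PLAN = schedule(PENTEST, date(2019, 7, 8))
```

Printing `"\n".join(render(PENTEST, PLAN, date(2019, 7, 8)))` shows the same picture the GanttProject chart draws: the second task starts the Monday after the first one ends, and the milestone lands on the first working day after the test finishes.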

