Powered by Blogger.
Home » » Module 02: Penetration Testing Scoping and Engagement Methodology - Preparation

Module 02: Penetration Testing Scoping and Engagement Methodology - Preparation

Written By AKADEMY on Thursday, July 4, 2019 | 9:49 PM

Preparation

Scenario

In the first step, the Engagement Team Leader reviews the Engagement Letter to determine what services the team will provide to the client, creates a record copy of the Engagement Letter and opens his or her engagement log. The ETL or his or her designated representative creates a system to maintain the data gathered during the engagement process, performs “due diligence” to determine if any of the members who might potentially be assigned to the engagement have direct or indirect financial interest in the client that would preclude their participation, and makes initial modifications to the standard engagement project plan.
Lab Duration5 Minutes

  1. A pen testing engagement begins with the receipt of the Engagement Letter (EL). The Engagement Team Leader (ETL) reviews the EL and extracts the information necessary to perform the remaining tasks in this step.
    1. The name of the client is the first item extracted. This information is located throughout the EL and appears in every document connected with the engagement.
    2. The second item of information extracted from the EL is contained in the Expected Time Duration and Schedule section. This paragraph tells the Engagement Team Leader (ETL) the length of the engagement.
    3. The third item of importance is the Acceptance of Proposed Services section. This section tells the Engagement Team Leader (ETL) what services will be provided to this client during this engagement.
    Note:
    The ETL maintains control of the Engagement Letter until after the next task has been completed, then scans the EL into electronic format, produces an MD5 hash of the document for integrity purposes and places both items in the appropriate folders created in Task 2below.

  2. Copy the MasterEngagementFolders from the ECSA Report Templates to your local system's desktop. ECSA Report Templates.zip file is available in the Training section of EC-Council Certified Security Analyst v10 course (under My Courses) within the Aspen Portal.
    Alternatively, you can also find ECSA Report Templates folder (for your reference) in E:\ of Windows Server 2012 (External Network)machine.
    Note:
    1) In this exercise, we are using Desktop to store the MasterEngagementFolders for convenience. In real-time pen test engagement, you should create the engagement folder in an empty drive that can be wiped safely after the engagement.
    2) ECCU students can download the ECSA Report Templates.zip file from the Introduction section of their course.

  3. Rename the MasterEngagementFolders using the naming convention YY-MM-DD-ABCD where YY is the last two digits of the current calendar year, MM is the two digit number of the current month, DD is the current calendar date and ABCD is an abbreviated version of the client organization's common name.
    For the ECSA Classroom Pen Testing Challenge, as an example rename the MasterEngagementFolders folder to 15-01-11-FNBF (change the date appropriately).
    Note:
    This is the naming convention suggested by EC-Council. You are free to decide your own naming convention or follow your company’s naming convention.

    1. Navigate to YY-MM-DD-FNBF\00_Administration\ETL_Notesfolder and rename ETL_Log.docx to YY-MM-FNBF_ETL.docx.
    2. Open the YY-MM-FNBF_ETL.docx file and replace “YY-MM-ABCD” in the document header with the engagement number (YY-MM-DD-FNBF) created in the Task 2.2 above.
    Note:
    Record all important activities concerning the engagement in this log until the engagement ends.

  4. Navigate to YY-MM-DD-FNBF\00_Administration\00A_EL folder and rename the Engagement Letter YY-MM-ABCD_EL.pdf to YY-MM-FNBF_EL.pdf.
    Note 1:
    We receive the final Engagement Letter from the client. For this exercise, we have created a sample Engagement Letter and placed in the YY-MM-DD-FNBF\00_Administration\00A_EL folder.
    Note 2:
    In real time pen testing engagements, we generally receive a hard copy of Engagement Letter. In those cases:
    1. Use an optical scanner to create an electronic copy of the EL.
    2. Save the file in TIF format. Name the file using the naming convention YY-MM-ABCD_EL.tif and place it in the YY-MM-XX-ABCD**\00_Administration\00A_EL** folder.

  5. Use an MD5 calculator to create an MD5 checksum of YY-MM-FNBF_EL.pdf. Create a text file, copy the checksum to that file and save the text file as YY-MM-FNBF_EL_hash.txt.
    Note 1:
    In case of physical Engagement Letter:
    1. Use an MD5 calculator to create an MD5 checksum of YY-MM-ABCD_EL.tif. Create a text file, copy the checksum to that file and save the text file as YY-MM-ABCD_EL_hash.txt in the YY-MM-ABCD\00_Administration\00A_ELfolder.
    2. Return the hard copy of the EL to the person from whom you originally obtained it.

    1. Compose an email to all members of your EGS Security Solutions asking if anyone has a direct or indirect financial interest in the client you are preparing to engage.
    2. The subject line of the email should be “Independence Check: -<name of client>.”
    3. The wording of the email should be similar to the following:
    “Please send all replies to <your email address>.
    The <Licensed Partnership> office has proposed on <client's name>. If you have any direct or indirect financial interest in <client's name> please respond to this email by adding your surname and the words 'Possible Conflict' in the subject line. If you do not have a direct or indirect financial interest, please respond by adding your surname and the words 'No Conflict' in the subject line. Below are two examples. Thank you.”
    Possible conflict: Independence Check – ABCD Smith Possible Conflict
    No conflict: Independence Check – ABCD Smith No Conflict”
    Note:
    We will not conduct this task for this exercise. This task is given here for your reference in a real time pen testing assignment.

    1. As responses arrive, review the subject line of the email.
    2. Forward emails indicating a possible conflict of interest to the Human Resources Department for research.
    3. Save a copy of each email as an individual text file to the YY-MM-DD-ABCD\00_Administration\****00Y_ICfolder.
    4. Save all responses indicating no conflict of interest directly to the YY-MM-DD-ABCD\00_Administration\****00Y_ICfolder as individual text files.
    5. When all responses have been accounted for:
      1. Move the contents of the 00Y_ICfolder to an archive, naming the archive file as YY-MM-ABCD_IC.zip.
      2. Use an MD5 calculator to create an MD5 checksum for the archive file.
      3. Create a text file and copy the checksum to that file.
      4. Save the text file as YY-MM-ABCD_IC_hash.txt.
    Note:
    We will not conduct this task for this exercise. This task is given here for your reference in a real time pen testing assignment.

    1. Delete all emails concerning the Independence Check from the Inbox, Sent Items, and other email client folders of the email clients used to send or receive the emails.
    2. Use “privacy software” to wipe the free space on the local hard drives of the hosts used.
    Note:
    We will not conduct this task for this exercise. This task is given here for your reference in a real time pen testing assignment.

  6. Navigate to the YY-MM-DD-FNBF**\00_Administration\00B_ProjPlan** folder on the Desktop and rename Master_Plan.xml to YY-MM-FNBF**_ProjPlan.xml**.

  7. Open the YY-MM-FNBF**_ProjPlan.xml** file with OpenProj tool and review the tasks listed in the left pane of the Gantt chart. Delete or add tasks according to this engagement.
    Note 1:
    You need OpenProj software to open the .xml file. You can also download the OpenProj software from the http://sourceforge.net/projects/openproj/files/OpenProj%20Binaries/1.4link.
    Note 2:
    The sample .xml file contains only some of the tasks that need to be performed. You need to add or remove tasks and details to this project plan based on the Engagement Letter for this exercise.

  8. Assign resources (equipment and personnel) to project tasks.
    Note:
    The Exercise 2 of Module 03: Pre-penetration Testing Steps lab demonstrates how to install and use the OpenProj software.

  9. Once all modifications have been made, save the changes to the project plan.
After this lab, you understand the pre-execution administration tasks and how to organization a penetration testing engagement step-by-step
Share this article :

0 comments:

Post a Comment

 
Trung Tâm Đào Tạo An Toàn Thông Tin Học Hacker Mũ Xám Online | Học An Ninh Mạng Trực Tuyến | CEH VIỆT NAM
Copyright © 2013. HACKER MŨ XÁM - All Rights Reserved
Web Master @ Võ Sĩ Máy Tính
Contact @ Đông Dương ICT