Preinteractions

The very first phase of a penetration test, preinteractions (the pre-engagement interactions of the Penetration Testing Execution Standard), involves discussing with the client the critical factors regarding the conduct of a penetration test on the client's organization, company, institute, or network. This phase connects the penetration tester with the client and the client's requirements. Preinteractions give the client a clear picture of what is going to be performed against their network, domain, or servers.

The tester therefore acts here as an educator to the client. The penetration tester also agrees on the scope of the test, gathers knowledge of all the domains under the scope of the project, and identifies any special requirements that will be needed while conducting the analysis. These requirements include special privileges, access to critical systems, network or system credentials, and much more. The expected outcomes and deliverables of the project should also be part of the discussion with the client in this phase. As a process, preinteractions cover the following key points:

  • Scope: This section reviews the scope of the project and estimates its size. The scope defines what to include in the test and what to exclude from it. The tester also discusses the IP ranges and domains under scope and the type of test (black box or white box). In the case of a white box test, the tester also discusses the kind of access and the credentials required, and creates, gathers, and maintains questionnaires for administrators. The schedule and duration of the test, whether or not stress testing is included, and payment are also part of the scope. A general scope document provides answers to the following questions:
    • What are the target organization's most significant security concerns?
    • What specific hosts, network address ranges, or applications should be tested?
    • What specific hosts, network address ranges, or applications should explicitly NOT be tested?
    • Are there any third parties that own systems or networks that are in scope, and which systems do they own (written permission must have been obtained in advance by the target organization)?
    • Will the test be performed in a live production environment or a test environment?
    • Will the penetration test include the following testing techniques: ping sweep of network ranges, a port scan of target hosts, vulnerability scan of targets, penetration of targets, application-level manipulation, client-side Java/ActiveX reverse engineering, physical penetration attempts, social engineering?
    • Will the penetration test include internal network testing? If so, how will access be obtained?
    • Are client/end user systems included in the scope? If so, how many clients will be leveraged?
    • Is social engineering allowed? If so, how may it be used?
    • Are denial-of-service attacks allowed?
    • Are dangerous checks/exploits allowed?
  • Goals: This section discusses various primary and secondary objectives that a penetration test is set to achieve. The common questions related to the goals are as follows:
    • What is the business requirement for this penetration test?
    • Is the test required by a regulatory audit or just a standard procedure?
    • What are the objectives?
      • Map out vulnerabilities
      • Demonstrate that the vulnerabilities exist
      • Test the incident response
      • Actual exploitation of a vulnerability in a network, system, or application
      • All of the above
  • Testing terms and definitions: This phase discusses basic terminology with the client and helps the client understand the terms well.
  • Rules of engagement: This section defines the testing times, the timeline, the permissions to attack, and the regular meetings at which the status of the ongoing test is reported. The common questions related to rules of engagement are as follows:
    • At what time do you want these tests to be performed?
      • During business hours
      • After business hours
      • Weekend hours
      • During a system maintenance window
    • Will this testing be done in a production environment?
    • If production environments should not be affected, does a similar environment (development or test systems) exist that can be used to conduct the penetration test?
    • Who is the technical point of contact?
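
The scope answers (what is in, what is explicitly out, which hours are allowed, whether denial of service is permitted) are only useful if the tooling actually honors them. The following script is an added example, not code from the original page or from the standard it references: it encodes those answers as data and gates every target and test time against them before a scanner or exploit is run. The scope values, addresses, domain names and testing windows in it are constructed sample data for a hypothetical client, and the function names are the author's own choice.

```python
"""Pre-engagement scope and rules-of-engagement guard (added example).

Encodes the answers from the scope questionnaire as data and checks each
target and test time against them before any tooling runs. All scope
values below are constructed sample data, not a real engagement.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple, Union


@dataclass
class Scope:
    """What the client agreed to in writing."""
    included: List[str] = field(default_factory=list)   # CIDRs or domain names
    excluded: List[str] = field(default_factory=list)   # CIDRs, IPs or domain names
    # Allowed testing windows as (weekdays, start, end); weekday 0 is Monday
    windows: List[Tuple[Set[int], time, time]] = field(default_factory=list)
    dos_allowed: bool = False


def _matches(target: str, entry: str) -> bool:
    """True if target (an IP address or hostname) falls under a scope entry."""
    try:
        addr = ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        try:
            return addr in ip_network(entry, strict=False)
        except ValueError:
            return False          # entry is a domain name; an IP never matches it
    t = target.lower().rstrip(".")
    e = entry.lower().rstrip(".")
    return t == e or t.endswith("." + e)   # a domain entry covers its subdomains


def classify(target: str, scope: Scope) -> str:
    """Explicit exclusions win: an excluded host is never tested even if a
    broader included range covers it."""
    if any(_matches(target, e) for e in scope.excluded):
        return "excluded"
    if any(_matches(target, e) for e in scope.included):
        return "included"
    return "out-of-scope"


def in_window(when: Union[datetime, str], scope: Scope) -> bool:
    """True if the timestamp (datetime or ISO 8601 string) lies inside one of
    the agreed testing windows; windows may cross midnight (e.g. 20:00-06:00)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    t = when.time()
    for days, start, end in scope.windows:
        if when.weekday() not in days:
            continue
        if start <= end:
            if start <= t < end:
                return True
        elif t >= start or t < end:   # window wraps past midnight
            return True
    return False


def authorize(target: str, when: Union[datetime, str], scope: Scope,
              dos: bool = False) -> Tuple[bool, str]:
    """Gate a single test action; returns (allowed, reason) and never raises."""
    status = classify(target, scope)
    if status != "included":
        return False, f"{target} is {status}"
    if not in_window(when, scope):
        return False, "outside the agreed testing window"
    if dos and not scope.dos_allowed:
        return False, "denial-of-service tests were not authorized"
    return True, "ok"


# Constructed sample scope (hypothetical values, not a real client)
SAMPLE_SCOPE = Scope(
    included=["203.0.113.0/24", "example.com"],
    excluded=["203.0.113.200/30", "payments.example.com"],  # third-party / fragile
    windows=[({0, 1, 2, 3, 4}, time(20, 0), time(6, 0)),     # weeknights 20:00-06:00
             ({5, 6}, time(0, 0), time.max)],                # any time at weekends
    dos_allowed=False,
)

if __name__ == "__main__":
    for tgt in ["203.0.113.10", "203.0.113.201", "api.example.com",
                "payments.example.com", "198.51.100.5"]:
        print(tgt, authorize(tgt, "2024-01-08T21:00", SAMPLE_SCOPE))
```

Call authorize() from the wrapper that launches each scan or exploit module and abort on a False result; keep the Scope object in version control next to the signed scope document so that any change to it is traceable to a client approval.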

For more information on preinteractions, refer to: http://www.pentest-standard.org/index.php/File:Pre-engagement.png.