Questionnaire for Pen Test.

    • #6432
      COm_BOY
      Participant

      I require a formal questionnaire which would be provided to the client, used for a penetration test.

      If no one has it, how about some of you guys list some of the questions which you might ask, considering the fact that the pen test is of network + web app.

    • #39987
      MaXe
      Participant

      @COm_BOY wrote:

      I require a formal questionnaire which would be provided to the client, used for a penetration test.

      If no one has it, how about some of you guys list some of the questions which you might ask, considering the fact that the pen test is of network + web app.

      Take a look at the OSSTMM pentest framework, or the PTES framework. If there’s absolutely nothing within these...

      These are some questions I might ask, to make my life easier as a Penetration Tester:
      – Where is the Web App hosted? In-house or outsourced?
      – Which operating system is hosting the Web App?
      – What kind of possible virtualization is being used on the Web App server?
      – Are you using any known CMSs and similar Web Apps, or are you using custom coded applications or a mix?
      – What type of database are you using, if any?
      – Which server-side language is used on the Web App server? (PHP? ASP?)
      – Are you using a well known webserver, if yes, which? If not, coded in-house or via 3rd party?
      – Any particular modules / add-ons you have installed on your webserver?
      – Is it possible for me / us to obtain a copy of the code you host on your webserver, so we can review it for vulnerabilities?

      These are of course technical questions. You might ask these questions as well:
      – Are there any critical web applications, we should avoid using dangerous attacks on?
      – Is there a mirrored backup server, for us to test the web application(s)?

      Well, there’s a lot more and these are just some of my contributions. About networks in short: Topology, Switches, Routers, Protocols, etc.

      Good luck, I hope some of these questions were useful, even though you should use those you believe are the right ones to use 🙂

    • #39988
      tturner
      Participant

      That really depends, are you talking about questions for a scoping exercise?

      MaXe’s questions are good, but before you get to that point you need to have a clear understanding of what they are trying to protect and why. What vectors are the likeliest threats? You want to model what the customer is most likely to face and attack the assets most likely to be attacked. What is the purpose of the test? Are you testing the blue team response times and capabilities, or is this test announced? Not all pentests are created equal; you really need to understand the objectives before you can even begin to structure your test.

      Some questions I like to ask include:

      What is my target?
      What systems are in scope?
      What systems are off limits?
      When can I test?
      When must I never test?
      What tools and techniques can I use (or not use, e.g. DDoS, social engineering, physical, etc.)?
      Who is my PoC for the test?
      Is the test announced?
      Where can I test from? (internal, DMZ port, internet remote site, etc)

      If doing a physical test, I like to know if the security guards are armed *gulp*

      Also, if possible, get copies of network diagrams, application maps, past risk assessments, audits and pentests relevant to the scope of your test. It will give you a good starting point and help you understand what you need to be doing and where the customer has been. After all, you are another step on their security journey and you want to move them further down the road, not backwards.
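      The scoping answers tturner lists above (what is in scope, what is off limits, when testing is allowed, which techniques are excluded) can be captured as data and checked before every test action, so a tester cannot drift outside the agreed rules of engagement. This is an added example, not code from the thread; the address ranges, testing window and banned techniques are constructed sample values.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """Answers to the scoping questions, stored as data the tester can check against."""
    in_scope: list[str]                          # "What systems are in scope?" (CIDRs)
    off_limits: list[str]                        # "What systems are off limits?" (CIDRs)
    windows: list[tuple[set[int], time, time]]   # "When can I test?" (weekdays 0=Mon, start, end)
    banned_techniques: set[str]                  # "What techniques can I not use?"

    def host_allowed(self, host: str) -> bool:
        addr = ip_address(host)
        # An explicit exclusion always wins over a broader in-scope range.
        if any(addr in ip_network(net) for net in self.off_limits):
            return False
        return any(addr in ip_network(net) for net in self.in_scope)

    def time_allowed(self, when: datetime) -> bool:
        return any(when.weekday() in days and start <= when.time() <= end
                   for days, start, end in self.windows)

    def technique_allowed(self, technique: str) -> bool:
        return technique.lower() not in self.banned_techniques

    def check(self, host: str, when: datetime, technique: str) -> list[str]:
        """Return the reasons an action falls outside scope; an empty list means it is allowed."""
        reasons = []
        if not self.host_allowed(host):
            reasons.append(f"{host} is off limits or not in scope")
        if not self.time_allowed(when):
            reasons.append(f"{when:%A %H:%M} is outside the agreed testing window")
        if not self.technique_allowed(technique):
            reasons.append(f"technique '{technique}' was excluded by the client")
        return reasons


# Constructed sample: documentation address ranges, weekday evenings only, no DDoS/social/physical.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    off_limits=["203.0.113.10/32"],          # e.g. a production database the client excluded
    windows=[({0, 1, 2, 3, 4}, time(20, 0), time(23, 59))],
    banned_techniques={"ddos", "social_engineering", "physical"},
)

if __name__ == "__main__":
    for host, when, tech in [("203.0.113.5", datetime(2021, 6, 14, 21, 0), "port_scan"),
                             ("203.0.113.10", datetime(2021, 6, 13, 9, 0), "ddos")]:
        problems = SAMPLE_ROE.check(host, when, tech)
        print(host, tech, "OK" if not problems else "; ".join(problems))
```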

    • #39989
      MaXe
      Participant

      @tturner wrote:

      Some questions I like to ask include:

      What is my target?
      What systems are in scope?
      What systems are off limits?
      When can I test?
      When must I never test?
      What tools and techniques can I use (or not use, e.g. DDoS, social engineering, physical, etc.)?
      Who is my PoC for the test?
      Is the test announced?
      Where can I test from? (internal, DMZ port, internet remote site, etc)

      I completely agree that you should ask these questions first when defining the scope 🙂

    • #39990
      tturner
      Participant

      I’ve seen some really badly defined scopes before. One I saw read something like “Exploit discovered vulnerabilities on organization machines” with no further clarification. Problem is target organizations often don’t even understand why they are getting the test done, other than PCI or similar.

    • #39991
      MaXe
      Participant

      @tturner wrote:

      I’ve seen some really badly defined scopes before. One I saw read something like “Exploit discovered vulnerabilities on organization machines” with no further clarification. Problem is target organizations often don’t even understand why they are getting the test done, other than PCI or similar.

      Nice example  🙂

      I agree that such a scope is too vast and should be avoided, even if it’s a simulated black hat attack (with legal permission of course). A scope with no clearly defined targets could be extremely large if it’s a large enterprise corporation that is undergoing a penetration test. (The 10,000 PCs example: if scanning all TCP ports is required, even with one single machine it may take a very long time, especially if all UDP ports have to be scanned too.)

    • #39992
      peta909
      Participant

      I group the questions into PPT.

      1. People
      Know the various groups of users of the system and their roles.
      E.g. sys admins, monitoring team

      2. Processes
      Backup processes, patch processes, incident response processes

      3. Technologies
      Have a system architecture diagram and data flow diagram to show how the various machines communicate with one another.

    • #39993
      Michael J. Conway
      Participant

      Find out what the overall objective is. Do they have a specific objective in mind, or is it a free-for-all and just see what you can get? Oh, and ask for a “Get out of jail free card”.

    • #39994
      morpheus063
      Participant

      A sample questionnaire – this might help:

      Penetration Testing – Scoping


Copyright ©2021 Caendra, Inc.