Questionnaire for Pen Test.

COm_BOY

Full Member

Posts: 129

Joined: Tue Feb 03, 2009 10:40 am

Post Thu May 26, 2011 2:14 pm

Questionnaire for Pen Test.

I require a formal questionnaire which would be provided to the client for a penetration test.

If no one has one, how about some of you guys list some of the questions you might ask, considering the fact that the pen test is of network + web app.
It has become appallingly obvious that our technology has exceeded our humanity.

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu May 26, 2011 3:41 pm

Re: Questionnaire for Pen Test.

COm_BOY wrote: I require a formal questionnaire which would be provided to the client for a penetration test.

If no one has one, how about some of you guys list some of the questions you might ask, considering the fact that the pen test is of network + web app.


Take a look at the OSSTMM pentest framework, or the PTES framework. If there's absolutely nothing within these...

These are some questions I might ask, to make my life easier as a Penetration Tester:
- Where is the Web App hosted? In-house or outsourced?
- Which operating system is hosting the Web App?
- What kind of possible virtualization is being used on the Web App server?
- Are you using any known CMSs and similar Web Apps, or are you using custom coded applications or a mix?
- What type of database are you using, if any?
- Which server-side language is used on the Web App server? (PHP? ASP?)
- Are you using a well known webserver, if yes, which? If not, coded in-house or via 3rd party?
- Any particular modules / add-ons you have installed on your webserver?
- Is it possible for me / us to obtain a copy of the code you host on your webserver, so we can review it for vulnerabilities?

These are of course technical questions. You might ask these questions as well:
- Are there any critical web applications we should avoid using dangerous attacks on?
- Is there a mirrored backup server for us to test the web application(s) on?

Well, there's a lot more and these are just some of my contributions. About networks in short: Topology, Switches, Routers, Protocols, etc.


Good luck, I hope some of these questions were useful, even though you should use those you believe are the right ones to use :)
I'm an InterN0T'er

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri May 27, 2011 7:42 am

Re: Questionnaire for Pen Test.

That really depends, are you talking about questions for a scoping exercise?

MaXe's questions are good, but before you get to that point you need to have a clear understanding of what they are trying to protect and why. What vectors are the likeliest threats? You want to model what the customer is most likely to face and attack the assets most likely to be attacked. What is the purpose of the test? Are you testing the blue team response times and capabilities or is this test announced? Not all pentests are created equal, you really need to understand the objectives before you can even begin to structure your test.

Some questions I like to ask include:

What is my target?
What systems are in scope?
What systems are off limits?
When can I test?
When must I never test?
What tools and techniques can I use (or not use, e.g. DDoS, social engineering, physical, etc.)?
Who is my PoC for the test?
Is the test announced?
Where can I test from? (internal, DMZ port, internet remote site, etc)

If doing a physical test, I like to know if the security guards are armed *gulp*

Also, if possible get copies of network diagrams, application maps, past risk assessments, audits and pentests relevant to the scope of your test. It will give you a good starting point and help you understand what you need to be doing and where the customer has been. After all, you are another step on their security journey and you want to move them further down the road, not backwards.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
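A small rules-of-engagement guard, added here as an example (not tturner's code or anything from the thread), that turns the scoping answers above (what is in scope, what is off limits, when testing is allowed) into a check that runs before any test traffic is sent; all ranges, hosts and time windows below are constructed sample values.

```python
# Added example: a rules-of-engagement guard built from scoping answers.
# Every CIDR, host and window here is a constructed sample, not a real scope.
import ipaddress
from datetime import datetime, time

# Constructed scope, as it would be agreed with the client's point of contact.
# Weekday numbering follows datetime.weekday(): Monday = 0 ... Sunday = 6.
SCOPE = {
    "in_scope": ["10.10.0.0/16", "192.0.2.0/24"],
    "off_limits": ["10.10.5.0/24", "192.0.2.17"],      # e.g. a production DB segment
    "windows": [(0, time(22, 0), time(23, 59, 59)),    # Monday night only
                (5, time(0, 0), time(23, 59, 59)),     # all day Saturday
                (6, time(0, 0), time(23, 59, 59))],    # all day Sunday
}

def _nets(cidrs):
    # Single hosts become /32 networks, so one membership test covers both.
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def check_target(target, when, scope=SCOPE):
    """Return (allowed, reason) for one target address at a given time.

    `when` is a datetime or an ISO 8601 string in the client's local time.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    addr = ipaddress.ip_address(target)
    # Exclusions are authoritative: "off limits" wins over any in-scope range.
    if any(addr in n for n in _nets(scope["off_limits"])):
        return False, f"{target} is explicitly off limits"
    if not any(addr in n for n in _nets(scope["in_scope"])):
        return False, f"{target} is not in any in-scope range"
    wd, t = when.weekday(), when.time()
    if not any(wd == d and start <= t <= end for d, start, end in scope["windows"]):
        return False, f"{when.isoformat()} is outside the agreed testing window"
    return True, "allowed"

def filter_targets(targets, when, scope=SCOPE):
    """Split a candidate host list into (allowed, denied_with_reasons)."""
    allowed, denied = [], []
    for t in targets:
        ok, why = check_target(t, when, scope)
        (allowed if ok else denied).append(t if ok else (t, why))
    return allowed, denied
```

Feeding every candidate host through `filter_targets` before a scanner runs turns the "what is off limits" and "when must I never test" answers into something enforced rather than remembered.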

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat May 28, 2011 10:00 am

Re: Questionnaire for Pen Test.

tturner wrote:Some questions I like to ask include:

What is my target?
What systems are in scope?
What systems are off limits?
When can I test?
When must I never test?
What tools and techniques can I use (or not use, e.g. DDoS, social engineering, physical, etc.)?
Who is my PoC for the test?
Is the test announced?
Where can I test from? (internal, DMZ port, internet remote site, etc)


I completely agree that you should ask these questions first when defining the scope :)
I'm an InterN0T'er

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Sat May 28, 2011 8:20 pm

Re: Questionnaire for Pen Test.

I've seen some really badly defined scopes before. One I saw read something like "Exploit discovered vulnerabilities on organization machines" with no further clarification. Problem is target organizations often don't even understand why they are getting the test done, other than PCI or similar.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sun May 29, 2011 5:28 am

Re: Questionnaire for Pen Test.

tturner wrote:I've seen some really badly defined scopes before. One I saw read something like "Exploit discovered vulnerabilities on organization machines" with no further clarification. Problem is target organizations often don't even understand why they are getting the test done, other than PCI or similar.


Nice example  :)

I agree that such a scope is too vast and should be avoided, even if it's a simulated black hat attack (with legal permission, of course). A scope with no clearly defined targets could be extremely large if it's a large enterprise corporation that is undergoing a penetration test. (The 10,000 PCs example: if scanning all TCP ports is required, even with one single machine it may take a very long time, especially if all UDP ports have to be scanned too.)
Last edited by MaXe on Sun May 29, 2011 5:31 am, edited 1 time in total.
I'm an InterN0T'er

peta909

Newbie

Posts: 3

Joined: Tue Apr 05, 2011 11:30 pm

Post Wed Jun 01, 2011 9:23 pm

Re: Questionnaire for Pen Test.

I group the questions into PPT.

1. People
Know the various groups of users of the system and their roles.
E.g. sys admins, monitoring team

2. Process
Backup processes, patch processes, incident response processes

3. Technologies
Have a system architecture diagram and data flow diagram to show how the various machines communicate with one another.

sgt_mjc

Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Sat Jun 04, 2011 10:38 pm

Re: Questionnaire for Pen Test.

Find out what the overall objective is. Do they have a specific objective in mind or is it a free for all and just see what you can get? Oh, and ask for a "Get out of jail free card".
Mike Conway
CISSP
CompTIA Security+
C|EH

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Thu Dec 15, 2011 2:26 am

Re: Questionnaire for Pen Test.

A sample questionnaire - this might help:

Penetration Testing - Scoping
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n
