HTB CPTS: Pre-Engagement Stage

This is the stage where we prepare for the actual penetration test. It is the place to ask questions, as many as we can.
It is also the stage where we communicate with the client: we establish what they need and, once that is agreed, we hold a kick-off meeting.
Before any detailed discussion begins, both parties sign a Non-Disclosure Agreement (NDA).
We must also establish who in the company is authorised to contract us for a penetration test. An employee who wants to sabotage their own employer could otherwise try to commission an unauthorised test.
There are some documents that we need to prepare:
| Document | Timing of Creation |
|---|---|
| 1. Non-Disclosure Agreement (NDA) | After initial contact |
| 2. Scoping Questionnaire | Before the pre-engagement meeting |
| 3. Scoping Document | During the pre-engagement meeting |
| 4. Penetration Testing Proposal (Contract / Scope of Work (SoW)) | During the pre-engagement meeting |
| 5. Rules of Engagement (RoE) | Before the kick-off meeting |
| 6. Contractors Agreement (physical assessments) | Before the kick-off meeting |
| 7. Reports | During and after the penetration test |
These documents should be reviewed by a lawyer after preparation.
We also need to be sure that we can deliver the assessment our client requires.
Here is a list of questions that are worth asking:
| Question |
|---|
| How many live hosts are expected? |
| How many IPs / CIDR ranges are in scope? |
| How many domains / subdomains are in scope? |
| How many wireless SSIDs are in scope? |
| How many web / mobile applications? If testing is authenticated, how many roles (standard user, admin, etc.)? |
| For a phishing assessment, how many users will be targeted? Will the client provide a list, or will we be required to gather it via OSINT? |
| If the client is requesting a physical assessment, how many locations? If multiple sites are in scope, are they geographically dispersed? |
| What is the objective of the red team assessment? Are any activities (such as phishing or physical security attacks) out of scope? |
| Is a separate Active Directory security assessment desired? |
| Will network testing be conducted as an anonymous user on the network or as a standard domain user? |
| Do we need to bypass Network Access Control (NAC)? |
The final question is what kind of test it will be: black box (no internal information is given to us), grey box (some information, such as IP ranges or low-privileged credentials, is provided) or white box (full information, such as source code, configuration and credentials).
The answers are what we need to estimate the effort and determine the timeline.
After that we prepare a Scoping Document.
Pre-Engagement Meeting
In this meeting we discuss and explain all relevant and essential components of the penetration test with the customer before it begins.
This phase typically takes place via e-mail and in an online conference call or an in-person meeting.
We may encounter clients who are undergoing their first ever penetration test, or whose point of contact (PoC) is not familiar with the process. It is not uncommon to use part of the pre-engagement meeting to review the scoping questionnaire, either in part or step by step.
Other important parts
If in-scope systems are hosted or managed by third parties (for example a cloud or hosting provider), we need written confirmation that they are aware of the penetration test and permit it.
It is also important to determine limitations and restrictions: which systems, techniques or times are off limits.
We must stay within the client's wishes and never do more than the client has agreed to.
Rules of Engagement
Here is a checklist for the Rules of Engagement:
| Checkpoint | Contents |
|---|---|
| Introduction | Description of this document. |
| Contractor | Company name, contractor's full name, job title. |
| Penetration Testers | Company name, pentesters' full names. |
| Contact Information | Mailing addresses, e-mail addresses and phone numbers of all client parties and penetration testers. |
| Purpose | Description of the purpose of the penetration test. |
| Goals | Description of the goals that should be achieved with the penetration test. |
| Scope | All IPs, domain names, URLs or CIDR ranges. |
| Lines of Communication | Online conferences, phone calls, face-to-face meetings or e-mail. |
| Time Estimation | Start and end dates. |
| Time of the Day to Test | Times of the day at which testing is allowed. |
| Penetration Testing Type | External / internal penetration test, vulnerability assessment, social engineering. |
| Penetration Testing Locations | Description of how the connection to the client network is established. |
| Methodologies | OSSTMM, PTES, OWASP and others. |
| Objectives | Users, specific files, specific information and others. |
| Evidence Handling | Encryption, secure protocols. |
| System Backups | Configuration files, databases and others. |
| Information Handling | Strong data encryption. |
| Incident Handling and Reporting | Cases for contact, pentest interruptions, type of reports. |
| Status Meetings | Frequency of meetings, dates, times, included parties. |
| Reporting | Type, target readers, focus. |
| Retesting | Start and end dates. |
| Disclaimers and Limitation of Liability | System damage, data loss. |
| Permission to Test | Signed contract, contractors agreement. |
We must also inform the customer about the potential risks of a penetration test (for example service disruption or system instability).
We must make clear that the customer has to contact us immediately if the penetration test negatively impacts their network, so that testing can be paused.
Explaining the process demonstrates our professional approach.
Contractors Agreement
If the penetration test includes a physical component, different laws apply (for example trespassing and breaking-and-entering laws), so a separate agreement is signed that serves as our "get out of jail free" card: proof that we were authorised to be on the premises.
Here’s a checklist:
☐ Introduction
☐ Contractor
☐ Purpose
☐ Goal
☐ Penetration Testers
☐ Contact Information
☐ Physical Addresses
☐ Building Name
☐ Floors
☐ Physical Room Identifications
☐ Physical Components
☐ Timeline
☐ Notarization
☐ Permission to Test
Outro
I'm studying for the HTB CPTS certification. The information you've just read is my knowledge base for the future.
I invite you to check out Hack The Box for amazing courses and challenges.