Design a pen test

Design a penetration testing project of the target network and systems, by planning all steps in the project.
© Coventry University. CC BY-NC 4.0

Your task

Using one or more of the methodologies discussed earlier, design a penetration testing project of the target network and systems, by planning all steps in the project. Use the comments area below if you wish to share your observations.

The diagram here shows the office IT infrastructure of a software development company. The main network consists of 50 PCs running Windows version 8.1 or 10, a Code Repository server and a File & Printing server both running Windows 2008, two LaserJet printers (CM4540 and M4555) and a database server running MS SQL 2005. The firewall segments the network into an internal network, a Wi-Fi network and a DMZ. The web server is located in the DMZ and uses the MS SQL server as its backend database. You are given access to the Wi-Fi network (the SSID and password are provided).

Your scope includes the entire IT infrastructure, systems and employees, but excludes physical security. The description in the diagram is at a relatively high level, so you would need to make a few assumptions around the specific systems/software and people working there.

This is an exercise to help you get to know a standard penetration testing methodology. There is no right or wrong answer here. Try to be as complete and as thorough as possible in identifying the individual relevant steps. You do not have to identify the tools or perform any of the actual tests yet.

If you do not yet have preferences for a specific methodology, PTES is a good one to start with. However, you will find interesting and useful information in the other methodologies too, so it is a good idea to familiarise yourself with them as well.

We are not expecting to see too much detail. What we are looking for is that all important points and issues of the penetration testing project have been addressed in some way.

Here is some guidance on what to include:

  • A plan that includes all relevant phases, including pre- and post-engagement, as per one of the complete methodologies. Some initial threat modelling should also be included, including type of attackers, their motivation and level of sophistication.
  • The scope should include an initial list of the company's critical assets, as far as they can be identified from the diagram. For example, there is a code repository server, indicating that it is probably a development company, and this server holds one of their high-value assets. Similarly, there is a back-end database on their server, likely to store a list of products as well as clients’ data – the company will have a legal obligation to protect that.
  • Try to use multiple methodologies to complement the different phases of the assessment. For example, the company has a web server, hence it would be good practice to consult the OWASP Testing Guide, which is particularly strong on web application testing. Another good idea would be the use of NIST SP 800-115 to guide the interviews and examination.
This article is from the free online

Ethical Hacking: An Introduction

Created by
FutureLearn - Learning For Life