# CPENT iLab筆記 - Module 02: Penetration Testing Scoping and Engagement Methodology
Objective
The objective of this lab is to understand the pre-penetration testing steps and pre-execution administration issues.
Scenario
There is much more to an engagement than “throwing packets at the network” and, like most things in life, an engagement begins and ends with paperwork.
As an Engagement Team Leader (ETL) or Engagement Team Member (ETM), you perform several non-billable, administrative tasks in order to ensure a successful and profitable engagement. Although these tasks do not generate income in and of themselves, when executed properly, they help to ensure the greatest margin of profitability for engagements.
In the rush to begin billable time on an engagement, it is easy to succumb to the temptation of “cutting corners”, especially for non-billable activities and administration. Do not yield to this temptation. Profit is counted not only by the number of dollars in the bank but also by the customer loyalty, references and referrals resulting from a well planned and executed engagement.
The information technology security business is a business like no other. First, you are not selling a tangible item. You can't hold security in your hands. You can't smell it, taste it or feel it. It is an intangible “peace of mind” like the feeling you have when purchasing life or health insurance. Indeed, it is a form of insurance; insurance against an attack that could ruin your client's business or reputation. However, like insurance, there are no guarantees. You cannot “guarantee” to your client that they will never be attacked or that an attack will not be successful as a result of the work you perform on an engagement. You work in concert with the management at your clients to identify ways in which the security of their business information could be compromised and recommend appropriate mitigation strategies for discovered problems. However, you can help to ensure that the report presented to your clients is as accurate and comprehensive as possible, thereby diminishing the possibility of a successful attack. In addition, you must take every possible precaution to ensure that your clients' data is not compromised while it is in your possession.
Some of the administrative tasks may seem excessive or unnecessary to you. These tasks help ensure the security of client data and demonstrate to your clients that you and your company take security very seriously. Don't cut corners!
You start with reviewing the Engagement Letter (EL) to understand what you and your team members will be required to do during the engagement, set up the engagement folders you will need to store the engagement data, and perform due diligence for conflicts of interest. You prepare the initial draft copies of engagement control and other documents, establish contact with the client and, in coordination with the Target Organization (TORG), ensure that all documentation is correct and in compliance with the TORG's expectations as defined in the EL.
In addition to these administrative control activities, you also coordinate personnel and logistical issues.
You first prepare and then update, as required, a plan of how you will conduct the project, scheduling when various portions of the work specified in the EL will occur and which of your team members will participate in the engagement. Individual vulnerability discovery, analysis and penetration testers are assigned to the engagement, forming the penetration test team. Secure communication channels are established with the client to transmit communications containing sensitive information.
Transportation and lodging requirements are determined. At the conclusion of this phase, the Engagement Team Leader issues a mission briefing to the penetration test team to allow them the maximum amount of time to prepare for the next phase, the execution of the engagement.
------------------
## Exercise 1: Penetration Testing Project Planning and Scheduling Using GanttProject
Scenario
Project planning is part of project management, which relates to the use of schedules such as Gantt charts to plan and subsequently report progress within the project environment. GanttProject helps you to plan your penetration testing projects in an effective and timely manner. Project planning and scheduling projects will help you to in maximizing use of resources effectively and meeting deadlines. As an expert penetration tester, you must understand how to plan and schedule activities in penetration testing projects using GanttProject tool.
Lab Duration: 5 Minutes
1. Click Windows Server 2019 and click Ctrl+Alt+Delete.
2. In the password field click Pa$$w0rd and press Enter
Note: You can use the Type Password option from the Commands menu to enter the password.
3. To install GanttProject, navigate to E:\CPENT Module 02 Penetration Testing Scoping and Engagement Methodology\GanttProject, double-click ganttproject-2.8.11-r2396.exe and follow the steps to install GanttProject.
Notice: If an Open File - Security Warning window appears click Run.
4. To launch, GanttProject double-click the GanttProject icon on the Desktop.
5. The main window of GanttProject appears as shown in the screenshot.
6. In the GanttProject main window, go to Project and click New to create a new project for planning and scheduling.
7. The Create new project window appears, on the screen. In Step 1 enter the name of your project, the name of the target organization, its website and the Description of the project. Here we use SamplePentest as the name of the project, target organization as LuxuryTreats, Its URL as http://www.luxurytreats.com. Write something about the project in the Description text area. Click Next.
8. Leave the default value as it is in Step 2 and click Next.
9. Again, leave the default values as it is for Step 3 and click Ok.
10. Go to Tasks menu and click New task.
11. The New Task will be added under Gantt tab with its default name as shown in the screenshot.
12. Rename the default name with your penetration task as External Penetration Testing. Schedule this task by specifying the Begin date and End date for task completion.
Note: If your task is not displayed as a gantt chart in the right pane of the window, click Zoom Out in the upper left corner of the right tab until you view the task defined.
13. Similarly, repeat steps 10 to 12 to create and define the next task in your penetration testing project. Create another task and call it Information Gathering.
14. Repeat steps 10 to 12 to plan and schedule the next task in your penetration testing project. Create another task and call it Study and Analyze. If there is a relation between the two tasks defined, you can specify this relationship with directed arrows as follows.
15. In the right pane, click on the source task and drag it to next task in the relationship. The arrow will be established between these two tasks as shown in the screenshot.
Note: Similarly, define all the tasks and their relations in the Gantt chart. To show the relationship between the two tasks, drag towards the beginning of the associated project to connect. Click on the middle of the task icon and then drag the cursor to next task in the relation to display the relation between two tasks.
16. To define milestones, right-click any Task from left pane under Gantt tab, and click Task Properties from the context menu.
17. Properties for the Task window appears (here, Information Gathering), check Milestone and click Ok.
18. The Milestones are displayed as Diamond symbols in the Gantt chart as shown in the screenshot.
19. Click Resources Chart from the left pane and go to Resources and then click New Resource to assign the resources for your penetration testing project.
Note: Resources can be people, materials, equipment, budget amounts, or anything else. Typically, you might enter the names of people who will work on the tasks as resources.
20. The Resources window will appear. Specify the name, phone, email, role, etc. of the resource as shown in the screenshot, and click Ok.
21. The specified Resource will be added in the Resources Chart tab of the GanttProject.
Note: Similarly, you can add any number of resources and their roles working on your penetration project
22. Go to Project menu and click Export to export the planning and scheduling report.
23. Export Wizard appears, with Select exporter (Step 1 of 2) wizard as shown in the screenshot. It can publish the report in various formats such as Microsoft Project file, Raster image file, HTML report, Comma-Separated-Values file and PDF report. Choose PDF report format and click Next.
24. In Step 2 of Export wizard choose the location where you want to save the report (Here,C:\Users\Administrator) and click Ok to generate a planning and scheduling report in your chosen format.
25. In this task we are generating a pdf format report with the name SamplePentest.pdf and the report is saved in the default location C:\Users\Administrator.
26. The Penetration Planning and Scheduling report will be saved and displayed in .pdf format in the specified location. Double click SamplePentest.pdf
27. Close all the opened windows. You have successfully planned and scheduled the activities in the penetration testing project.
-----------------------------
## Exercise 2: Penetration Testing Project Planning and Scheduling Using OpenProj
Scenario
OpenProj software can help you in planning and scheduling the penetration testing assignment in well-structured and efficient manner. This software is used for controlling, tracking and managing the various projects in the organizations.
Lab Duration: 5 Minutes
1. Click Windows Server 2019 and click Ctrl+Alt+Delete.
Note: If you are already logged in skip to step 3.
2. In the password field click Pa$$w0rd and press Enter
Note: You can use the Type Password option from the Commands menu to enter the password.
3. To launch OpenProj, double-click OpenProj shortcut icon on the Desktop.
4. Serena OpenProj License window appears, click I Accept.
5. The OpenProj main window appears.
Note: The Serena OpenProj Customer Information pop-up appears, register with OpenProj using your email address and click Cancel.
6. The OpenProj main window appears, along with the Tip of the Day pop-up. Click Close.
7. Click Create Project on Welcome to OpenProj window in order to plan and schedule your penetration testing project.
Note: You can also create a new project from File menu i.e., from File -> New Project menu
8. The New Project window appears; enter the name of your project, Start date of project, Name of the Manager, and click OK. Here,
Project Name: RedTeamPlan_Project_Layout
Start date: Mention the date
Manager: John
Notes: Optional.
9. The empty new project is created as shown in the screenshot.
10. Enter the name of the task directly under the Name column and schedule the task by adding start date / time and finish date/time for the task under Start and Finish columns respectively.
Note: The Start date/time and Finish date/time may vary as you perform the tasks. You can also provide preferred Start and Finish date/time accordingly.
Drag the left pane to the right until all the column names are visible.
You can also double-click on column field to fill the task details with Task Information wizard. If the task completes within 8 hours, you can also change the number of hours the task will take with the help of Task Information wizard
11. Go to View -> Resources from the menu to add the resources that will be involved in the project.
12. Enter all the resources details that will be engaged in the activities of project.
13. Now click Gantt tab from the left-hand side (1st tab) and enter the name of the task directly under Name column and schedule the task by adding start date / time and finish date/time for the task under Start and Finish columns respectively.
Note: You can also directly enter the number of days that task will take with the help of Task Information
14. Right Click on the task that you want to have as a subtask, and then click Indent (>) from the context menu to create a new subtask as shown in the screenshot.
15. A new subtask is created as shown in the screenshot. The prior task will get a node option, with which you can expand the tasks.
16. Double-click on the task to which resources must be assigned. Task Information - 1 wizard will pop up. Go to Resources tab and click Assign Resources button. The Assign Resources window will appear; click Assign button to assign resources from available resources.
Note: Once you have assigned the resources, close the Assign Resources.
17. Double-click the task for which you want place notes. Under Task Information - 1 wizard, go to Notes tab and write your note about the task. Click Close.
18. The Note and Assignee will be added in the Task as shown in the screenshot.
19. Go to the File menu and click the Save As option to save the report in .xml format. Choose the file type as .xml from drop-down list and click Save
Note: As this is a free version you cannot save or import the pentest report.
A pop-up appears saying You should only use xml format when exchanging with another application as some data may be lost. Do you want to continue? Click Ok
20. Close all the opened windows. After completion of this lab, you will be aware of how to plan and schedule your penetration testing project with OpenProj.
Sign in with Wallet
Connect another wallet