Scenario and Kickoff
Our client, Keym4ker Inc., has contracted our company, Clo4k & D4gger Security, Ltd., to perform a full-scope External Penetration Test to assess their perimeter security. The customer has asked us to identify as many vulnerabilities as possible; therefore, evasive testing is not required. They would like to see what sort of access can be achieved by an anonymous user on the Internet. Per the Rules of Engagement (RoE), if we can breach the DMZ and gain a foothold into the internal network, they would like us to see how far we can take that access, up to and including Active Directory domain compromise. The client has not provided web application, VPN, or Active Directory user credentials. The following domain and network ranges are in scope for testing:
| External Testing | Internal Testing |
|---|---|
| 192.168.x.x ("external" facing target host) | 172.16.x.x/23 |
The customer has provided the primary IP and internal networks but has not given specifics on the exact subdomains within this scope nor the "live" hosts we will encounter within the network. They would like us to perform discovery to see what type of visibility an attacker can gain against their external network (and internal if a foothold is achieved).
Automated testing techniques such as enumeration and vulnerability scanning are permitted, but we must work carefully not to cause any service disruptions. The following are out of scope for this assessment:
- Phishing/Social Engineering against any Keym4ker employees or customers
- Physical attacks against Keym4ker facilities
- Destructive actions or Denial of Service (DoS) testing
- Modifications to the environment without written consent from authorized Keym4ker IT staff
Project Kickoff
At this point, we have a Scope of Work (SoW) signed by both our company management and an authorized member of the Keym4ker IT department. This SoW document lists the specifics of the testing, our methodology, the timeline, and agreed-upon meetings and deliverables. The client also signed a separate Rules of Engagement (RoE) document, commonly known as an Authorization to Test document. This document is crucial to have in hand before beginning testing and lists out the scope for all assessment types (URLs, individual IP addresses, CIDR network ranges, and credentials, if applicable). This document also lists key personnel from the testing company and Keym4ker (a minimum of two contacts for each side, including their cell phone number and email address). The document also lists out specifics such as the testing start and stop date, and the allowed testing window.
We have been given one week for testing and two additional days to write our draft report (which we should be working on as we go). The client has authorized us to test 24/7 but asked us to run any heavy vulnerability scans outside regular business hours (after 18:00 Manila time). We have checked all necessary documents and have the required signatures from both sides, and the scope is filled in entirely, so we are good to go from an administrative perspective.
Start of Testing
It is first thing Monday morning, and we are ready to begin testing. Our testing VM is set up and ready to go, and we've built a skeleton directory structure and note template in our favorite notetaking tool. While our initial discovery scans run, as always, we will fill in as much of the report template as possible. This is one small efficiency we can gain while waiting for scans to complete, freeing up the time we have for hands-on testing. We have drafted the following email to signal the start of testing and copied all necessary personnel.
Good morning,
This email is to notify you that the External Penetration Testing against Keym4ker internet-facing network assets has begun. All testing traffic will originate from the following IP address: 192.168.x.x
While we do not anticipate disruptions during testing, if any issues arise, please do not hesitate to reach out via the mobile number or email address in my signature line.
If I am unavailable for any reason, the secondary contact for this engagement will be:
Neo Teh
Security Consultant
(02)-123-4567
As discussed during the kickoff call, I will send out a vulnerability notification for any high-risk vulnerabilities uncovered against your public-facing hosts. The assessment will begin with manual and automated information gathering and enumeration scripts, then proceed to manual testing and validation of scan results.
Thank you, and I look forward to a productive assessment.
Best,
Jason Bourne, OSCE3
Principal Security Consultant