mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-12-18 19:06:08 +00:00
Create scoping.md
This commit is contained in:
parent bbd31319d6
commit a25ba9cdfb
59 methodology/scoping.md Normal file
@ -0,0 +1,59 @@
Certainly! Planning and scoping are critical steps in a penetration testing assessment to ensure that the test achieves its objectives while minimizing risks. Here's how you might go about it:

### Planning Phase

#### Initial Client Meeting
- **Objective**: Understand what the client aims to achieve with the penetration test.
- **Key Questions**:
- What are the key assets you're concerned about?
- What types of attacks or threats are you most concerned with?
- Do you have any compliance requirements (e.g., PCI-DSS, HIPAA)?

#### Documentation Review
- **Objective**: Review existing documentation to understand the network topology, application architecture, and other relevant details.
- **Key Deliverables**:
- Network diagrams
- Application architecture diagrams
- Previous vulnerability assessments or pen test reports

#### Legal and Compliance Checks
- **Objective**: Ensure that all legal requirements are met and permissions are granted.
- **Key Deliverables**:
- Signed contract
- Non-disclosure agreement (NDA)
- Permission to test forms

### Scoping Phase

#### Define Scope
- **Objective**: Clearly outline what is in-scope and out-of-scope.
- **Key Deliverables**:
- List of target IP addresses
- List of target applications
- User roles for testing authenticated areas

#### Determine Timeframe
- **Objective**: Decide the duration of the test.
- **Key Questions**:
- When will the test start and end?
- Are there any blackout periods during which testing should not occur?

#### Resource Allocation
- **Objective**: Decide who will perform the test and what tools will be used.
- **Key Deliverables**:
- Names and credentials of the penetration testers
- List of tools that will be used

#### Success Criteria
- **Objective**: Define what will constitute a successful test.
- **Key Deliverables**:
- Expected outcomes
- Metrics for success (e.g., percentage of high-risk vulnerabilities identified)

#### Finalize Plan
- **Objective**: Consolidate all the above information into a formal test plan.
- **Key Deliverables**:
- Penetration Test Plan document
- Client approval on the plan

By spending ample time on planning and scoping, you're laying a solid foundation for a successful penetration test. This ensures that both the client and the testing team have clear expectations and guidelines, reducing the likelihood of misunderstandings or scope creep.
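Review bot: The first line of the new file opens with "Certainly! ... Here's how you might go about it:", which reads as a pasted chat-assistant reply rather than repository documentation; replace it with a heading such as `# Planning and Scoping` and a one-sentence introduction so the file stands on its own under `methodology/`. Under `#### Define Scope` the objective says "in-scope and out-of-scope" but the deliverables only enumerate in-scope targets; add an explicit out-of-scope list (excluded hosts, IP ranges, and test types) and basic rules of engagement (emergency contact, escalation path, whether production systems are included) so both parties have a written stop condition. The sub-items under each `**Key Questions**` / `**Key Deliverables**` bullet also appear at the same level as their parent in this hunk; if that is how the file is committed, indent them two spaces so they render as nested lists.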