Read the book CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 54
Scoping the Project
During the pre-engagement activities, it is important to have an initial meeting with the customer that allows you to discuss the scope of the project and get an understanding of what the customer’s goals are for the penetration test.
When preparing for the initial meeting with the customer, you should plan out scoping questions that will help you understand the magnitude of the project. Some common questions to ask when determining the scope of the pentest are:
What is the goal of the penetration test? (Why is it being done?)
Is the penetration test going to test internal systems, external systems, or both?
What are the Internet Protocol (IP) ranges of the internal and external systems that are being tested?
What are the internal and external domain names of the systems to be tested?
Does the company own the systems using those IP addresses?
Are there any systems hosted by third-party companies such as an ISP or a cloud provider?
What applications and services will be tested?
What types of tests are to be performed? For example, are you testing physical security and/or social engineering, and are DoS attacks allowed?
If performing an unknown-environment (or black box) test, which is discussed in Chapter 1, the penetration tester is typically responsible for discovering target services, and some would say the target IP addresses. The important point here to remember is that you want the customer to give you the target IP addresses and domain names so that you can be sure you have proper authorization to perform testing on those systems. If it is up to the pentester to discover the IP addresses, especially external IP addresses, the tester runs the risk of performing the penetration test on an unauthorized IP address or system owned by someone else.
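The authorization point above is worth turning into a mechanical check: the customer-supplied IP ranges and domain names become a scope file, and every candidate target is tested against it before any scanning starts. The following is an added example, not code from the book; the CIDR blocks, domains and target list are constructed sample values standing in for what a real customer would provide.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Authorized targets as agreed with the customer in the scoping meeting."""
    networks: list                                   # CIDR strings the customer owns
    domains: list                                    # apex domains; subdomains inherit scope
    exclusions: list = field(default_factory=list)   # CIDRs explicitly carved out (e.g. third-party hosted)

    @staticmethod
    def _nets(items):
        return [ipaddress.ip_network(n, strict=False) for n in items]

    def ip_in_scope(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)              # raises ValueError if not an IP literal
        if any(addr in n for n in self._nets(self.exclusions)):
            return False                             # exclusions win over inclusions
        return any(addr in n for n in self._nets(self.networks))

    def domain_in_scope(self, name: str) -> bool:
        name = name.lower().rstrip(".")
        # exact apex match or a true subdomain; "example.com.evil.test" must not match
        return any(name == d or name.endswith("." + d) for d in self.domains)


def check_targets(scope: Scope, targets: list) -> tuple:
    """Split candidate targets into (allowed, rejected) before any testing begins."""
    allowed, rejected = [], []
    for t in targets:
        try:
            ok = scope.ip_in_scope(t)
        except ValueError:                           # not an IP, treat as a hostname
            ok = scope.domain_in_scope(t)
        (allowed if ok else rejected).append(t)
    return allowed, rejected


# Constructed sample scope and discovery output, not real customer data
SAMPLE_SCOPE = Scope(networks=["203.0.113.0/24", "10.10.0.0/16"],
                     domains=["example.com"],
                     exclusions=["203.0.113.250/32"])
SAMPLE_TARGETS = ["203.0.113.10", "203.0.113.250", "198.51.100.7",
                  "www.example.com", "example.com.evil.test", "mail.example.org"]

if __name__ == "__main__":
    ok, bad = check_targets(SAMPLE_SCOPE, SAMPLE_TARGETS)
    print("in scope:", ok)
    print("rejected:", bad)
```

Anything that lands in the rejected list goes back to the customer for confirmation of ownership and written authorization rather than into the target list.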