Rules of engagement

General checklist

  1. Ensure all questionnaire information has been completed. In-scope IP addresses are needed the business day before testing. Once the scope IP addresses have been provided:

  2. Confirm that ALL IP addresses provided are in scope, especially if the client supplied subnet ranges (e.g. 10.0.0.0/24, where the /24 suffix is the CIDR prefix length that defines the size of the range).

  3. Check whether the scope allows a maximum of 'X' hosts but the client has handed you a larger number of hosts. In that case, remind the client of the scope and ask them to narrow the target hosts/networks down to match what they paid for and the assessment window.
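As an added example (not part of the original checklist), the following Python script implements steps 2 and 3: it checks a client-supplied target list against the authorized scope from the questionnaire, flags anything outside it, and counts usable hosts against the contracted maximum. The authorized scope, target list and host limit are constructed sample values.

```python
import ipaddress

# Constructed sample values for illustration only (not a real engagement).
AUTHORIZED_SCOPE = ["10.0.0.0/24", "192.0.2.10"]          # from the signed questionnaire
CLIENT_TARGETS = ["10.0.0.0/24", "10.0.0.5", "192.0.2.10", "198.51.100.0/28"]
MAX_HOSTS = 100                                          # contracted maximum


def parse_scope(entries):
    """Turn single IPs and CIDR blocks into ip_network objects (a bare IP becomes a /32)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def usable_hosts(nets):
    """Count usable host addresses, de-duplicating overlapping or nested networks."""
    total = 0
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        for n in ipaddress.collapse_addresses(same_family):
            # Point-to-point (/31, /127) and host (/32, /128) blocks have no
            # network/broadcast addresses to subtract.
            if n.prefixlen >= n.max_prefixlen - 1:
                total += n.num_addresses
            else:
                total += n.num_addresses - 2
    return total


def check_targets(authorized, targets, max_hosts):
    """Split client-provided targets into in-scope and out-of-scope, and compare
    the in-scope host count against the contracted maximum."""
    auth = parse_scope(authorized)
    in_scope, out_of_scope = [], []
    for t in parse_scope(targets):
        if any(t.version == a.version and t.subnet_of(a) for a in auth):
            in_scope.append(t)
        else:
            out_of_scope.append(str(t))
    count = usable_hosts(in_scope)
    return {"in_scope_hosts": count, "out_of_scope": out_of_scope, "over_limit": count > max_hosts}


if __name__ == "__main__":
    result = check_targets(AUTHORIZED_SCOPE, CLIENT_TARGETS, MAX_HOSTS)
    print(result)
    if result["out_of_scope"]:
        print("Not in the authorized scope, confirm with the client before testing:", result["out_of_scope"])
    if result["over_limit"]:
        print("Target count exceeds the contracted maximum; ask the client to narrow the scope.")
```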

  4. Are any targets legacy or fragile systems which may need additional care to preserve uptime?

  5. What is your biggest priority in protecting?

  6. What is your account lockout policy? Should we encounter a login interface and attempt password spraying, we want to avoid causing lockout disruptions. Note: if the client does not know, the easiest way to find this is to open a command prompt and run net accounts.

  7. Also check:

     Lockout threshold
     Lockout duration
     Lockout observation window

  8. Does your network or any web application store/process personal information or PCI data (credit cards, bank accounts, financial statements)? Should this be prioritized?

  9. Does the network have any segmentation that we should be aware of?

  10. Will a valid domain user account be provided for testing, simulating the initial compromise of a single employee's credentials/workstation?

  11. When onsite, are we permitted to interact with unlocked employee workstations?

  12. Will we be facing controls such as Cisco ISE or NAC (Network Access Control)? If yes, are we allowed to physically bypass these controls by moving around the building and searching for unsecured ports / hijacking ports from other devices such as printers/phones/audio equipment?

  13. Can we test into the evening / after normal business hours?

  14. On arrival at the site, should we immediately introduce ourselves to a receptionist? Or are we permitted to simply walk in, see if we are stopped, and if not, find a desk/open network port and begin initial testing?

  15. Dress code?
