Network penetration testing, or pentesting, is the practice of testing a computer network or web application to find security vulnerabilities that an attacker could exploit. Pentesting involves using automated tools and manual techniques to probe networks, identify weaknesses, and attempt to circumvent the security controls in place.
The scope of the network penetration testing is to assess the security posture of the CLIENT network infrastructure from an external and internal perspective. The testing will be conducted by a team of cybersecurity.
The testing scope will include:
- IP addresses owned by CLIENT, and domains associated with those IPs
- Web applications accessible via the CLIENT domains
- Email services running on CLIENT domains
- Network segments and routing at the border routers and firewalls
- Critical network services like DNS, DHCP, VPN, etc.
- High value internal systems identified by CLIENT (e.g., file servers, database servers, enterprise resource planning systems, etc.)
- Wireless network access points and the associated SSIDs
Pentesting Methodology There are several established methodologies for conducting a penetration test. They typically follow a cycle of the following steps:
- Planning and scoping – Determining the scope and objectives of the test, coordinating with stakeholders, and gathering necessary information about the target environment.
- Discovery and reconnaissance – Researching the target, discovering network boundaries and entry points, mapping the network architecture, and locating vulnerabilities and weaknesses.
- Threat modeling – Analyzing the potential threats and attacks that could be launched against the target based on the findings from discovery and reconnaissance.
- Vulnerability assessment – Systematically verifying the presence of known vulnerabilities in networks, systems, and applications.
- Exploitation – Attempting to compromise systems and gain access by exploiting vulnerabilities.
- Post-exploitation – Expanding access, pivoting to other systems, escalating privileges, and establishing persistence mechanisms.
- Reporting – Documenting the findings from the penetration test, evaluating the level of risk, and providing remediation recommendations to the stakeholders.
- Remediation and re-testing – Assisting the organization in applying security patches and other fixes, then re-testing to validate that the risks have been properly mitigated.
The penetration testing cycle is meant to be iterative, with the results from each phase informing the next. New vulnerabilities or misconfigurations may be discovered at any point, requiring the pentester to loop back and re-assess threats or attempt further exploitation. The process continues until the agreed upon objectives of the penetration test have been met.
The testing will be conducted as a black box penetration test to simulate an external hacking attempt. The final report with findings and recommendations will help CLIENT strengthen their cybersecurity defenses.
Please note the following constraints and scope considerations for the testing:
- DoS (Denial of Service) attacks will not be performed to avoid disrupting business operations.
- No social engineering will be done as a part of this testing.
- No physical security assessment will be included.
- Wireless networks in the vicinity of CLIENT offices may also be included to assess risks from adjacent network access.
- Cloud infrastructures like Office 365, AWS and Azure used by CLIENT will not be in the scope of this testing.
- Mobile devices, desktops and laptops used by CLIENT employees will not be targeted.
- Detailed vulnerability scanning of internal systems will only be performed on the high value targets approved by CLIENT.
- Attempts will be made to access sensitive data like PII, financial information, user credentials, and intellectual property. However, no sensitive data will be exfiltrated from the CLIENT network.
- Third party systems and networks accessed from CLIENT infrastructure will not be tested.
- Newly deployed systems or networks by CLIENT will be excluded from the testing scope.
The network penetration testing is scheduled to commence from [DATE] and will run for [TIMEFRAME]. The draft report with initial findings will be shared with CLIENT within [TIMEFRAME] after the completion of testing for review and remediation planning. The final report will be submitted within [TIMEFRAME] of this draft report.
Please review and confirm the scope and constraints defined for the network penetration testing. We can discuss any modifications to the scope based on your requirements.