Question

1. When working as a pen-tester, why is it important to stay within the pen-test scope?

2. When working as a pen-tester you determine you have exceeded the scope of your agreement. What should you do next?

3. Is it ok to perform a limited scope pen-test against your bank's servers? (You are an account holder at the bank). Why/Why not and explain your answer.

4. What is the purpose of using nmap during a pen-test?

Answer 1

1. When working as a pen-tester, why is it important to stay within the pen-test scope?

1. During a network pentest engagement, time is of the essence. A pentester has a fixed amount of time, typically two weeks, to evaluate an application. The key to meeting that deadline while delivering the highest quality test is proper scoping.
2. In any penetration testing engagement, one of the most critical aspects is defining the scope: what networks, applications, databases, accounts, people, physical security controls and other assets are fair game for the penetration tester to attack.
3. Getting the scope right is key to deriving maximum business value from the assessment; likewise, defining the wrong scope can severely limit the usefulness of the test.
4. Deciding what scope is right for you should be part of the initial discussion with whoever will conduct the assessment and anyone who has a stake in the results.
5. Testers want the test to have sufficient scope to tell you what you need to know about your controls and defences, while maximizing the value of your limited resources.
6. Without careful scoping, it’s difficult for them to give you a definitive answer. Even if the test covers all the required IP addresses, the pentester may be unable to test each one comprehensively.
7. With a clear scope, a tester can be confident that you’re on the same page with the pentester and that they will thoroughly test what’s most important to you.

2. When working as a pen-tester you determine you have exceeded the scope of your agreement. What should you do next?

Ethically, you should always disclose your findings. Legally, you cannot go outside your scope. You may end up in a position where your report is not as thorough as you would like.

1. It is appropriate to advise the customer immediately that you found a vulnerability but could not investigate it fully without exceeding your scope. Maybe your scope can be adjusted, even if it's only a singular exception for this particular vulnerability. You should make it clear to your client that more information allows you to deliver a better assessment---but do so politely since they may be unwilling to consider taking any risks at all with a critical system. Some clients take time to decide on scope changes, so these issues should be communicated as soon as feasible.
2. If you have an employer, they may have a policy. This situation is not unheard of, and you probably have a ready-made answer if you work for an established company.
3. Whether your scope is expanded or not, you would normally address the vulnerability in your report to the extent that your data permits. If further investigation is not authorized, you should note that. If you can suggest any mitigations/fixes based on what you do know, you still do that. If not, you should explicitly state that no suggested mitigations or fixes are possible without further investigation.

3. Is it ok to perform a limited scope pen-test against your bank's servers?

Yes, it is ok to perform a limited scope pen-test against your bank's servers.

• Networks are often divided into segments and the penetration testing has access to only those specific segments that have servers or are accessible from the internet so that the team can simulate a real-work attack.
• Pen test with limited access will not be able to reveal configuration issues and potential vulnerabilities on its entire network.

4. What is the purpose of using nmap during a pen-test?

If the target network is unknown and fairly large  you will need to focus your efforts  in discovering live hosts, open ports etc.One of  the most popular and widely used network scanning tool is NMAP.

1. Network mapper (Nmap) is an open-source tool  for vulnerability scanning of systems and networks. This freeware can also monitor host uptime,  service uptime and map network attacks.
2. It Helps in identifying targets, live hosts, open ports,  services (and their version) running on these live hosts, possible vulnerabilities on these hosts (e.g by running various NSE scripts) etc.
3. When doing network penetration testing, knowing what ports are open and what services are running on the target network is very important as it helps to focus your attack scenarios.

Using Nmap command for target specifications, host discovery, scans techniques and etc:

Using Nmap –sL [IP of target OS] for list scanning:

Using Nmap -sn [IP of target OS] for ping scan:

Using Nmap –PE [IP of target OS] for true ping (ICMP echo request) packet:

Using Nmap –Pn [IP of target OS] for scan selected ports: