1. When working as a pen-tester, why is it important to stay within the pen-test scope?
- During a network pentest engagement, time is of the essence. A pentester has a fixed amount of time, typically two weeks, to evaluate an application. The key to meeting that deadline while delivering the highest quality test is proper scoping.
- In any penetration testing engagement, one of the most critical aspects is defining the scope: what networks, applications, databases, accounts, people, physical security controls and other assets are fair game for the penetration tester to attack.
- Getting the scope right is key to deriving maximum business value from the assessment; likewise, defining the wrong scope can severely limit the usefulness of the test.
- Deciding what scope is right for you should be part of the initial discussion with whoever will conduct the assessment and anyone who has a stake in the results.
- Testers want the test to have sufficient scope to tell you what you need to know about your controls and defences, while maximizing the value of your limited resources.
- Without careful scoping, it is difficult for the testers to give you a definitive answer. Even if the test covers all the required IP addresses, the pentester may be unable to test each one comprehensively in the time available.
- With a clear scope, you can be confident that you and the pentester are on the same page and that they will thoroughly test what is most important to you.
2. When working as a pen-tester you determine you have exceeded the scope of your agreement. What should you do next?
Ethically, you should always disclose your findings. Legally, you cannot go outside your scope. You may end up in a position where your report is not as thorough as you would like.
- It is appropriate to advise the customer immediately that you found a vulnerability but could not investigate it fully without exceeding your scope. Maybe your scope can be adjusted, even if it is only a single exception for this particular vulnerability. You should make it clear to your client that more information allows you to deliver a better assessment, but do so politely, since they may be unwilling to take any risk at all with a critical system. Some clients take time to decide on scope changes, so these issues should be communicated as soon as feasible.
- If you have an employer, they may have a policy for this. The situation is not unheard of, and you probably have a ready-made answer if you work for an established company.
- Whether your scope is expanded or not, you would normally address the vulnerability in your report to the extent that your data permits. If further investigation is not authorized, you should note that. If you can suggest any mitigations or fixes based on what you do know, you still do that. If not, you should explicitly state that no suggested mitigations or fixes are possible without further investigation.
3. Is it ok to perform a limited scope pen-test against your bank's servers?
Yes, it is ok to perform a limited scope pen-test against your bank's servers.
- Networks are often divided into segments, and the penetration testers have access only to those specific segments that contain servers or are accessible from the internet, so that the team can simulate a real-world attack.
- A pen test with limited access will not be able to reveal configuration issues and potential vulnerabilities across the bank's entire network, only within the segments in scope.
4. What is the purpose of using nmap during a pen-test?
If the target network is unknown and fairly large, you will need to focus your efforts on discovering live hosts, open ports, etc. One of the most popular and widely used network scanning tools is Nmap.
- Network Mapper (Nmap) is an open-source tool for scanning systems and networks for vulnerabilities. This freeware can also monitor host uptime and service uptime, and map the network's attack surface.
- It helps in identifying targets, live hosts, open ports, services (and their versions) running on these live hosts, possible vulnerabilities on these hosts (e.g. by running various NSE scripts), etc.
- When doing network penetration testing, knowing what ports are open and what services are running on the target network is very important, as it helps to focus your attack scenarios.
Using the nmap command for target specification, host discovery, scan techniques, etc.:
- nmap -sL [IP of target OS] for list scanning (lists targets and their reverse DNS names without sending probes to them)
- nmap -sn [IP of target OS] for a ping scan (host discovery only, no port scan)
- nmap -PE [IP of target OS] for host discovery with a true ping (ICMP echo request) packet
- nmap -Pn [IP of target OS] to skip host discovery, treat the target as up, and go straight to scanning its ports