Monday, October 29, 2012

Pre-Engagement

Since we're talking about penetration testing and not hacking, we need to first have a conversation with our client (target) to find out what they want from the test.  Given that we're the good guys we should only be doing this type of testing after we have a customer requesting a test of their systems.

Like most things, there are different levels of a penetration test.  It could be as simple as testing a specific set of IP addresses, a single physical location, or even just one web application.  Or the testing could be as complex as performing a full simulation of an attack and doing exactly what a real attacker would do.

The complexity will also be guided by how much information the client gives us.  If this is a smaller assessment they may give us all the information we need: usernames/passwords, IP addresses, etc.  This would be known as a "white box" test.  On the other end of the spectrum there is what's known as a "black box" test.  In this scenario little to no information is given, and we must gather all the information ourselves.  The client may also choose to limit the number of internal people who know about the test.  This gives the added advantage of testing their response mechanisms.

Regardless of the complexity of the test, you should require a written and signed document granting permission to perform these tests.  Since some of our actions can border on illegal activities, it is extremely important to have written permission from your customer up front, before beginning any work.

To learn more about pre-engagement activities please see the Penetration Testing Execution Standard.
