Mastering Metasploit - Second Edition

By: Nipun Jaswal

Overview of this book

Metasploit is a popular penetration testing framework that has one of the largest exploit databases around. This book will show you exactly how to prepare yourself against the attacks you will face every day by simulating real-world possibilities. We start by reminding you about the basic functionalities of Metasploit and its use in the most traditional ways. You'll get to know the basics of programming Metasploit modules as a refresher, and then dive into carrying out exploitation as well as building and porting exploits of various kinds in Metasploit. In the next section, you'll develop the ability to perform testing on various services such as SCADA, databases, IoT, mobile, tablets, and many more. After this training, we jump into real-world sophisticated scenarios where performing penetration tests is a challenge. With real-life case studies, we take you on a journey through client-side attacks using Metasploit and various scripts built on the Metasploit framework. By the end of the book, you will be trained specifically on time-saving techniques using Metasploit.

Preinteractions


The very first phase of a penetration test, preinteractions, is a discussion held with the client about the critical factors regarding the conduct of a penetration test on the client's organization, company, institute, or network. This phase serves as the connecting line between the penetration tester and the client. Preinteractions help a client gain enough knowledge of what is about to be done on his or her network, domain, or server; therefore, the tester also serves here as an educator to the client. The penetration tester discusses the scope of the test, all the domains that will be tested, and any special requirements that will be needed while conducting the test on the client's behalf, such as special privileges, access to critical systems, and so on. The expected positive outcomes of the test should also be part of the discussion with the client in this phase. As a process, preinteractions cover the following key points:

  • Scope: This section discusses the scope of the project and estimates its size. Scope also defines what to include in the test and what to exclude from it. The tester also discusses the ranges and domains under the scope and the type of test (black box or white box) to be performed. For white box testing, which access options does the tester require? Questionnaires for administrators, the duration of the test, whether or not to include stress testing, and the payment terms and conditions are also included in the scope. A general scope document provides answers to the following questions:

    • What are the target organization's biggest security concerns?

    • What specific hosts, network address ranges, or applications should be tested?

    • What specific hosts, network address ranges, or applications should explicitly NOT be tested?

    • Are there any third parties that own systems or networks that are in the scope, and which systems do they own (written permission must have been obtained in advance by the target organization)?

    • Will the test be performed against a live production environment or a test environment?

    • Will the penetration test include the following testing techniques: ping sweep of network ranges, port scan of target hosts, vulnerability scan of targets, penetration of targets, application-level manipulation, client-side Java/ActiveX reverse engineering, physical penetration attempts, social engineering?

    • Will the penetration test include internal network testing? If so, how will access be obtained?

    • Are client/end-user systems included in the scope? If so, how many clients will be leveraged?

    • Is social engineering allowed? If so, how may it be used?

    • Are Denial of Service attacks allowed?

    • Are dangerous checks/exploits allowed?

  • Goals: This section discusses various primary and secondary goals that a penetration test is set to achieve. The common questions related to the goals are as follows:

    • What is the business requirement for this penetration test?

      • This is required by a regulatory audit or standard

      • Proactive internal decision to determine all weaknesses

    • What are the objectives?

      • Map out vulnerabilities

      • Demonstrate that the vulnerabilities exist

      • Test the incident response

      • Actual exploitation of a vulnerability in a network, system, or application

      • All of the above

  • Testing terms and definitions: This section discusses basic terminologies with the client and helps him or her understand the terms well.

  • Rules of engagement: This section defines the time of testing, timeline, permissions to attack, and regular meetings to update the status of the ongoing test. The common questions related to rules of engagement are as follows:

    • At what time do you want these tests to be performed?

      • During business hours

      • After business hours

      • Weekend hours

      • During a system maintenance window

    • Will this testing be done on a production environment?

    • If production environments should not be affected, does a similar environment (development and/or test systems) exist that can be used to conduct the penetration test?

    • Who is the technical point of contact?

For more information on preinteractions, refer to http://www.pentest-standard.org/index.php/File:Pre-engagement.png.
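An added example (not from the book) of how the scope answers above can be enforced mechanically before any host is touched: a small Python scope gate in which explicit exclusions always override inclusions, and a third-party-owned range is only usable once the client's written permission is recorded. The hosts, ranges and permission flag below are constructed values.

```python
# Added example (not from the book): a scope gate that applies the scope answers
# before any host is touched. All hosts, ranges and flags below are constructed.
import ipaddress


def _matches(target, entry):
    """True if target (an IP or hostname) falls under entry (IP, CIDR or hostname)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Hostname targets only match an identical hostname entry.
        return target.lower() == entry.lower()
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # entry is a hostname, so it cannot contain an IP


class Scope:
    def __init__(self, include, exclude=(), third_party_permission=None):
        self.include = list(include)
        self.exclude = list(exclude)
        # Third-party-owned ranges mapped to whether written permission is on file.
        self.third_party_permission = dict(third_party_permission or {})

    def check(self, target):
        """Return (allowed, reason). Exclusions always beat inclusions."""
        for entry in self.exclude:
            if _matches(target, entry):
                return False, f"explicitly excluded by {entry}"
        for entry, permitted in self.third_party_permission.items():
            if _matches(target, entry) and not permitted:
                return False, f"third-party range {entry} lacks written permission"
        for entry in self.include:
            if _matches(target, entry):
                return True, f"included by {entry}"
        return False, "not in any included range"

    def allowed_targets(self, candidates):
        """Filter a candidate list down to what the scope document permits."""
        return [t for t in candidates if self.check(t)[0]]


# Constructed scope: one /16 in scope, a server subnet and a gateway excluded,
# and a hosting-provider subnet inside the /16 with no written permission yet.
EXAMPLE_SCOPE = Scope(
    include=["10.10.0.0/16", "app.example.com"],
    exclude=["10.10.5.0/24", "10.10.0.1"],
    third_party_permission={"10.10.200.0/24": False},
)
```

Feeding a scanner's target list through `allowed_targets()` is a cheap way to make the written scope, rather than an operator's memory, decide what gets touched.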