When it comes to pentesting, we have to do a lot more than just test, of course. Documentation is a big part of the assignment, but what to document and what those documents should contain can differ slightly from company to company. We can still identify some general trends, which we will try to go deeper into in this article.
Before any talks can even take place, an NDA needs to be signed. This is important because it protects both parties from leaking internal company information and data: it is a guarantee that the other party will not publish anything that could compromise the business, such as databases or architecture documents.
Of course nobody in their right mind would do anything shady like this, even if it were legal. It would be frowned upon, and soon that company would not be able to get another job. You never know what an ex-employee with a grudge might try to do, though.
Test plans come in a variety of forms and are often tailor-made to the company doing the pentest. They have a specific format in mind which they use to guarantee a level of coverage. They use this document to convey their true intentions as well as their methods of testing. This document ensures every stakeholder is up to date on how the test will proceed and who will be responsible for what.
Make sure this document is readable by both a very technical stakeholder and one who is not. Your plan has to be easy to read so it can be discussed in a boardroom, where big budgets are often decided. This document contains an estimate and a price.
Often the test plan and contract are put in one document. The contract will specify things like payment terms, legal coverage and more. Often a price is included, and the test plan is used to justify the estimate.
When we engage our target, our customer will sometimes need to take down firewalls or be able to trace our steps in log files. To make our attack start and end points clear, we usually send over a short notice of engagement. This document contains a public section and a private section, so our customer can send a notice to their internal network without having to make something up.
Example:
This is a letter to inform any reader that a pen test will commence at 15:00 on feb 31st 2099, lasting 1 week with 8 working hours per day, every day of the week (7 days). The following person is to be contacted in case of any questions: Wesley Thijs - [email protected]
==================================
THE FOLLOWING PART IS NOT PUBLIC AND SHOULD NOT BE SHARED INTERNALLY AND EXTERNALLY
==================================
Attacking IPs:
127.0.0.1
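As an added example, not part of the original article, here is a small Python script the customer's side could run against the private section of such a notice. It takes the engagement window and attacking IPs (constructed values here, reusing 127.0.0.1 from the notice above plus the 203.0.113.0/24 documentation range) and sorts firewall log lines into traffic explained by the notice, traffic from the tester's IPs outside the agreed window, and everything else, which should still be handled as normal traffic. The log format and sample lines are constructed for the example and do not belong to any particular firewall product.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Values a customer would copy from the private section of the notice of
# engagement. These are constructed for the example: a window starting
# 2099-03-01 15:00 and lasting 7 days, and two source ranges (127.0.0.1 as
# in the notice above, plus the 203.0.113.0/24 documentation range).
ENGAGEMENT_START = datetime(2099, 3, 1, 15, 0)
ENGAGEMENT_END = ENGAGEMENT_START + timedelta(days=7)
ATTACKING_SOURCES = [ip_network("127.0.0.1/32"), ip_network("203.0.113.0/24")]

# Constructed firewall log format: ISO timestamp, source, destination, action.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) action=(?P<action>\w+)$"
)

# Constructed sample log lines covering each case the classifier handles.
SAMPLE_LOG = """\
2099-03-01T15:05:00 src=203.0.113.7 dst=10.0.0.5 action=deny
2099-03-01T15:06:00 src=198.51.100.9 dst=10.0.0.5 action=deny
2099-02-28T09:00:00 src=203.0.113.7 dst=10.0.0.5 action=allow
this line is not in the expected format
"""


def classify(line):
    """Label one log line.

    'pentest'     : from a listed attacking IP inside the engagement window
    'tester_late' : from a listed attacking IP but outside the window;
                    the customer should query this with the tester
    'other'       : any other source; treat as normal, possibly hostile, traffic
    'unparsed'    : line did not match the expected format
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return "unparsed"
    ts = datetime.fromisoformat(m.group("ts"))
    src = ip_address(m.group("src"))
    from_tester = any(src in net for net in ATTACKING_SOURCES)
    in_window = ENGAGEMENT_START <= ts < ENGAGEMENT_END
    if from_tester and in_window:
        return "pentest"
    if from_tester:
        return "tester_late"
    return "other"


def triage(lines):
    """Count each label and collect the lines that still need human attention."""
    counts = {"pentest": 0, "tester_late": 0, "other": 0, "unparsed": 0}
    needs_review = []
    for line in lines:
        if not line.strip():
            continue
        label = classify(line)
        counts[label] += 1
        # Only traffic that is explained by the notice can be set aside;
        # everything else goes through the usual review process.
        if label != "pentest":
            needs_review.append((label, line.strip()))
    return {"counts": counts, "needs_review": needs_review}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(result["counts"])
    for label, line in result["needs_review"]:
        print(f"{label:12s} {line}")
```

The point of the separate `tester_late` label is that a listed attacking IP is only "expected" inside the agreed window; activity from the same address before 15:00 on the start date, or after the week is over, is exactly what the notice lets the customer notice and query rather than silently write off.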