TuX^ Posted February 15, 2012
Hi guys, I was wanting to carry out a penetration test at work and just wanted to know the process of going about it. Specifically:
Do I need to have any certification?
Who do I need to contact to get permission?
How do I find out about local laws about such actions?
etc etc. Can anybody help me with this? I must stress that I have not started doing anything other than a little research into the processes of a pen-test. I want to equip myself with as much knowledge as possible and get permission before I try and do anything.
Thanks,
TuX^

digininja Posted February 15, 2012
Get permission in writing from as high up in the company as possible. Just because your boss says it is OK over lunch, get it written down, and preferably by his boss or his boss's boss, just in case. As for certs, you don't need anything here in the UK. Your company looks like it is a pretty tech-based one, so they would hopefully welcome it. I would however suggest that before you do anything on a real network you practise it and learn all about it in a lab environment first; it is very easy to go wrong somewhere and accidentally take out a network or machine.

TuX^ (Author) Posted February 15, 2012
Yeah, I know you have to get written permission for it. With regard to laws in the UK about it, is there anything I should be aware of? This may seem like a daft question, but how do you know that my company is tech-based? ...
TuX^

digininja Posted February 15, 2012
There are no specific UK laws beyond the Computer Misuse Act and data protection laws, which you won't be coming near if you are on networks you have permission for. And you are posting messages from your work IP. A whois on the IP shows a company name; google that name and you get a website.

TuX^ (Author) Posted February 15, 2012
Excellent, cheers. How had I not worked that out? ;)
TuX^

flyingpoptartcat Posted February 15, 2012
Good processes to follow: http://www.fieldsassociates.co.uk/media/images/diagram_steps.gif

digininja Posted February 16, 2012
Or if you want an even more in-depth look at PTES: http://www.pentest-standard.org/index.php/Main_Page
We did a talk on it at Derbycon as well, explaining the reasons behind it and what it hoped to achieve.

Tarbizkit Posted February 26, 2012
You should also scope out exactly what you are going to be testing and the times that you will be testing, and if exploitation is authorized. As a side note and best practice, you will want to write down everything that you do and take as many screenshots as possible when performing the test. <---- extremely important. By having an extremely detailed set of notes, you can save loads of time, and have all your evidence ready when you are starting your final report.

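A scope-and-window check of the kind digininja and Tarbizkit describe (written authorisation from someone senior, defined targets, agreed test times, and whether exploitation is allowed), together with a timestamped evidence log, as an added example that is not from this thread or from PTES. The RulesOfEngagement and EvidenceLog classes, the run_checked helper and every value in the placeholder engagement (ranges, times, signatory) are constructed for illustration.

```python
"""Keep a test inside its written authorisation and keep notes as you go.

Added example, not from the thread. The RulesOfEngagement values at the
bottom are constructed placeholders for an imaginary engagement.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
from typing import List, Tuple


@dataclass
class RulesOfEngagement:
    authorised_by: str          # name of the signatory, as senior as possible
    in_scope: List[str]         # CIDR ranges the signed document lists
    excluded: List[str]         # ranges carved out of in_scope (e.g. a production DB)
    window_start: datetime      # agreed test window, timezone-aware datetimes
    window_end: datetime
    exploitation_allowed: bool  # scanning only unless this is explicitly true

    def __post_init__(self) -> None:
        self._in = [ipaddress.ip_network(n) for n in self.in_scope]
        self._ex = [ipaddress.ip_network(n) for n in self.excluded]

    def check(self, host: str, when: datetime, action: str) -> Tuple[bool, str]:
        """Return (allowed, reason). Exclusions win over inclusions, and a
        host that is in scope is still refused outside the agreed window."""
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in self._ex):
            return False, "host excluded from scope"
        if not any(addr in net for net in self._in):
            return False, "host not in scope"
        if not (self.window_start <= when <= self.window_end):
            return False, "outside test window"
        if action == "exploit" and not self.exploitation_allowed:
            return False, "exploitation not authorised"
        return True, "ok"


class EvidenceLog:
    """Timestamped notes so the final report is written from evidence, not memory."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def record(self, when: datetime, host: str, action: str, outcome: str) -> dict:
        entry = {"time": when.isoformat(), "host": host,
                 "action": action, "outcome": outcome}
        self.entries.append(entry)
        return entry


def run_checked(roe: RulesOfEngagement, log: EvidenceLog,
                host: str, when: datetime, action: str) -> Tuple[bool, str]:
    """Consult the ROE before acting and log the decision either way."""
    allowed, reason = roe.check(host, when, action)
    log.record(when, host, action, "allowed" if allowed else "refused: " + reason)
    return allowed, reason


# Constructed placeholder engagement (not a real network or signatory).
ROE = RulesOfEngagement(
    authorised_by="placeholder: IT Director",
    in_scope=["10.10.0.0/16"],
    excluded=["10.10.5.0/24"],
    window_start=datetime(2012, 2, 27, 18, 0, tzinfo=timezone.utc),
    window_end=datetime(2012, 2, 28, 6, 0, tzinfo=timezone.utc),
    exploitation_allowed=False,
)
T_IN_WINDOW = datetime(2012, 2, 27, 22, 0, tzinfo=timezone.utc)  # inside the window
T_OUTSIDE = datetime(2012, 2, 27, 12, 0, tzinfo=timezone.utc)    # before it opens

if __name__ == "__main__":
    log = EvidenceLog()
    for host, action in [("10.10.1.5", "scan"), ("10.10.5.9", "scan"),
                         ("10.10.1.5", "exploit")]:
        print(host, action, run_checked(ROE, log, host, T_IN_WINDOW, action))
    for entry in log.entries:
        print(entry)
```

The point of routing every action through run_checked is that a refusal is recorded alongside the allowed actions, so the notes show not only what was done but what was deliberately not done and why, which is exactly what the final report and any later dispute about scope need.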
digip Posted February 26, 2012
> Or if you want even more in depth look at PTES http://www.pentest-standard.org/index.php/Main_Page We did a talk on it at Derbycon as well explaining the reasons behind it and what it hoped to achieve.
Was going to recommend PTES but you beat me to it.

telot Posted February 26, 2012
> Was going to recommend PTES but you beat me to it.
Link to the video: http://www.irongeek.com/i.php?page=videos/derbycon1/the-penetration-testing-execution-standard-ptes-panel
God I love irongeek for posting all the hackercon videos... we need to get his ass in these forums. If you know him digininja, send him a note saying:
1. To quit getting hacked ;)
2. To get in on hak5 forums - he may already be his own media mogul, but he should join this crew too!
telot

digip Posted February 26, 2012
> Link to the video: http://www.irongeek.com/i.php?page=videos/derbycon1/the-penetration-testing-execution-standard-ptes-panel God I love irongeek for posting all the hackercon videos... we need to get his ass in these forums. If you know him digininja, send him a note saying 1. To quit getting hacked ;) 2. To get in on hak5 forums - he may already be his own media mogul, but he should join this crew too! telot
Not sure how long you've been following Hak5, but he's been on the forums since the beginning of the show and been on the show a number of times. He's good friends with Darren and the crew.

telot Posted February 26, 2012
> Not sure how long you been following Hak5, but hes been on the forums since the beginning of the show and been on the show a number of times. Hes good friends with Darren and the crew.
http://forums.hak5.org/index.php?showuser=4191
Last active :(
telot

digip Posted February 27, 2012
> http://forums.hak5.org/index.php?showuser=4191 Last active :( telot
Easiest way to speak with Adrian these days is Twitter. If you really need to ask him a question, ping him @irongeek_adc.

digininja Posted February 27, 2012
Or go to DerbyCon