Pre-Engagement

Proper pre-engagement sets the foundation for a successful internal penetration test. This phase covers scoping, authorization, network architecture review, and establishing rules of engagement.

Danger

Never begin testing without signed authorization documents from someone who actually has authority over the systems in scope. In the United States, unauthorized access to computer systems is a federal crime under the Computer Fraud and Abuse Act (CFAA); most other jurisdictions have equivalent statutes. Authorization from the client does not cover systems they do not own, so cloud-hosted and third-party-managed assets need the provider's testing policy checked (and, where required, their approval) before they go into scope.

Scoping Considerations

Network Scope Definition

| Scope Element | Questions to Ask |
| --- | --- |
| IP Ranges | Which subnets are in scope? Any exclusions? |
| Domains | Which AD domains/forests are included? |
| Systems | Production vs. test? Critical systems excluded? |
| Cloud | Azure AD (now Entra ID), AWS, GCP resources in scope? |
| Accounts | Test accounts provided or start from zero? |

Test Types

Black Box (no prior knowledge)
  • No credentials
  • No network diagrams
  • Simulates an external attacker who has obtained network access

Gray Box (limited knowledge)
  • Standard user account
  • Basic network info
  • Simulates an insider threat

White Box (full knowledge)
  • Admin credentials available
  • Full documentation
  • Maximum coverage

Authorization Documents

Required Documentation

1. Statement of Work (SOW)

  • Detailed scope and objectives
  • Timeline and milestones
  • Deliverables and report format
  • Pricing and payment terms

2. Rules of Engagement (ROE)

  • Authorized testing hours
  • Allowed attack techniques
  • Escalation procedures
  • Communication protocols

3. Authorization Letter

  • Signed by an authorized executive
  • Explicit permission to test
  • Tester indemnification
  • Emergency contacts

Sample Authorization Template

PENETRATION TEST AUTHORIZATION

Organization: [Company Name]

Test Period: [Start Date] to [End Date]

Test Type: Internal Network Penetration Test

SCOPE
  • IP Ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • Domains: corp.company.com, dev.company.com
  • Excluded: 10.0.1.0/24 (Production Database Servers)
AUTHORIZED ACTIVITIES
  • Network scanning and enumeration
  • Vulnerability scanning
  • Password attacks (spraying, cracking)
  • Exploitation of discovered vulnerabilities
  • Privilege escalation attempts
  • Lateral movement
  • Data exfiltration (simulated)
PROHIBITED ACTIVITIES
  • Denial of Service attacks
  • Physical security testing
  • Social engineering (without separate approval)
  • Modification of production data
EMERGENCY CONTACTS
  • Primary: [Name] - [Phone] - [Email]
  • Secondary: [Name] - [Phone] - [Email]
  • SOC: [Phone] - [Email]

Authorization Signature: _____________________

Name: [Authorizing Executive]

Title: [CTO/CISO/VP IT]

Date: _______________
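The scope and exclusion lines in the letter are only useful if they are enforced before every scan. The following scope guard is an added example (not part of the original page or of any tool it names) that parses authorized ranges and exclusions in the same CIDR form the template uses, refuses any target that falls outside them or straddles an exclusion, and writes the survivors to a file suitable for `nmap -iL`. The ranges are copied from the sample template above; the target list is constructed for illustration.

```python
"""Scope guard for an internal pentest: filter targets against the
authorized IP ranges and exclusions from the authorization letter.

Added example, not part of the original page. The IN_SCOPE / EXCLUDED
values mirror the sample authorization template; replace them with the
ranges from the signed letter for a real engagement."""
import ipaddress

# Authorized ranges and carve-outs, as written in the sample letter.
IN_SCOPE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
EXCLUDED = ["10.0.1.0/24"]  # Production database servers


def _nets(cidrs):
    """Parse CIDR strings into ip_network objects (host bits tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_in_scope(host, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """True only if host lies inside an authorized range and not inside an
    exclusion. Exclusions are checked first so a carve-out inside a /8 wins."""
    addr = ipaddress.ip_address(host)
    if any(addr in n for n in _nets(excluded) if n.version == addr.version):
        return False
    return any(addr in n for n in _nets(in_scope) if n.version == addr.version)


def partition_targets(targets, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Split a list of IPs / CIDRs into (allowed, refused).

    A CIDR is allowed only if it is wholly inside one authorized range and
    touches no exclusion; a block that straddles an exclusion is refused
    whole rather than silently trimmed, so the operator has to fix the list."""
    incl, excl = _nets(in_scope), _nets(excluded)
    allowed, refused = [], []
    for t in targets:
        net = ipaddress.ip_network(t, strict=False)
        covered = any(net.subnet_of(n) for n in incl if n.version == net.version)
        hits_excl = any(net.overlaps(e) for e in excl if e.version == net.version)
        (allowed if covered and not hits_excl else refused).append(t)
    return allowed, refused


def write_nmap_targets(targets, path="targets.txt"):
    """Write only in-scope targets to an nmap -iL file.

    Raises ValueError if anything was refused: an out-of-scope host must be
    consciously removed from the list, never scanned around."""
    allowed, refused = partition_targets(targets)
    if refused:
        raise ValueError(f"out-of-scope targets refused: {refused}")
    with open(path, "w") as fh:
        fh.write("\n".join(allowed) + "\n")
    return allowed


if __name__ == "__main__":
    # Constructed sample: an in-scope host, a host in the excluded DB subnet,
    # a /23 that straddles the exclusion, an in-scope /24, and a public IP.
    sample = ["10.10.5.20", "10.0.1.15", "10.0.0.0/23", "192.168.50.0/24", "8.8.8.8"]
    ok, bad = partition_targets(sample)
    print("allowed:", ok)   # ['10.10.5.20', '192.168.50.0/24']
    print("refused:", bad)  # ['10.0.1.15', '10.0.0.0/23', '8.8.8.8']
```

Run the guard over every target list before it reaches nmap, masscan or CrackMapExec; the hard failure on refused targets is deliberate, since a scan that quietly drops hosts is easy to mistake for a clean run.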

Network Architecture Review

Information

Request network documentation up front to plan your attack paths and identify high-value targets. Treat it as a starting point rather than ground truth: diagrams and asset inventories are often stale, so confirm them with your own enumeration once testing begins.

Information to Gather

Network Topology

  • Network diagrams
  • VLAN segmentation
  • Firewall rules (internal)
  • VPN configurations
  • DMZ architecture

Active Directory

  • Domain/forest structure
  • Trust relationships
  • Domain controller locations
  • GPO overview
  • Service accounts

Critical Assets

  • Database servers
  • File servers
  • Email servers
  • Backup systems
  • Crown jewels

Security Controls

  • EDR/AV solutions
  • SIEM deployment
  • NAC implementation
  • MFA coverage
  • PAM solutions

Test Environment Setup

Attacker Machine Checklist

setup-attacker.sh
bash
# Kali Linux / Parrot OS setup
sudo apt update && sudo apt upgrade -y

# Essential tools from the distro repositories.
# ntlmrelayx is shipped by impacket-scripts (as impacket-ntlmrelayx) and
# ldapsearch by ldap-utils, so neither is a package of its own.
sudo apt install -y nmap masscan crackmapexec impacket-scripts \
  bloodhound neo4j responder mitm6 hashcat john \
  smbclient enum4linux-ng ldap-utils pipx

# pipx keeps each Python tool in its own venv; recent Kali rejects a bare
# "pip install" into the system interpreter. ensurepath adds ~/.local/bin
# to PATH for new shells.
pipx ensurepath

# Impacket (latest from source). Each install runs in a subshell so the
# cd does not leak into the next step.
git clone https://github.com/fortra/impacket
(cd impacket && pipx install .)

# BloodHound.py collector (provides the bloodhound-python command)
pipx install bloodhound

# BloodHound GUI (latest)
# Download from: https://github.com/BloodHoundAD/BloodHound/releases

# PowerShell Empire
git clone https://github.com/BC-SECURITY/Empire
(cd Empire && ./setup/install.sh)

# Verify tools are on PATH; which exits non-zero if any is missing
which nmap crackmapexec impacket-secretsdump impacket-ntlmrelayx bloodhound-python

Network Access Requirements

| Access Method | Pros | Cons |
| --- | --- | --- |
| On-site | Direct access, no latency, physical testing possible | Travel required, limited flexibility |
| VPN | Remote access, convenient | Limits layer-2 attacks (LLMNR/NBT-NS and DHCPv6 poisoning with Responder or mitm6 need a foothold on the target broadcast domain), network dependency |
| Jump Box | Controlled access point, audit trail | Limited toolset, performance constraints |
| Drop Box | Persistent access, simulates an insider | Physical deployment needed, detection risk |

Communication Plan

1. Daily standup with the client at the start of each testing day.
2. Any critical finding triggers an immediate notification; testing on that path pauses until the client acknowledges it.
3. Everything else goes into the daily report.
4. Testing continues, repeating from step 1, until the engagement is complete.
5. Final debrief.

Escalation Matrix

| Severity | Example | Response Time | Contact |
| --- | --- | --- | --- |
| Critical | Domain Admin compromise, active breach indicators (evidence of a real intruder) | Immediate (phone) | CISO + SOC |
| High | Unpatched critical CVEs, credential exposure | 4 hours | Primary contact |
| Medium | Misconfigurations, weak passwords | Daily report | Email |
| Low | Informational findings | Final report | N/A |

Pre-Engagement Checklist