Penetration Tester's Open Source Toolkit

In a penetration test, there are implied boundaries. Depending on the breadth and scope of your testing, you may be limited to testing a certain number or type of hosts, or you may be free to test anything owned or operated by your client. If you are given a list of targets, or subnets, then some of your work has been done for you. However, you still may want to see if there are any other targets within trusted subnets that your client may not know about. Regardless of this, you need to follow a process to make sure that:
You are only testing the approved targets.
You are getting as much information as possible before increasing the depth of your attack.
You can identify the purpose and type of your targets; in other words, what services they provide to your client.
You have specific information about the version and type of services that are running on your client's systems.
You can categorize your target systems by purpose and resource offering.
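The first goal in that list, testing only approved targets, is easy to drift from once enumeration turns up hosts on adjacent subnets. The following is an added example, not code from the book or its toolkit, of a scope check that every discovered host passes through before any further scanning. The approved ranges and the discovered hosts are constructed sample values drawn from the RFC 5737 documentation networks; a real engagement would load them from the signed scope document.

```python
import ipaddress

# Constructed sample scope, standing in for the ranges in an engagement letter.
APPROVED_SCOPE = [
    "192.0.2.0/24",     # a client subnet
    "198.51.100.10",    # a single approved host (treated as a /32)
]

# Constructed sample: hosts found during enumeration. One sits on a trusted but
# unapproved subnet, and one is a hostname that has not been resolved yet.
DISCOVERED_TARGETS = [
    "192.0.2.15",
    "192.0.2.200",
    "198.51.100.10",
    "203.0.113.7",
    "intranet.example",   # hypothetical hostname, not an address
]


def parse_scope(entries):
    """Turn CIDR strings or bare addresses into network objects.

    strict=False lets a bare address or an unaligned CIDR through; an entry
    that is not an address at all raises ValueError so a typo in the scope
    file fails loudly instead of silently shrinking the approved set.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def classify_target(target, networks):
    """Return 'approved', 'out_of_scope', or 'unresolved' for one target.

    Anything that does not parse as an IP address is 'unresolved': it must be
    resolved and re-checked, never assumed to be in scope.
    """
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return "unresolved"
    return "approved" if any(addr in net for net in networks) else "out_of_scope"


def partition_targets(targets, scope_entries):
    """Group discovered targets by scope status; only 'approved' gets scanned."""
    networks = parse_scope(scope_entries)
    groups = {"approved": [], "out_of_scope": [], "unresolved": []}
    for target in targets:
        groups[classify_target(target, networks)].append(target)
    return groups


if __name__ == "__main__":
    result = partition_targets(DISCOVERED_TARGETS, APPROVED_SCOPE)
    for status, hosts in result.items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
    # Hosts in out_of_scope go back to the client as a finding (they may not
    # know the subnet is trusted), not into the scanner.
```

The deny-by-default shape matters: an unparsable target and an address outside every approved network both fall outside the `approved` list, so a bug in the scope file or an unexpected hostname can only shrink what gets scanned, never widen it.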
Once you figure out what your targets are, and how many may or may not be vulnerable, as a pen tester you move on to your tool selection and exploitation methods. Poor enumeration and system scanning decrease the efficiency of your testing, and the extra, unneeded traffic increases your chances of detection. In addition, attacking one service with a method designed for another is inefficient, and may create an unwanted denial of service (DoS), which unless you...