Pentest operation rules

  • Don't use your private computer for any activity with company or customer data!
  • Prepare the pentest.
    • At the beginning of the week, check if you have everything for the next week's project.
    • Send a reminder to the customer if not.
  • Work together as a team.
    • Exchange ideas with your colleagues at least once a day during the test by calling each other directly.
    • Create a Signal group with disappearing messages (matching the duration of the testing time frame, e.g. 1 week) at the start of the test. Use this group for ongoing communication and for sharing test-related information.
    • Be available for your colleagues (via Signal, Signal Desktop, and NextCloud).
    • Clarify who is responsible for testing and reporting what, so everyone knows their tasks at all times.
  • Take notes in SysReptor.
    • This allows collaboration with other pentesters.
    • Notes will be archived automatically.
  • Store all files relevant for a pentest in one dedicated directory.
    • If you store files elsewhere, remove customer- and project-related information.
    • Use Windows Storage Sense to auto-delete projects three months after last access.
  • Save Burp projects on disk; don't use temporary projects.
    • Burp states might serve as evidence.
    • You will probably need the state for retests.
    • If possible, use repeater tabs to document attacks to be able to reproduce them.
  • Use the Chromium Browser integrated with Burp.
    • You can install the BitWarden extension there to have your passwords available.
    • Use multiple user profiles (e.g., for testing authorizations of multiple users).
  • If you need to use Chrome, here's the command to launch it from PowerShell:
    & "C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="http://127.0.0.1:8080" --ignore-certificate-errors
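The one-line command above works for a single session. For the multiple-user-profile testing mentioned under the Chromium item, the following PowerShell function is an added example (not part of the original rules) that launches Chrome through the local Burp listener with a separate, isolated profile directory per test identity. It assumes Burp listens on 127.0.0.1:8080 and Chrome sits at the default install path quoted above; the project directory and profile names are placeholders you choose.

```powershell
# Added example, not part of the original rules page.
# Launches Chrome through the local Burp proxy with one user-data directory per
# test identity so cookies and sessions of different users stay isolated.
# Assumptions: Burp listens on 127.0.0.1:8080, Chrome is at the default path,
# and profiles are stored below the dedicated project directory (-ProjectDir,
# a placeholder you set yourself).
function Start-BurpChrome {
    [CmdletBinding()]
    param(
        # Name of the test identity, e.g. "user-a" or "admin"; one directory per name
        [Parameter(Mandatory)] [string] $ProfileName,
        # Dedicated project directory (see the "one dedicated directory" rule)
        [Parameter(Mandatory)] [string] $ProjectDir,
        [string] $ProxyAddress = '127.0.0.1:8080',
        [string] $ChromePath = 'C:\Program Files\Google\Chrome\Application\chrome.exe',
        # Use -ProxyLoopback when the target itself runs on localhost;
        # Chrome otherwise bypasses the proxy for loopback addresses
        [switch] $ProxyLoopback
    )

    if (-not (Test-Path -LiteralPath $ChromePath)) {
        throw "Chrome not found at $ChromePath"
    }

    # Separate profile directory per identity, kept inside the project directory
    # so it is archived and auto-deleted together with the rest of the project
    $profileDir = Join-Path $ProjectDir ("chrome-profiles\" + $ProfileName)
    New-Item -ItemType Directory -Path $profileDir -Force | Out-Null

    $chromeArgs = @(
        "--user-data-dir=`"$profileDir`"",
        "--proxy-server=`"http://$ProxyAddress`"",
        # Burp's CA is not trusted by a fresh profile; same flag as in the rules
        '--ignore-certificate-errors',
        # Skip first-run dialogs for the fresh profile
        '--no-first-run',
        '--no-default-browser-check'
    )
    if ($ProxyLoopback) {
        $chromeArgs += '--proxy-bypass-list="<-loopback>"'
    }

    Start-Process -FilePath $ChromePath -ArgumentList $chromeArgs
}

# Usage: two isolated identities for comparing authorization behaviour
# (project path is a placeholder)
# Start-BurpChrome -ProfileName 'user-a' -ProjectDir 'D:\pentests\EXAMPLE-PROJECT'
# Start-BurpChrome -ProfileName 'user-b' -ProjectDir 'D:\pentests\EXAMPLE-PROJECT'
```

Each identity gets its own window with its own cookie jar, so requests from both users show up in the same Burp project (keeping with the "save Burp projects on disk" rule) while their sessions never mix.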
  • Use a VPN exit node with static IP address 91.99.251.12 (if applicable, e.g., if public web application).
    • This allows the customer to identify your activities.
  • Disable email notifications.
    • Don't be distracted by email notifications and envelope symbols in app icons.
    • You may use Signal to keep in touch with your colleagues.
  • Answer customer mails within 24 hours.
    • No real-time communication is needed for emails.
    • Still, check your mails twice a day and respond to urgent topics or those that take long to prepare (like infrastructure/user setup for pentest preparation).
    • If your response will take longer than 24 hours, write back that you will contact them later.
  • Write efficiently, e.g.:
    • If someone asks for a meeting, instead of answering "yes", propose three time slots.
  • Customers should have the phone number of at least one pentester.
    • Sending an email including your email signature is sufficient.
    • Be reachable during pentests for emergency cases.
  • We try to present intermediate results to the customers during the pentest.
    • This allows both us and the customer to gain knowledge, and it demonstrates that we already have insight into the application and have done actual testing.
  • We also do debriefing calls if customers ask for them.
  • We never decline customers' requests for presentation meetings. This is our chance to demonstrate the value of our work.