Attack and Penetration Test Plan
Part 1: Table of Contents
3. Goals and Objectives
7. Unanswered Questions
8. Authorization Letter
Part 2: Scope
Production e-commerce Web application server and Cisco network. Located on ASA_Instructor, the e-commerce web application server is acting as an external point-of-entry into the network:
• Ubuntu Linux 10.04 LTS Server (TargerUbuntu01)
• Apache Web Server running the e-commerce Web application server
• Credit Card transaction processing occurs
The test will be intrusive, meaning specific security points will be passed.
Part 3: Goals and Objectives
• If the security software is up to speed and penetration is not possible, a positive result will be given. If the security software is not what it should be, penetration will be easy, and the results will be explained to you in a separate report.
Part 4: Tasks
• Determine website size
• Determine code of the website
Part 5: Reporting
• Upon completion of the penetration test, all results found will be in a separate report written by the person who is performing the test.
Part 6: Schedule
Phase One: Information Collection (2 days)
1. Client authorization letter
2. Further client information
3. Get IT infrastructure
Phase Two: Test Plan Development (3 days)
1. Determine scope
2. Use IT infrastructure to gain further knowledge about what is to be penetrated
3. List things to be penetrated and things that are off limits
Phase Three: Conduct Test and Report Deliverable (Saturday 2-6 AM & Sunday 2-6 AM (if needed))
Part 7: Unanswered Questions
• What code is the website written in?
• What security software is used?
• What parts of the server are not to be accessed?
• Are all of the files stored on outside storage?
• Are the employees going to be notified of the penetration testing that is going to occur on the weekend between 2-6 AM?
• Will a list of usernames and...