Agreement forms - Beginners guide to hacking and penetration testing (2017)

Beginners guide to hacking and penetration testing (2017)

Agreement forms:

With any penetration test or assessment it is critical to have written authorization prior to beginning. This should outline the scope, goals, time, who authorized, start and end dates, etc. Included in this book are some sample templates.

For additional templates SANS offer's a number of free ones. resources/policies/general

Below is a sample authorization form that can be used for penetration testing. It is also important to note that when presenting your findings at the end of the penetration test it is important to remember that pointing blame at a user or users has no place. Penetration testing is not about "Got you" moments, rather they should be used as a teaching opportunity to help and secure the network and users

Authorization of penetration test issued by: Job title:

Authorizes to conduct security verification of the following system and applications:





Start date:

End date:

Days to exclude: Hours to exclude: IP rage to exclude:

Computer/system(s)/People to exclude: Scope of work:

Additional notes and request by customer:


The customer should have a full backup of the services and server that will be tested. These backups should be in an offsite state and verified before testing.

The customer should be aware that during any penetration test that there are risks involved. The penetration tester(s) will proceed with caution, however there is always a risk that files and systems can become corrupt during testing. The penetration tester(s) will not be liable for lost/stolen/or otherwise corrupted data that occurs during the penetration test.

What this scope of work is:

An audit to determine the safety of the network and employees.

To find potential issues that may lead to the compromise of the network that can result in data


To potentially increase the of the safety of the network and its employees.

A learning experience for the company and employees.

What this scope of work is not:

Jeff M at 6/10/2017 7:37 AM

This audit is not In any way to point blame at any individual(s).

Specific names of employees that "failed" (ie opened a phishing email) will not be disclosed.

This audit is not intended as a tool for firing or disciplining individual employees unless said employees are knowingly endangering the network and employees.

Client signature (by signing, I the client acknowledge and accept the above): Sign name:

Print name:


Penetration Test Report (Final report)

Investigator(s): Authorization from: Emergency contact number: Start Date:

End Date:

Exclusion times:

Exclusion dates:

Permission to record video during engagement: Permission to record audio during engagement: Additional exclusion notes:

Information obtained through search engines: Employee Details:

Login pages: Internet portals:

Technology platforms: Others:

Information through people search: Date of birth:

Contact details: Email ID: Photos: Others:

Information through Google:

Advisories and server vulnerabilities:

Error messages that contain sensitive information: Files containing sensitive information:

Files containing passwords:

Pages containing network or vulnerable data: Others:

Information obtained through social networking sites: Personal Profiles:

Work related information:

News and potential partners of the target company/person: Education and employment backgrounds:


Information obtained through website footprinting: Operating environment:

Filesystem structure: Scripting platform used: Contact details:

CMS details: Others:

Information obtained through email footprinting: IP address:

GPS Location:

Authentication system used by mail server: Others:

Information obtained through competitive intelligence: Financial details:

Project plans: Others:

Information obtained through WHOIS footprinting: Domain name details:

Contact details of domain owner: Domain name servers:


When a domain has been created: Others:

Information obtained through DNS footprinting:

Location of DNS server: Type of servers: Others:

Information obtained through network footprinting:

Range of IP addresses:

Subnet mask used by the targeted organization: OS' in use:

Firewall location: Firewall type: Others:

Information obtained through social engineering: Personal information:

Financial information: Operating environment:

User name(s) and password(s): Network layout information:

IP addresses and names of servers:

Final notes and recommendations:

Request by: Sensitivity level: Start Date:

End Date: Investigator: Report to: Issue:

First responder:

Involved party:

Chain of custody:


Physical evidence and handling: Additional findings:

Conclusion: Recommendation(s):