Exercises: Penetration Testing Methodology and Standards

Exercise 38.1: Methodology Comparison Matrix

Create a detailed comparison matrix of PTES, OSSTMM, and the OWASP Testing Guide. For each methodology, document:

  • Number and names of phases/sections
  • Primary focus area (network, application, comprehensive)
  • Whether it defines engagement lifecycle (scoping, reporting)
  • Whether it provides quantitative metrics
  • Last major update date
  • Licensing and availability

Then write a one-page recommendation for which methodology (or combination) you would use for: (a) an external network pentest, (b) a web application assessment, and (c) a full-scope assessment including physical and social engineering.

Exercise 38.2: Scoping a MedSecure Engagement

Using the MedSecure Health Systems scenario from this chapter, draft a complete scoping document for a penetration testing engagement. Include:

  1. Business context and testing objectives
  2. In-scope targets (be specific with IP ranges, domains, applications)
  3. Out-of-scope targets (with justification)
  4. Engagement type (black/gray/white box) and rationale
  5. Effort estimation (person-days) with breakdown by phase
  6. Testing schedule and milestones
  7. Required client provisions (VPN, credentials, contacts)
  8. Deliverables and delivery timeline

Your scoping document should be 2-3 pages and suitable for client review.

Exercise 38.3: Rules of Engagement Drafting

Draft a complete Rules of Engagement document for a penetration test of ShopStack's e-commerce platform. ShopStack's environment includes:

  • React frontend at shopstack.example.com
  • Node.js API at api.shopstack.example.com
  • Admin panel at admin.shopstack.example.com
  • AWS infrastructure (S3, Lambda, ECS)
  • PostgreSQL and Redis databases
  • Stripe payment integration (do NOT test Stripe's infrastructure)

Your RoE must include all six sections described in Section 38.3.1: Authorization, Scope Definition, Testing Parameters, Communication, Emergency Procedures, and Data Handling. Make realistic assumptions for contact information and testing windows.

Exercise 38.4: OSSTMM rav Calculation

Using the OSSTMM rav formula, calculate the Risk Assessment Value for the following scenario:

A small office network has:

  • 3 access points (porosity)
  • 5 security controls: firewall, antivirus, WPA2 encryption, access control list, IDS
  • 2 known limitations: unpatched web server, default credentials on printer
  • 4 attack surface elements: public web server, Wi-Fi network, VPN endpoint, email server

Calculate the rav and interpret the result. Then describe what changes would bring the rav above 100 (above par).

Exercise 38.5: Engagement Directory Setup

Set up a complete engagement directory structure for a fictional penetration test. Using your file system (or document it in markdown), create the directory structure shown in Section 38.4.1, including:

  • Separate directories for each testing phase
  • Evidence and screenshot subdirectories
  • A findings directory with a template for individual findings
  • A report directory with draft version tracking

Then create a sample finding file (finding-001.md) using the template format from Chapter 39, documenting a vulnerability you found in your home lab.

Exercise 38.6: PCI DSS Scope Analysis

MedSecure processes credit card payments through a dedicated payment terminal (10.10.30.10) connected to a payment processing server (10.10.30.20) in a separate VLAN (10.10.30.0/24). The following systems also exist:

  • Corporate LAN: 10.10.10.0/24
  • Server VLAN: 10.10.20.0/24
  • Medical Device Network: 10.10.50.0/24
  • Guest Wi-Fi: 10.10.100.0/24
  • Management VLAN: 10.10.200.0/24

Determine which systems and networks are in PCI DSS scope. For each network segment, explain whether it is in scope, out of scope, or "connected-to" scope, and what segmentation testing would be required.

Exercise 38.7: Phase Gate Review

You are halfway through a 10-day penetration testing engagement. You have completed reconnaissance and enumeration. Create a phase gate review document that includes:

  1. Summary of work completed in each phase
  2. Targets discovered and enumerated
  3. Preliminary vulnerability findings (list at least 5)
  4. Coverage assessment: percentage of in-scope targets tested
  5. Issues or blockers encountered
  6. Plan for the remaining phases
  7. Any scope questions or change requests

Exercise 38.8: Testing Quality Checklist

Create a daily quality assurance checklist that a penetration tester should complete at the end of each testing day. Include at least 15 items covering:

  • Evidence and documentation quality
  • Scope compliance verification
  • Finding completeness
  • Tool and environment status
  • Communication requirements
  • Time management

Format this as a reusable template that could be printed and used on actual engagements.

Exercise 38.9: PCI DSS 4.0 Pentest Requirements

Research PCI DSS version 4.0 Requirement 11.4 and its sub-requirements. For each sub-requirement, write a brief explanation of:

  1. What the requirement mandates
  2. How a penetration tester would satisfy it
  3. What evidence the tester should produce for the QSA
  4. Common ways organizations fail this requirement

Present your findings in a table format suitable for use as a quick-reference card.

Exercise 38.10: CREST Exam Preparation Plan

You are preparing for the CREST Registered Penetration Tester (CRT) exam. Research the exam syllabus and create a 90-day preparation plan that includes:

  1. Week-by-week study topics mapped to the CRT syllabus
  2. Practice activities for each topic (specific HTB machines, labs, exercises)
  3. Time allocation (hours per week)
  4. Practice exam or assessment milestones
  5. Resources for each topic (books, courses, blogs)

Exercise 38.11: Segmentation Testing Plan

Design a segmentation testing plan for a network with the following segments:

  • PCI CDE (cardholder data environment)
  • Corporate LAN
  • DMZ (public-facing servers)
  • Development environment
  • Guest network

For each pair of segments, describe:

  1. What traffic should be blocked
  2. How you would test the segmentation (specific tools and techniques)
  3. What evidence you would capture to prove segmentation effectiveness
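As an added illustration for the evidence step above (it is not part of the chapter's exercises or the book's own tooling), the following Python script compares an intended segmentation policy with recorded connectivity probes, lists the flows that contradict the policy, flags blocked pairs that were never probed, and produces one report-appendix line per probe. The segment names are those of the exercise; the two allowed pairs and the probe records are constructed assumptions.

```python
"""Compare an intended segmentation policy with recorded probe results and
list the flows that contradict it (added example, not from the chapter)."""
from itertools import permutations

SEGMENTS = ["CDE", "Corporate LAN", "DMZ", "Development", "Guest"]

# Intended policy: ordered (src, dst) pairs that are ALLOWED; every other pair
# is expected to be blocked. These two rules are assumptions for this example.
ALLOWED = {
    ("Corporate LAN", "DMZ"),  # staff reach the public-facing services
    ("DMZ", "CDE"),            # web tier forwards payment requests to the CDE
}

# Constructed probe records, as a tester would log them after attempting a
# TCP connect from a host in each segment; reachable=True means the
# handshake completed.
OBSERVED = [
    {"src": "Guest", "dst": "CDE", "dport": 443, "reachable": False},
    {"src": "Development", "dst": "CDE", "dport": 5432, "reachable": True},
    {"src": "Corporate LAN", "dst": "DMZ", "dport": 443, "reachable": True},
    {"src": "DMZ", "dst": "Corporate LAN", "dport": 445, "reachable": True},
    {"src": "Corporate LAN", "dst": "Guest", "dport": 22, "reachable": False},
]

def expected_blocked_pairs(segments=SEGMENTS, allowed=ALLOWED):
    """Every ordered pair of distinct segments that the policy does not allow."""
    return {p for p in permutations(segments, 2) if p not in allowed}

def segmentation_violations(observed, allowed=ALLOWED):
    """Probes that reached a destination the policy says must be blocked."""
    return [r for r in observed
            if r["reachable"] and (r["src"], r["dst"]) not in allowed]

def untested_pairs(observed, segments=SEGMENTS, allowed=ALLOWED):
    """Blocked pairs with no probe on record: gaps in the evidence coverage."""
    probed = {(r["src"], r["dst"]) for r in observed}
    return sorted(expected_blocked_pairs(segments, allowed) - probed)

def evidence_lines(observed, allowed=ALLOWED):
    """One report-appendix line per probe; FAIL covers both an unexpected
    reach and an unexpected block of a flow the policy allows."""
    lines = []
    for r in observed:
        expected = (r["src"], r["dst"]) in allowed
        status = "OK" if expected == r["reachable"] else "FAIL"
        lines.append(f'{status}: {r["src"]} -> {r["dst"]}:{r["dport"]} '
                     f'expected {"ALLOW" if expected else "BLOCK"}, '
                     f'observed {"reached" if r["reachable"] else "blocked"}')
    return lines
```

Feed it the real firewall design and the full probe log from every segment, and the untested list becomes the to-do list that keeps the evidence complete before the report is written.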

Exercise 38.12: Methodology Mapping Exercise

You receive an RFP from a UK-based bank requiring penetration testing under the TIBER-EU framework. Map the TIBER-EU phases to the PTES phases and identify:

  1. Which PTES phases align with TIBER-EU
  2. What additional requirements TIBER-EU adds beyond PTES
  3. What accreditations would be required
  4. How the threat intelligence component differs from standard pentesting

Exercise 38.13: Emergency Scenario Response

During a penetration test of MedSecure, you encounter the following situations. For each, describe the correct response based on the Rules of Engagement:

  1. Your SQL injection testing causes the Patient Portal to crash and not recover
  2. You discover that an attacker has already compromised the system you are testing
  3. You find a child exploitation image on a compromised server
  4. The client's sysadmin contacts you directly and asks you to test an additional server not in scope
  5. Your VPN connection drops during an active exploitation attempt, and you lose track of whether your payload is still running

Exercise 38.14: Statement of Work Critique

Review the following abbreviated Statement of Work and identify all issues, omissions, and improvements needed:

"Security Testing Agreement: We will test your network for vulnerabilities. Testing will take approximately one week. We will provide a report of our findings. Cost: $10,000. Signed: [Tester], [Client]."

Write a list of at least 10 critical elements this SOW is missing, and explain why each is important.

Exercise 38.15: NIST SP 800-115 Comparison

Read the executive summary and key sections of NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment). Compare its testing methodology to PTES by identifying:

  1. Phases that are present in both
  2. Phases unique to NIST 800-115
  3. Phases unique to PTES
  4. How the two methodologies differ in their approach to reporting
  5. Which regulatory contexts favor each methodology

Exercise 38.16: Testing Pitfall Analysis

For each of the six common testing pitfalls described in Section 38.4.5 (Rabbit Hole, Tool Dependency, Trophy Hunter, Poor Evidence, Scope Creep, Testing Fatigue), describe:

  1. A specific real-world scenario where this pitfall might occur
  2. The impact on the engagement if the pitfall is not addressed
  3. Two concrete strategies to prevent or mitigate the pitfall

Exercise 38.17: Multi-Framework Compliance Mapping

An organization is subject to PCI DSS, HIPAA, and SOC 2. Create a matrix that maps the penetration testing requirements from each framework, identifying:

  1. Testing frequency requirements
  2. Scope requirements
  3. Methodology requirements
  4. Reporting requirements
  5. Tester qualification requirements
  6. Areas where a single penetration test can satisfy multiple frameworks

Exercise 38.18: Engagement Kick-Off Presentation

Create a slide outline (5-7 slides) for an engagement kick-off presentation to be delivered to the MedSecure team at the start of the penetration test. Include:

  1. Engagement overview and objectives
  2. Scope summary (visual diagram)
  3. Testing methodology overview
  4. Schedule and milestones
  5. Communication plan
  6. Emergency procedures
  7. Questions and next steps

For each slide, note the key talking points (2-3 bullets per slide).