HETVI NAIK 101212340
ETHICAL HACKING
ASSIGNMENT 1
By:
HETVI NAIK
101212340
1. PLAN AND TESTING METHODOLOGIES:
• The testing methodology we are going to use is the Penetration Testing Execution Standard (PTES), as it covers everything from initial communication and reasoning, through threat modeling, vulnerability and security analysis, to final reporting.
• This methodology gives businesses an actual standard that raises the bar of quality and gives a better understanding of the services.
• The test is divided into 7 phases:
o Engagement interaction
o Intelligence gathering
o Threat modeling
o Vulnerability analysis
o Exploitation
o Post-exploitation
o Reporting
• The tools used here are as follows:
o Linux as a virtual machine
o IBM AppScan
o SEBUG Vuln DB
o Exploithub
o Firewall
2. ENGAGEMENT PLAN:
• The testers will prepare and gather the required tools, OS, and software to begin the penetration test.
• The timesheet and location will be decided and provided to all the employees.
• Work will be submitted at the end of every day, with short meetings.
• The test will take 6 days to complete, after the 1st day is used for setting up the proper tools and dividing the work.
• If any vulnerability is found outside the original scope, it will be resolved with additional support, extending the hourly rate of the workers.
• Final reporting will be done at the end of the last day, where all the steps will be checked and the outputs will be given clearance. The post-exploitation phase will indicate whether further testing is needed.
• The final report will be in 2 parts: executive and technical.
3. IDENTIFICATION PLAN:
• The main objective is to test the following in parts:
i. 350 workstations
ii. 27 in-house servers
iii. 50 networking devices
iv. Microsoft Azure platform
• The test will be performed within the range of IP addresses assigned to each employee.
• Permission will be obtained from the internet provider for testing at intervals.
• All 27 in-house servers, along with some servers hosted on the Microsoft Azure platform, will be tested.
• The after-test announcement and the list of repaired devices will be communicated to the workers and the ISP as well.
4. ACTION PLAN:
• The overall action plan here is:
i. Preparation
ii. Testing
iii. Reporting
• PREPARATION:
o Service contract
o Permission agreements
o Memo permission from client
o Tools and threats
o Timesheet and division of work
• TESTING:
o Reconnaissance
o Scanning
o Gaining access
o Maintaining
o Analysis
o Reporting
