.. _shippentest:

17. Perform a pen-test
====================================================

Task
^^^^^

| Get Red Teaming assignments, pen-tests, vulnerability research from partners in education, partners in innovation, other project groups, your personal network. Organize and perform this assignment with a team of students. Set up and deliver a pen-test report, present and discuss your findings with the client.

Introduction
^^^^^^^^^^^^^

| In the middle of November, I was approached by one of the professors of the Cyber department with an interesting offer to perform a pen test on [REDACTED]. I shall refer to them as Company A for obvious reasons. Company A is pretty big and has a lot of applications under their management, and they wanted to have student pen testers perform a pen test on one of their newer applications.

Meeting
^^^^^^^^^

| I assembled a team of 3 including myself, Pim & Maxim to perform this pentest. We set up a meeting with Company A to discuss the details of the pen test. During this meeting we were given an introduction to all of the relevant people for the pentest. It would be a digital pentest, we would get our own room & company laptops and the application manager would be on standby during the test. It seemed mostly standard.

Investigation
^^^^^^^^^^^^^^

| Before the details of the pentest were agreed upon by all relevant parties, I already did some OSINT research into the target application to see if there was anything interesting I could find out on the internet. There was very little to be found: a couple of PDFs containing something that this application processed.

Agreement
^^^^^^^^^^

| Before we could start with the pentest, Company A and I had communicated many times about some of the finer details, such as which applications we would require on the company laptop. For this I proposed an idea where each pen tester gets 2 laptops: one would be a standard laptop and the other would be modified with our pen test applications. Why? Because by having this setup we would simulate two types of threat actors: random internal employees & a malicious cyber criminal.

Contract
^^^^^^^^^

| After mulling over the contract for a few weeks, a new lockdown was announced. The pentest date was postponed, and other details were added to the contract.

Conclusion
^^^^^^^^^^^

| Employees of Company A were afraid they might be unable to work if they contracted Covid, and their work is considered essential -- thus during the last few weeks of December it was decided that the pentest would ensue after the lockdown. The lockdown didn't end, and thus Company A cancelled the pentest. Stefan can give testimony that this is indeed the case, as Company A called to inform the teacher of this happening.