17. Perform a pen-test
Task
Get Red Teaming assignments, pen-tests, vulnerability research from partners in education, partners in innovation, other project groups, your personal network. Organize and perform this assignment with a team of students. Set up and deliver a pen-test report, present and discuss your findings with the client.
Introduction
In the middle of November, I was approached by one of the professors of the Cyber department with an interesting offer to perform a pen test on [REDACTED]. I shall refer to them as Company A for obvious reasons. Company A is pretty big, has a lot of applications under their management, and they wanted to have student pen testers perform a pen test on one of their newer applications.
Meeting
I assembled a team of 3 including myself, Pim & Maxim to perform this pentest. We set up a meeting with Company A to discuss the details of the pen test. During this meeting we were given an introduction to all of the relevant people for the pentest. It would be a digital pentest, we would get our own room & company laptops, and the application manager would be on standby during the test. It seemed mostly standard.
Investigation
Before the details of the pentest were agreed upon by all relevant parties, I already did some OSINT research into the target application to see if there was anything interesting I could find out on the internet. There was very little to be found, a couple of PDFs containing something that this application processed.
Agreement
Before we could start with the pentest, Company A and I had communicated many times about some of the finer details, such as which applications we would require on the company laptop. I proposed an idea where each pen tester gets 2 laptops: one would be a standard laptop and the other would be modified with our pen test applications. Why? Because by having this setup we would simulate two types of threat actors: random internal employees & a malicious cyber criminal.
Contract
After mulling over the contract for a few weeks, a new lockdown was announced. The pentest date was postponed, and other details were added to the contract.
Conclusion
Employees of Company A were afraid they might be unable to work if they contracted Covid, and their work is considered essential – thus during the last few weeks of December it was decided that the pentest would ensue after the lockdown. The lockdown didn't end, and thus Company A cancelled the pentest. Stefan can give testimony that this is indeed the case, as Company A called to inform the teacher of this happening.