
SANS ISC: How to setup penetration testing exercises. - SANS Internet Storm Center SANS ISC InfoSec Forums

How to setup penetration testing exercises.
Based on the many responses we got regarding the 'Packetslinger' diary, here are a few notes on how to set up a penetration/cracking exercise.

One remark first: laws vary from area to area. Whatever you do, check your local laws and regulations. Corporate policies, university ethics guidelines and ISP contracts may have to be consulted.

  1. Avoid the use of public networks if possible. It's just too easy to 'fat finger' an IP address, and all too easy to unintentionally shut down a critical system using an attack as simple as a portscan.
  2. If you have to use a public network, try to set up a VPN to isolate the sources and targets involved.
  3. Ask participants to remove or turn off additional network interfaces (in particular wireless interfaces).

Any attack, even as simple as a portscan, should only be performed with written permission. Even in a lab environment, it may be a good exercise to go through the motions of obtaining written permission from the instructor. It is not always easy to identify the person who has to provide permission, but in general this should be the 'network owner'. Remember that part of a corporate network may be owned by an ISP, and not the company (or university).
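
One way to guard against the 'fat finger' mistake described above, as an added example that is not part of the original diary: a pre-flight check that only passes targets inside the ranges named in the written permission. The function names, the lab ranges and the sample target list are constructed for illustration.

```python
import ipaddress

def load_scope(cidrs):
    """Parse the ranges listed in the written permission into network objects."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs]

def check_target(target, scope, allow_public=False):
    """Return 'ok' or a rejection reason for one target string."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        # Hostnames, CIDR blocks and typos that are not an address end up here.
        return "rejected: not a single valid IP address"
    if not any(addr.version == net.version and addr in net for net in scope):
        return "rejected: outside the authorized ranges"
    if addr.is_global and not allow_public:
        # In scope but publicly routable: require an explicit decision.
        return "rejected: publicly routable, needs explicit sign-off"
    return "ok"

def split_targets(targets, scope, allow_public=False):
    """Partition a target list into approved addresses and rejected entries."""
    approved, rejected = [], {}
    for entry in targets:
        verdict = check_target(entry, scope, allow_public)
        if verdict == "ok":
            approved.append(entry.strip())
        else:
            rejected[entry] = verdict
    return approved, rejected

# Constructed sample data: a lab scope and a target list with typical typos.
LAB_SCOPE = load_scope(["10.20.0.0/24", "192.168.56.0/24"])
SAMPLE_TARGETS = ["10.20.0.15", "10.2.0.15", "110.20.0.15",
                  "192.168.56.101 ", "10.20.0.0/16"]

if __name__ == "__main__":
    ok, bad = split_targets(SAMPLE_TARGETS, LAB_SCOPE)
    print("approved:", ok)
    for entry, reason in bad.items():
        print(f"{entry!r}: {reason}")
```

Running the check before every exercise step, and keeping its output with the signed permission, gives a record that only approved addresses were ever on the list.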

Can you go to jail for running a portscan? Unlikely. But the fact that you are considering this question is a good hint that you should get written permission. Internal teams may be given permission via policy documents. See for templates (e.g. the Audit Vulnerability Scanning Policy or the Risk Assessment Policy).



ISC Handler
Mar 1st 2006
