PTK Suggested Deployment Guide
The purpose of this document is to recommend Penetration Testing Kit (PTK) and physical Penetration Testing Kit (pPTK) deployment guidance based on your expectations of the assessment and your testing goals. These are Rapid7's PTK best practices. There may be situations where guidance should be provided by an additional party (e.g., a QSA) or where a recommended deployment is not possible because of restrictions.
Internal Network Penetration Test
Network Adapter Setting Considerations - NAT vs Bridged
If deploying the virtual PTK (vPTK) using a Type 2 hypervisor such as VMware Workstation or Oracle VirtualBox, please configure the vPTK network adapter in a 'Bridged' configuration. Please DO NOT deploy the vPTK with the network adapter in a 'NAT' configuration.
Deploying the vPTK in 'Bridged' mode will ensure that the vPTK receives its own IP address from the network's DHCP server, that it can communicate directly with other devices on the same network as the host, and that other machines on the network can access the vPTK directly. This configuration optimally ensures proper communication between the vPTK and in-scope assets.
Deploying a vPTK in 'NAT' networking mode results in the host creating a virtual network for the vPTK and placing it on a separate subnet. This can induce unexpected behavior: traffic being dropped during heavy scanning operations as the hypervisor's NAT translation table fills, and an inability to route traffic from in-scope assets to the vPTK without configuring port forwarding on the hypervisor.
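As an added example, not Rapid7 tooling or part of this guide, the following POSIX shell script checks a VirtualBox VM's adapters from the output of `VBoxManage showvminfo <vm> --machinereadable` and prints the `VBoxManage modifyvm` command that moves a NAT adapter to bridged mode. The VM name `vPTK`, the host interface `eth0` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify that every active VirtualBox adapter of the vPTK is
# bridged (not NAT) before the assessment starts.

# Constructed sample of `VBoxManage showvminfo vPTK --machinereadable` output
# (assumed VM name) where adapter 1 was left in NAT mode.
SAMPLE_VMINFO='name="vPTK"
nic1="nat"
macaddress1="080027ABCDEF"
nic2="bridged"
bridgeadapter2="eth0"
nic3="none"'

# check_nics <vminfo-text>: prints "<index> <mode> <verdict>" for each active
# adapter. Returns 0 when all active adapters are bridged, 1 if any uses NAT.
check_nics() {
    rc=0
    while IFS= read -r line; do
        # Only lines of the form nicN="mode" (skips nictypeN, nicspeedN, ...)
        case "$line" in
            nic[0-9]*=*) ;;
            *) continue ;;
        esac
        idx=${line%%=*}; idx=${idx#nic}
        mode=${line#*=}; mode=${mode#\"}; mode=${mode%\"}
        case "$mode" in
            none)    continue ;;
            bridged) echo "$idx $mode ok" ;;
            nat)     echo "$idx $mode NAT-not-recommended"; rc=1 ;;
            *)       echo "$idx $mode review" ;;
        esac
    done <<EOF
$1
EOF
    return $rc
}

# bridge_cmd <vm> <adapter-index> <host-iface>: prints the VBoxManage command
# that switches that adapter to bridged mode (run it with the VM powered off).
bridge_cmd() {
    printf 'VBoxManage modifyvm "%s" --nic%s bridged --bridgeadapter%s "%s"\n' \
        "$1" "$2" "$2" "$3"
}

# Demo on the constructed sample. Against a live VM, pass
# "$(VBoxManage showvminfo vPTK --machinereadable)" to check_nics instead.
check_nics "$SAMPLE_VMINFO" || bridge_cmd vPTK 1 eth0
```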
Standard Internal Network Penetration Test:
For an internal network penetration assessment, we recommend that the PTK deployment be guided by the following suggestions:
Simulate the PTK deployment as if the consultants were on-site for the internal network assessment. For example, if you would typically place a visiting consultant on a corporate office network, please consider deploying the PTK on that same office network and virtual LAN (VLAN).
If you have multiple office networks for consideration, you may prefer a user network that generates active network traffic, such as a corporate IT network, rather than a conference room network that may be segmented from other user networks. The higher-traffic "user" network segments provide a more comprehensive "real world" testing environment.
Network Segmentation Test:
Please use guidance from your QSA for where to deploy a PTK on your internal network. Deploying a PTK outside of your Cardholder Data Environment (CDE) network segment is the most standard approach.
Internal Network Vulnerability Assessment:
You will need to deploy a PTK on an internal network to provide Rapid7 access to the internal assets for testing. Additionally, we will provide you with a Nexpose Open Virtualization Appliance (OVA) image to deploy as a Virtual Machine (VM). The PTK and Nexpose VM should both be deployed on the same network.
Wireless Network Penetration Test
Physical Placement
We recommend deploying the pPTK where it will have the widest coverage of your wireless network(s).
Additionally, you may need to coordinate with the testing consultants during the assessment to move the pPTK between physical locations for better wireless coverage, for example from an office floor to the building lobby.
Internal Application Testing and Miscellaneous Items
Internal Application Testing:
For internal application testing, please deploy the PTK on the same network and VLAN as the application to ensure that there will be no accessibility issues.