PTK Suggested Deployment Guide

The purpose of this document is to recommend where and how to deploy a Penetration Testing Kit (PTK) or physical Penetration Testing Kit (pPTK) so that the placement matches the scope of the assessment and your testing goals. These are Rapid7’s PTK best practices. There may be situations where guidance should come from an additional party (e.g., your Qualified Security Assessor (QSA) for PCI-related work), or where network or policy restrictions prevent deployment as recommended.

Internal Network Penetration Test

Standard Internal Network Penetration Test:

For an internal network penetration assessment, we recommend that the PTK deployment is guided by the following suggestions:

Simulate the PTK deployment as if the consultants were on-site for the internal network assessment. For example, if you would typically place a visiting consultant on a corporate office network, please consider deploying the PTK on that same office network and virtual LAN (VLAN).

If you have multiple office networks to choose from, prefer a user network that carries active traffic, such as the corporate IT network, over a conference room or guest network that may be segmented from other user networks. A higher-traffic user segment gives the consultants the same view of the network that an employee workstation has, and so a more comprehensive, real-world testing environment.

Network Segmentation Test:

Please use guidance from your QSA for where to deploy a PTK on your internal network. Deploying the PTK outside of your Cardholder Data Environment (CDE) network segment is the most common approach, since the goal of the test is to verify that the CDE cannot be reached from out-of-scope segments.

Internal Network Vulnerability Assessment:

You will need to deploy a PTK on an internal network to provide Rapid7 access to the internal assets for testing. Additionally, we will provide you with a Nexpose Open Virtualization Appliance (OVA) image to deploy as a virtual machine (VM). The PTK and the Nexpose VM should both be deployed on the same network, so that the PTK can reach the Nexpose console without firewall or access-control exceptions.

Wireless Network Penetration Test

Physical Placement

We recommend deploying the pPTK where the most coverage of your wireless network(s) will be available.

Additionally, you may need to coordinate with the testing consultants during the assessment to move the pPTK between physical locations for better wireless coverage, for example from an office floor to the building lobby.

Internal Application Testing and Miscellaneous Items

Internal Application Testing:

For internal application testing, please deploy the PTK on the same network and VLAN as the application, so that the application is reachable from the PTK without firewall or access-control exceptions and no time is lost to accessibility issues.
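As an added example (not part of Rapid7's guide or its tooling), the following Python pre-flight check covers the placement points above in one script: that the Nexpose VM sits on the same subnet as the PTK, that an internal application is reachable from the PTK's position, and, for a segmentation test, that a CDE host is not. Run it from a laptop on the port where the PTK will be plugged in, before the PTK is shipped or activated. The addresses, hostnames, and the helper names (same_subnet, tcp_reachable, placement_report) are constructed for illustration.

```python
"""Pre-flight placement check for a PTK drop (added example, not Rapid7 tooling).

Given the address/prefix the PTK will receive and a list of assets the test
must (or must not) be able to reach, report whether each asset sits on the
PTK's subnet and whether a TCP connect to it succeeds. All addresses below
are constructed for illustration.
"""
import ipaddress
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str
    ip: str
    port: int
    # True for in-scope assets; False for a segment that must stay isolated (e.g. the CDE)
    expect_reachable: bool


def same_subnet(ptk_iface: str, target_ip: str) -> bool:
    """True if target_ip lies inside the network of ptk_iface (e.g. '10.20.30.5/24')."""
    net = ipaddress.ip_interface(ptk_iface).network
    return ipaddress.ip_address(target_ip) in net


def tcp_reachable(ip: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect probe; a closed port and a filtered path both report False."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def placement_report(ptk_iface: str, targets, probe=tcp_reachable):
    """Check every target from the PTK's vantage point.

    `probe` is injectable so the decision logic can be exercised without a network.
    Returns one dict per target; 'ok' is True when observed reachability matches
    the expectation (reachable for in-scope assets, unreachable for isolated ones).
    """
    rows = []
    for t in targets:
        reachable = probe(t.ip, t.port)
        rows.append({
            "name": t.name,
            "ip": t.ip,
            "same_subnet": same_subnet(ptk_iface, t.ip),
            "reachable": reachable,
            "expected": t.expect_reachable,
            "ok": reachable == t.expect_reachable,
        })
    return rows


def placement_ok(report) -> bool:
    """True only if every target behaved as expected from the PTK's position."""
    return all(r["ok"] for r in report)


# Constructed scenario: PTK on the corporate user VLAN, Nexpose VM on the same
# /24 (console on its default port 3780), an internal app on another user
# segment, and a CDE database host that must remain unreachable.
EXAMPLE_PTK_IFACE = "10.20.30.5/24"
EXAMPLE_TARGETS = [
    Target("nexpose-vm", "10.20.30.50", 3780, expect_reachable=True),
    Target("internal-app", "10.20.40.10", 443, expect_reachable=True),
    Target("cde-db", "172.16.5.20", 1433, expect_reachable=False),
]

if __name__ == "__main__":
    for row in placement_report(EXAMPLE_PTK_IFACE, EXAMPLE_TARGETS):
        flag = "OK " if row["ok"] else "FIX"
        print(f"{flag} {row['name']:<14} {row['ip']:<15} same_subnet={row['same_subnet']} "
              f"reachable={row['reachable']} expected={row['expected']}")
```

A "FIX" row for an in-scope asset means the planned VLAN needs a firewall exception or the PTK should move, which is the accessibility issue the guidance above is trying to avoid; a "FIX" row for the CDE host means the segment is reachable from the chosen location and the QSA should be consulted before the segmentation test proceeds.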