Getting started guide
Whether you're going through a Test Trial or purchased a vPenTest subscription, the steps below will help you get started with our platform. Happy PenTesting!
Overview
Welcome to the vPenTest User Guide. Before we get started, let's cover some terms that will be used in and throughout vPenTest:
- Organization: An organization is basically your client. If you're performing an assessment for Walgreens, then this is your organization in the vPenTest portal.
- My User: These are your consultants/coworkers that will have access to the portal. They will be able to schedule assessments, etc.
- Organization User: These are the user accounts that belong to the organization (aka your client's user accounts). You can invite these users into the portal and they'll only have the ability to watch their assessments, view their organization's trending vulnerabilities, and see reports that you release to them. They won't be able to schedule any assessments
- Agent: An Agent is simply an internal virtual machine or physical device that vPenTest will connect to in order to perform a penetration test on-prem or in the cloud.
- Schedules: A schedule is simply a schedule for your security assessment. You can create scheduled assessments to run assessments based on your preferred time and date preferences.
NOTE If you are performing an internal security assessment, you will need to have an agent deployed. Refer to IP Estimator prior to continuing with this process.
Step 1: Create an organization
An organization is essentially a client that you’d like to perform a security assessment on.
When creating an organization, it’s important to fill out as many details as possible.
Things such as the organization’s domain name can be used for open source intelligence (OSINT) gathering.
Follow these steps to create an organization:
- Click Organizations in the left navigation menu.
- Click the New Organization button.
- Fill out the New Organization pop-up modal. The following options are presented:
| Field | Description |
|---|---|
| Full Name | The full name of the organization. |
| Short Name | The organization’s abbreviation (if any). If none exists, you can use the organization’s full name. |
| Industry | Provide your client’s industry category. |
| Domain | Used for Open Source Intelligence (OSINT) gathering, this textbox should contain the domain name of the organization. |
| Support Email | Optional field, but can be used to send support-related information to the client if necessary (e.g., Agent offline, etc.). |
| Time Zone | Provide the organization’s time zone. |
| Use Vonahi Security branded deliverables | If you ever want to use Vonahi Security branded deliverables, you can select the checkbox for “Yes”. Otherwise, the reports for this organization will be branded using your organization’s branding (e.g. logo, colors, etc.). |
NOTE If you are conducting an internal security assessment, such as an internal penetration test or vulnerability assessment, then filling out the second tab could be helpful by providing an email address as opposed to memorizing a UUID generated by the Agents.
EXAMPLE For example, for organization A, you could create an alias here called vPenTest@organizationa.com. For organization B, you can use vPenTest@organizationb.com. When you go to register an agent, you'll simply provide these email addresses for their respective organizations, and vPenTest will automatically associate the agents to the appropriate organizations.
It should be noted that this value must be unique, otherwise you'll end up registering agents to the wrong organizations.
Step 2: Schedule an assessment
A Scheduled Assessment is where you’ll go to configure the necessary requirements for your client’s security assessment. Follow the steps below to schedule an assessment:
- Click Assessments in the left navigation.
- Next, you’ll be presented with a page that allows you to select the Current Assessments or the Future Assessments tab. On the Future Assessments tab, click the New Scheduled Assessment button.
- Fill out the 6-Step Assessment wizard. The wizard that pops up will guide you through setting up your assessment for your client.
-
Step number Step name Instructions 1 Project Details Select the organization that you created in the first part of this guide. Once you select a organization you’ll notice that a list of security assessments will populate on the right side of the page. 
While you may hover the i icon to get more information about each assessment, let’s summarize what each assessment consists of:
- A penetration test excludes a vulnerability assessment. A penetration test replicates the entire role of a consultant by attempting to identify security weaknesses that could be used directly in conjunction with an attack against the environment.
- A vulnerability assessment excludes a penetration test, and only attempts to identify security vulnerabilities based on the publicly documented and known security vulnerabilities.
- A security assessment includes both a penetration test and a vulnerability assessment.
An internal and external security assessment follows the same methodology, with the exception of the external penetration test performing open source intelligence (OSINT) gathering. OSINT gathering is performed to attempt identifying information on the public internet that could be used to conduct an attack against the organization. Such information could include disclosed usernames in files’ metadata, employee names, doppelganger domains, and more.
NOTE If you opt to perform an internal assessment of any kind, you’ll need to first deploy a vPenTest agent, which you can find in the Support Info page.
2 Frequency Next, you’ll select the frequency. For the purpose of the trial, select One Time. The calendars will appear and you’ll be able to select a date of your choosing. 3 Scan Times Select a time zone for your customer. Then, select a time you’d like for the assessment to start. You can either click on a day, such as Monday, to select the entire day, or you can click on a column, such as 3, to select 3 PM (or 3 AM) for every day of the week.
4 IP Range In this step, provide the IP addresses that you’d like to perform an assessment on. You must either provide single IP addresses, CIDR notation, or IP address ranges in the following format: 192.168.1.1-255. You must also separate these IPs/ranges either by commas or new lines. You may also provide IP addresses to be excluded from all testing.
NOTE Domains and sub-domains provided in the organization’s profile will only be used for OSINT and not automatically included in this scope unless explicitly added.
5 Notifications In this step, you have the option to subscribe to notifications as the assessment progresses. You can either subscribe users who have been registered in the portal, or you can simply provide their email addresses.
See below for a list of project notifications and their meanings:
- Assessment Activities: As the penetration test and/or vulnerability assessment moves from phase to phase, such as Host Discovery to Enumeration, you’ll be notified by email.
- New report finding added: As new penetration test findings get added to the assessment, you’ll be notified with a brief summary of what was added to the assessment.
- Vulnerability count changes: As new vulnerabilities are added (from the vulnerability assessment), you’ll be notified on how many vulnerabilities were recently added to the assessment.
6 Summary On the final screen (step 6), you can see a finalized summary of the configuration options you’ve provided for the scheduled assessment.
- Finally, click Finish and your assessment will be queued.
If you’ve selected for your assessment to start immediately, then your assessment will start 30 minutes after you've confirmed the scheduled assessment. For more information, refer to How soon can I start an assessment?
If you're looking to perform an internal assessment, your next step will be to deploy the vPenTest VM using the Ubuntu ISO within your client's internal network environment. For more information, refer to vPenTest Agent Installation Guide.
