Pen Test Basic Needs

["Stephane Auger" <sauger () pre2post com>]

Hi list,

I recently sent this email on the security-basics list, and afterwards discovered this list.  I thought I'd repost it, 
since this is probably the best place for it.

A quick couple of questions out of curiosity...

1) If you had to do a pen-test, what type of information would you need to begin with?  External IP?  Web site name?  
Anything else I'm forgetting?
2) What tools would you use for the pen-test?  Nessus, Snort, Cain&Abel.  Anything else that would be useful?
3) Any good docs on where to start?  I can find my way around once I'm in, but it's the first step that's the problem.
4) Any templates on good contracts to cover myself?

This pen-test will probably be for a network, but also for a web site that's hosted elsewhere.  Both the network's and 
the hosing site's owners are aware and ready to sign off on it, so I'm pretty much aware of the legal ramifications, 
which is why I'd love to see some contract templates.  I'll be backed up by others, but would still like the info on 
how to start so I can prepare.

Thanks everyone!

Stephane