Dailydave mailing list archives

RE: Pentesters getting owned?


From: "Steve W. Manzuik" <steve () security-sensei com>
Date: Tue, 4 May 2004 14:21:56 -0600

I've done a lot of pen-tests (not so many anymore) but I have always run
keyloggers on my boxes to record everything I do.  Obviously a lot of
screenshots are taken and bash histories are kept so I am very careful to
remove any back doors left behind.  The clean up is always the worst and
hardest part though.  Lately I have noticed fewer and fewer clients wanting a
full pen-test and going more the route of a vuln assessment -- which 

I remember a conversation Dave and I had in Tokyo about how Pen-tests are a
complete waste of money -- they are.  Not because there is no value in them
but because most companies do them at the wrong time.  I mean instead of
paying the huge rates people still get away with charging (that I won't
understand as they are WAY overvalued and I still do this as a business line
but for much cheaper than the rest) companies should be spending their money
building their security infrastructure or framework (whatever marketing
buzzword you want to use) and then have it tested.  Doing a Pen-Test before
this is done is stupid -- you might as well burn your money because I can
almost guarantee that if you haven't spent budget on building security you
will get owned with a pen-test.

-----Original Message-----
From: jan.muenther () nruns com [mailto:jan.muenther () nruns com] 
Sent: Tuesday, May 04, 2004 11:07 AM
To: Steve W. Manzuik
Cc: dailydave () lists immunitysec com
Subject: Re: [Dailydave] Pentesters getting owned?


Hi there,

story.  I have experienced network admins monitoring and attempting to 
drop connections as the team performs the pen-test.

Well, that is totally common practice. I've seen this 
happening over and over, they're watching and changing things 
on the fly while you're at work.
One time I was actually kicked out (they shut down the 
machine, hah hah) while being logged on... 

One thing that always concerns me is pen testers forgetting 
their temporary backdoors and listeners. I usually check 
twice that I didn't forget anything, but hey, others might 
not or you may just have a bad day. One of the reasons why 
you should always thoroughly document what you've done and how...

I also recall a story of a fellow pen tester who conducted a 
pen test on the wireless infrastructure of a client who 
arrived one day early and already commenced the testing, 
totally ripping them apart. They didn't notice it and had 
shut down a lot of systems overnight and were quite surprised 
by him showing them their passwords on a sheet of paper. 

Cheers, J.



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

