nanog mailing list archives

Re: Penetration Test Assistance


From: Bacon Zombie <baconzombie () gmail com>
Date: Tue, 5 Jun 2012 21:13:11 +0100

You should have a look at the Pentest Standards page, it was created
by some very skilled Pen Testers who are trying to create a minimum
standard for all tests and reporting.

http://www.pentest-standard.org/index.php/Main_Page

Also you should just have to give them your external net-block
allocation that is in scope unless it is a more forced test and not a
general external test.

On 5 June 2012 20:48, Brett Watson <brett () the-watsons org> wrote:

On Jun 5, 2012, at 9:52 AM, Peter Kristolaitis wrote:


As far as horror stories... yeah.   My most memorable experience was a guy (with a CISSP designation, working for a 
company who came highly recommended) who:
   - Spent a day trying to get his Backtrack CD to "work properly".  When I looked at it, it was just a color depth 
issue in X that took about 45 seconds from "why is this broken?" to "hey look, I fixed it!".
   - Completely missed the honeypot machine I set up for the test.  I had logs from the machine showing that his 
scanning had hit the machine and had found several of the vulnerabilities, but the entire machine was absent from 
the report.
   - Called us complaining that a certain behavior that "he'd never seen before" was happening when he tried to nmap 
our network.  The "certain behavior" was a firewall with some IPS functionality, along with him not knowing how to 
read nmap output.
   - Completely messed up the report -- three times.  His report had the wrong ports & vulnerabilities listed on the 
wrong IPs, so according to the report, we apparently had FreeBSD boxes running IOS or MS SQL...
   - Stopped taking our calls when we asked why the honeypot machine was completely missing from the report.

In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be 
done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving 
them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. 
Go.".   There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who 
actually write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call 
it a day.  Like everything else in IT, security has been "commercialized" to the point where finding really good 
vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup 
certifications you can imagine.

I agree with a lot of what you've said, but there are absolutely good security guys (pen tester, vulnerability 
assessors, etc) that use both open source and commercial automated tools, but still do a fantastic job because they 
understand the underlying technologies and protocols.

I used to do a lot of this in the past, had lots of automated tools, and only occasionally wrote some assessment 
modules or exploit code if necessary.

But again, a person in that position has to understand technology holistically (network, systems, software, 
protocols, etc).

-b



-- 
BaconZombie

LOAD "*",8,1
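The reply above says the tester should only need the in-scope external net-block, and the quoted story describes a report that omitted a host the tester's scans demonstrably hit and listed findings against the wrong IPs. The script below is an added example of the checks a client can run on a delivered report; it is not code from anyone in this thread. It assumes the client has the agreed scope as CIDR blocks, a list of hosts its own firewall/IPS logs show being scanned by the tester, and the report's findings as (IP, port, service) tuples; all three inputs here are constructed sample data using RFC 5737 documentation ranges.

```python
"""Sanity checks on a delivered pen-test report against the agreed scope.

Added example, not code from the mailing-list thread. Assumptions:
  - SCOPE is the external net-block handed to the tester.
  - SCANNED_BY_TESTER comes from the client's own firewall/IPS logs
    (the hosts the tester's scans actually touched).
  - REPORT_FINDINGS is what the delivered report lists, as (ip, port, service).
All three are constructed sample values.
"""
import ipaddress

# Constructed: the in-scope allocation given to the tester (RFC 5737 range).
SCOPE = ["198.51.100.0/27"]

# Constructed: hosts the client's logs show the tester scanning.
# 198.51.100.12 stands in for the honeypot that the scans hit.
SCANNED_BY_TESTER = ["198.51.100.5", "198.51.100.7", "198.51.100.9", "198.51.100.12"]

# Constructed: findings as they appear in the delivered report.
# 192.0.2.44 is outside the agreed scope, i.e. a finding filed against the wrong IP.
REPORT_FINDINGS = [
    ("198.51.100.5", 22, "ssh"),
    ("198.51.100.7", 443, "https"),
    ("198.51.100.9", 80, "http"),
    ("192.0.2.44", 1433, "ms-sql"),
]


def parse_scope(cidrs):
    """Turn the scope strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(ip, nets):
    """True if the address falls inside any of the agreed net-blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hosts_missing_from_report(scope_cidrs, scanned, findings):
    """In-scope hosts the tester scanned (per the client's logs) but never reported.

    This is the 'honeypot absent from the report' check: every host the tester
    touched inside scope should appear somewhere in the deliverable, even if
    only as 'no findings'.
    """
    nets = parse_scope(scope_cidrs)
    reported = {ip for ip, _, _ in findings}
    missing = [h for h in scanned if in_scope(h, nets) and h not in reported]
    return sorted(missing, key=ipaddress.ip_address)


def findings_out_of_scope(scope_cidrs, findings):
    """Findings filed against addresses outside the agreed net-block.

    Either the tester strayed out of scope or, as in the quoted story,
    ports and vulnerabilities were attached to the wrong IPs.
    """
    nets = parse_scope(scope_cidrs)
    return [f for f in findings if not in_scope(f[0], nets)]


if __name__ == "__main__":
    for host in hosts_missing_from_report(SCOPE, SCANNED_BY_TESTER, REPORT_FINDINGS):
        print(f"scanned but not in report: {host}")
    for ip, port, svc in findings_out_of_scope(SCOPE, REPORT_FINDINGS):
        print(f"finding outside scope: {ip}:{port} ({svc})")
```

Run against the sample data it flags 198.51.100.12 as scanned-but-unreported and the ms-sql finding on 192.0.2.44 as outside scope. Feeding it your real IPS logs and the report's host table is a cheap way to catch both failure modes described in the thread before paying the invoice.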

