Penetration Testing mailing list archives
Re: [PEN-TEST] Lots of questions...my first paid pen-test.
From: Chris Tobkin <tobkin () INTERSEC COM>
Date: Mon, 4 Dec 2000 19:00:19 -0600
Well, I'll give this one a whack.
1) What is the usual team size used when performing a pen-test?
Depends on how many people the company is willing to pay for and what their goals are. Most times just one or two because they just want to find out what their problems are. If they are looking for incident response testing of their techies and are willing to pay for Tiger-team style, then it depends on how large you can get the group and have it still quickly and effectively share the results as they come in. In my experience about 5 or 6 in a small room with a lot of whiteboard space.
2) Do you prefer to test from a fixed or dynamic IP?
I'll interpret this as "single or multiple IP addresses". (IMHO, you should always scan from an IP that you own and control -- most effective to have a few IPs on different service providers.) It depends if they're trying to find out whether their logs effectively identify an attack, or if their policies and procedures effectively stop an attacker when coming from multiple addresses. Again, all depends on WHY they want a pen-test. FYI, if you scan from a cable modem or home DSL modem, don't be surprised if a techie catches this, says you're small beans, and doesn't use you again. You'll also want to make sure your ISP a) knows that you're legitimately doing this and won't shut you off if it's reported to them, and b) doesn't have a policy against it.
3) What sort of logging of activities takes place? How in depth should the logs be and does anyone have references or examples of pen-test logs? Are any specific tools (i.e. keystroke monitors) used during the test?
All depends on what you think your risk is of being sued because you (incidentally) cause a denial of service, or of being sued because they are intruded upon and you cannot prove it was not you. One may record each packet sent to and received from a client. That data is then dumped to tape and stored in a locked safe for about 6 months, then destroyed.
4) Do you usually have a third-party/company representative present during the testing process? (i.e. for auditing purposes)
For what purpose?
5) Are any trophies taken off machines that are vulnerable to attack? This also brings up the question of whether non-destructive exploits should be run against a known-to-be-vulnerable target.
Depends on what the client wants. It has more shock value when you show/tell them information they thought you'd never be able to get, but pulling that data across the internet is probably a bad thing. In addition, if you possess that information at any point in time and it's later circulated, you may have a legal problem on your hands trying to prove that it wasn't you that made it public.
6) Costing and Fees - How is a quotation for the assessment compiled? Obviously it is relative to the size of the organization and the number of machines scanned, but are there any other determining factors that should affect price? e.g. according to OS, machine type & value, value of information on machine... Any example/old/used/whatever quotes out there which I can get an idea from? In South Africa, pen-testing is an unknown service with no baseline standards / recommendations available.
Depends on what you're willing to settle for and they're willing to pay. I know we should be charging triple what we are, but we get a lot of repeat business for recurring tests and companies aren't willing to pay what we should be charging.
7) In the event of a physical pen-test, should this take place before or after the online test?
I'd suggest before -- reason being that one could take the information gleaned from a blind physical test and leverage it during the online test. Some companies will give you their network diagram, some will want you to do it blind and show them what you come up with. I know a few companies told us that if we didn't find enough during the initial information gathering phase, they'd have booted us out right then and there. // Chris tobkin () intersec com
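The per-packet evidence capture described in the answer to question 3 (record everything sent to and received from the client, then archive it so you can later show exactly what you did), as an added example that is not part of Chris's post or the list's material. It assumes a hypothetical interface eth0, the documentation range 203.0.113.0/24 standing in for the client's netblock, and an ./evidence directory; all three are assumptions, overridable through environment variables. The capture itself needs root and tcpdump; the sealing and verification functions work on any file.

```shell
#!/bin/sh
# Added example (not from the original post). Full-packet capture of the
# client netblock for the duration of a test, then a hash manifest so the
# archived capture can be shown to be the one taken at the time.
# Assumptions (hypothetical): interface eth0, client range 203.0.113.0/24
# (TEST-NET-3, a constructed stand-in), evidence directory ./evidence.

IFACE="${IFACE:-eth0}"
CLIENT_NET="${CLIENT_NET:-203.0.113.0/24}"
EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"

# Portable SHA-256 of a file: GNU sha256sum, else BSD shasum, else openssl.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Start capturing only traffic to/from the client range. -s 0 keeps whole
# packets, -n avoids DNS lookups that would themselves generate traffic,
# -C 100 -W 50 rotates 100 MB files so a long engagement stays manageable.
# Needs root and tcpdump; not exercised by the tests.
start_capture() {
    mkdir -p "$EVIDENCE_DIR"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    tcpdump -i "$IFACE" -s 0 -n -C 100 -W 50 \
        -w "$EVIDENCE_DIR/client-$stamp.pcap" "net $CLIENT_NET"
}

# Seal one capture file: append UTC time, hash, size and name to a manifest.
# Echoes the manifest line so the caller can record it elsewhere too.
seal_capture() {
    f="$1"
    manifest="${2:-$EVIDENCE_DIR/MANIFEST}"
    [ -f "$f" ] || { echo "no such capture: $f" >&2; return 1; }
    mkdir -p "$(dirname "$manifest")"
    h=$(sha256_of "$f")
    sz=$(wc -c < "$f" | tr -d ' ')
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) sha256=$h bytes=$sz file=$(basename "$f")"
    echo "$line" >> "$manifest"
    echo "$line"
}

# Re-hash every file listed in a manifest; non-zero exit if any differ.
# Files are expected next to the manifest (as seal_capture writes them).
verify_manifest() {
    manifest="$1"
    dir="$(dirname "$manifest")"
    rc=0
    while read -r _ts hash _bytes file; do
        name="${file#file=}"
        want="${hash#sha256=}"
        got=$(sha256_of "$dir/$name")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $name" >&2
            rc=1
        fi
    done < "$manifest"
    return $rc
}

case "${1:-}" in
    capture) start_capture ;;
    seal)    seal_capture "$2" ;;
    verify)  verify_manifest "$2" ;;
esac
```

Usage: `./evidence.sh capture` during the test window, `./evidence.sh seal evidence/client-<stamp>.pcap` for each rotated file afterwards, and `./evidence.sh verify evidence/MANIFEST` before the tape goes in the safe and again before it is destroyed. Keep a copy of the manifest line (not the capture) with the client's contact as well; a hash the client held from day one is far more persuasive than one you produce when a dispute arises.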
Current thread:
- [PEN-TEST] Lots of questions...my first paid pen-test. Shaun Dewberry (Dec 05)
- Re: [PEN-TEST] Lots of questions...my first paid pen-test. Iván Arce (Dec 05)
- <Possible follow-ups>
- Re: [PEN-TEST] Lots of questions...my first paid pen-test. Chris Tobkin (Dec 05)
- Re: [PEN-TEST] Lots of questions...my first paid pen-test. Carskadden, Rush (Dec 06)