Penetration Testing mailing list archives
Re: [PEN-TEST] Penetration X Auditing Teste & other misteries
From: "St. Clair, James" <JStClair () VREDENBURG COM>
Date: Fri, 6 Oct 2000 10:03:50 -0700
Personally, I would set the time and date of the test. If they run around and spend the night installing patches, then they end up doing their job anyway. A pen test is not a game to embarrass your client or impress them with your hacking skills - either they have properly administered security or they haven't, and you are there to assist them in fixing it.

James St. Clair

-----Original Message-----
From: Mark Teicher [mailto:mark.teicher () NETWORKICE COM]
Sent: Friday, October 06, 2000 9:51 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Penetration X Auditing Teste & other misteries

This is a very good point, since an adversarial pen test can create a very different dynamic with the customer than coming in as a consultant to work on a particular project. Use some made up project name, set up a tap and start your penetration testing. Remember the whole goal of penetration assessment is to gather information and provide helpful information to the organization you have been engaged by to help them get healthy not sick.. :)

/mark

At 05:03 PM 8/25/00 -0400, Christopher M. Bergeron wrote:
I can still guarantee that 'agreed' test will be much more productive than the 'stealth' one.

Vanja Hrustic

Is it possible that if the Net admins 'know' you'll be trying to get, they may try even harder to make it difficult for you? I.e. they go out of their way to apply the last 42 patches that they've been neglecting before you can find something... and thus produce an "inaccurate" portrait of the network. Had the admins not been aware of the test, the network would have been left in a "truer" state. A state more like what a potential black-hat would find in a real world scenario. Or do you consider this a "special case" and not typical?