Penetration Testing mailing list archives
RE: Limited vs full blown testing
From: "Markowsky, Tyler" <tmarkowsky () seccuris com>
Date: Fri, 25 Jun 2004 10:03:45 -0500
I agree with Martin: the object of the analysis is to determine weaknesses within the environment. However, it is feasible to avoid 'destructive' scanning with appropriate preliminary network analysis in concert with predefined procedures and expectations. **I encourage you to spend a significant amount of time defining these with the client.**

Regards,
Tyler Markowsky
Principal Economist
Seccuris
http://www.seccuris.com

-----Original Message-----
From: Martin Mačok [mailto:martin.macok () underground cz]
Sent: Thursday, June 24, 2004 4:02 PM
To: pen-test () securityfocus com
Subject: Re: Limited vs full blown testing

On Wed, Jun 23, 2004 at 09:27:58AM -0700, Toby Barrick wrote:

> During my many years of pen testing one common thread when dealing with customers has been the request to not perform any destructive or DOS type testing.

Tell them that the purpose of the test is *to test* (i.e. to try something) and the only thing you can do to not break anything is to not try anything at all. Maybe they want an audit instead of a pen-test and they just don't know the terms and the meanings. If they are so scared, negotiate the exact time of potentially destructive/aggressive tests. Use Nessus with "safe checks" turned on for "polite" scans... You can also disable all "DoS" family plugins in Nessus.

Martin Mačok
IT Security Consultant