Penetration Testing mailing list archives
RE: Email Pen-testing
From: "Reava, Jeffrey" <jeffrey.reava () pfizer com>
Date: Sun, 21 Mar 2004 23:32:41 -0500
"Doing a pen-test...A friend of mine suggested [sending] a backdoor trojan attachment via an email. If they clicked on it, the backdoor performs [miscellaneous evil things] ... I think this type of testing is becoming more relevant nowadays, especially with whats out there..."
Absolutely more relevant. Why would an attacker do any more work than they have to in order to get what they want? Every organization with assets worth protecting should fully expect that they're going to get Googled, their staff and operations profiled, and their end users attacked directly. It happened to Valve Software last September, rather spectacularly: http://mac.ign.com/articles/453/453038p1.html?fromint=1

"I spoke with a previous customer of mine about the idea. He said he would be very upset if he was not told prior to that type of test as part of normal pen-testing...Generally speaking, my code of ethics doesn't allow me to social engineer. I don't like lying and misleading people. Also people tend to hate you after they've been punk'd."
With the IE and Outlook holes, it may not even be necessary to socially engineer anyone. You'd just need a small number of "high value" targets to send messages to.

"What are your ideas on email pen-testing?"
Even if it puts the success of your efforts at risk, I think you need to get permission to go this road. You can still mine for information without lying, but walking that line will take some serious effort. Check out http://www.csoonline.com/read/050103/snooping.html

If you make people feel stupid, they'll definitely hate you. But if you approach it within some reasonable bounds and they give you small pieces that individually appear innocent and yet make your technical attack much more focused and effective, your client will benefit by recognizing the problem, because the gap in their policies and practices will be painfully evident.

Jeff