Penetration Testing mailing list archives
Re: Penetration testing scope/outline
From: robert () dyadsecurity com
Date: Wed, 6 Oct 2004 07:13:36 -0700
Anders Thulin(Anders.Thulin () tietoenator com)@Wed, Oct 06, 2004 at 08:34:44AM +0200:
The book "Hack I.T." by Klevinsky, Laliberte and Gupta (Addison-Wesley, 2002) is the best place I know to start. It does not give the latest hacks, but it will give you a good overview of the job, both as to contents, and as to administration. For some of the tricks of the trade, try the "Hacking Exposed" series of books (Osborne/McGraw-Hill) except perhaps the J2EE & Java volume. Chris McNab's 'Network Security Assessment' (O'Reilly, 2004) is also useful.
Not to start a pissing contest, but after reading those books thoroughly, I now feel more stupid for the time wasted. The "Exposed" series is some of the worst fluff in the industry. so1o is also known for having his own systems compromised by 31337 hax0rs and his own share of site defacement. A good lead to follow for sure :). In the book "The art of Exploitation", by Jon Erickson, Jon actually does a decent job in explaining what is happening during the exploit. Understanding what you're doing is more important than knowing how to run tools. Those other books are too much "Hey, I'm a systems admin and I need to learn how to run some tools, and I have no desire to actually know what I'm doing.".
I don't know of any good online material. The OSSTMM is not a pen-test method, though you may be able to get useful ideas from it once you know what you are looking for.
The OSSTMM is a fact based security validation test. The OSSTMM framework provides for consistent, repeatable, methodical, quantifiable results. It also provides a more meaningful and less subjective language for describing the results from the test. Our industry will do well to realize that penetration is no longer the goal :). Breaking in is the easy part. Robert -- Robert E. Lee CTO, Dyad Security, Inc. W - http://www.dyadsecurity.com E - robert () dyadsecurity com M - (949) 394-2033 ------------------------------------------------------------------------------ Internet Security Systems. - Keeping You Ahead of the Threat When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology. http://www.securityfocus.com/sponsor/ISS_pen-test_041001 -------------------------------------------------------------------------------
Current thread:
- Penetration testing scope/outline Billy Dodson (Oct 05)
- Re: Penetration testing scope/outline Jose Maria Lopez (Oct 05)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 05)
- Re: Penetration testing scope/outline josh (Oct 05)
- Re: Penetration testing scope/outline Nathan Sportsman (Oct 05)
- Re: Penetration testing scope/outline JM (Oct 05)
- Re: Penetration testing scope/outline Anders Thulin (Oct 06)
- Re: Penetration testing scope/outline robert (Oct 08)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 08)
- Re: Penetration testing scope/outline Anders Thulin (Oct 08)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 08)
- RE: Penetration testing scope/outline Tate Hansen (Oct 08)