![pen-test logo](/images/pen-test-logo.png)
Penetration Testing mailing list archives
RE: Penetration testing scope/outline
From: "Chuck Fullerton" <chuckf69 () ceinetworks com>
Date: Thu, 7 Oct 2004 10:43:46 -0400
The original question was "Anyone have any documents they are willing to share on the scope of work for a pen-test?" When we get these questions each of us must take into account certain assumptions. I personally like to give the benefit of the doubt. If the person doesn't come right out and say they are new to Security, then I assume that they have an idea of what they are doing and just need a little help. The main reason why I don't like posting questions on groups like these is because many people like to "show their knowledge" and write books on these groups. It is very important that we, as posters to the group, read the entire question and answer the question at hand, not write entire security classes for people who may not need the info. Ok.. Off my soap box.. You started off by asking if I was talking about 3.0. That I was. Anyone who is serious about any type of security testing should be getting as much information as possible about these methodologies. Even if we have to fork out some cash to get the latest and greatest. No not do so is amatuerish. Sincerely, Chuck Fullerton -----Original Message----- From: Anders Thulin [mailto:Anders.Thulin () tietoenator com] Sent: Thursday, October 07, 2004 3:17 AM To: pen-test () securityfocus com Cc: Chuck Fullerton Subject: Re: Penetration testing scope/outline Chuck Fullerton wrote:
The OSSTMM stands for the "Open Source Security TESTING Methodology
Manual".
To say that it's not a pen testing method is simply incorrect. This is a Full methodology for ALL TYPES of Security Testing, Pen testing is a type
of
Security Testing.
I have no quarrel with your last statement, but I am not at all certain that the OSSTMM agrees. (Now, I'm looking only at the 2.1 version, as that is what is available -- you may be arguing from the soon-to-come 3.0 version which hasn't been generally released yet.) The simplest way to check it is probably just to look to what extent the text refers to penetration testing, and how the basic methodology is modified (or not) to that particular type of test. The foreword seems reasonably clear that methodical security testing is different, and presumably also preferrable to penetration testing. So the document makes a distinction, and one that implies that penetration testing lacks in method. Q: Is this the kind of document I would hand to someone asking about penetration testing? No. Perhaps the tenth, but not the first. Apart from the foreword, penetration testing is mentioned only rarely. This may be becuase the text distinguishes 'penetration testing' and 'ethical hacking', but on the other hand, ethical hacking is not treated in any greater detail, either. So how *does* this text apply to pen-testing? It doesn't say. I had expected a section somewhere explaining how the basic methodology could be modified for various testing scenarios. Q: What will someone asking for information about pen-testing in particular get out of this document? As far as I can make out, only that it's not the right question. (And that is correct, in one context: that of the experienced tester.) So what does it say? Section C (Internet Technology Security) is the chapter that most pen-testers would turn to first. It begins on page 42, and already on page 44 I'm flabbergasted. (For those of you who don't have the manual handy, that page says INCOMPLETE in 72 point capitals. There's no explanation of if it is importantly incomplete or not. Just incomplete. And this is not the only place where the text makes this statement. Q. Why point anyone to a document that clearly isn't complete? Assuming it's not importantly incomplete (even though I can't test that assumption) ... Module 3 in the same section is fairly important, as it describes the footprinting and port scanning of a target. Unfortunately, it does not explain the motivation for doing all this. Why do a XMAS scan, with fragmented packets, in reverse? And how useful is that? The manual explicitly leaves all analysis of collected informstion to the tester, so perhaps I'm asking for something outside the scope of the text. But then that, again, may be an indication that this text is not for the beginner. Q. When I ask a OSSTMM tester what he's doing this particular type of scan should he be able to reply cogently? Or will he just say, "I'm doing Item 11 in Module 3 in Section C. Well, I just got to." Experienced testers can rely on their experience to understand what use and utility a particular module is. But they already know about pen-testing. And apropos Item 11 in Module 3 in Section C -- it says I should refer to Appendix B for the ports to be scanned in this manner. Q. Appendix B? Where is that? Not in this document. Q. The document was issued more than a year ago. Has really noone noted that appendix B is missing or, alternatively, that an important reference in the text is bad? If they have, why is the problem allowed to remain? These last points don't have much to do with penetration testing, but I think they help explain why I don't think this document is useful for anyone except a fairly experienced tester. I look forward to the coming version 3.0 -- I trust it has fixed much of what is unclear or incomplete about the 2.1 edition. Over and out, -- Anders Thulin anders.thulin () tietoenator com 040-661 50 63 TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö ------------------------------------------------------------------------------ Internet Security Systems. - Keeping You Ahead of the Threat When business losses are measured in seconds, Internet threats must be stopped before they impact your network. To learn how Internet Security Systems keeps organizations ahead of the threat with preemptive intrusion prevention, download the new whitepaper, Defining the Rules of Preemptive Protection, and end your reliance on reactive security technology. http://www.securityfocus.com/sponsor/ISS_pen-test_041001 -------------------------------------------------------------------------------
Current thread:
- Penetration testing scope/outline Billy Dodson (Oct 05)
- Re: Penetration testing scope/outline Jose Maria Lopez (Oct 05)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 05)
- Re: Penetration testing scope/outline josh (Oct 05)
- Re: Penetration testing scope/outline Nathan Sportsman (Oct 05)
- Re: Penetration testing scope/outline JM (Oct 05)
- Re: Penetration testing scope/outline Anders Thulin (Oct 06)
- Re: Penetration testing scope/outline robert (Oct 08)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 08)
- Re: Penetration testing scope/outline Anders Thulin (Oct 08)
- RE: Penetration testing scope/outline Chuck Fullerton (Oct 08)
- RE: Penetration testing scope/outline Tate Hansen (Oct 08)