Penetration Testing mailing list archives
RE: Pen Test Basic Needs
From: "Stephane Auger" <sauger () pre2post com>
Date: Fri, 15 Jul 2005 09:43:21 -0400
No offence taken :) I know I'm still a beginner, which is why I'm doing research. The "pen-test" I'm talking about is more a practice then anything else. In this case, the "client" is a friend of mine. So no, I'm not selling these services professionally, and don't intend to for a while. Sorry if I was misleading, but I really am just looking for a place to start. I totally agree with what you're saying, which is why I'm trying to figure out the basics so I don't do anything stupid when I really have to do one... Thanks to everyone who gave me their input, I appreciate it. Stephane -----Original Message----- From: Security Professional [mailto:redteamer () gmail com] Sent: July 15, 2005 7:02 AM To: Stephane Auger; pen-test () securityfocus com Subject: Re: Pen Test Basic Needs Steph, Judging by the types of questions you have asked, I would be willing to bet that you haven't actually performed a penetration test "professionally" before. No worries, everyone has their first time ;) Anyway, as I was saying, my guess is that you don't have a lot of experience in this area. Just an honest assessment. The problem you run into is, did you tell the company that is having you do this that you have never done one before? One common mistake I have seen is that people get this bug to start doing pen-tests and try to make money the first few times they do one. What should be happening is that you actually learn the things you are asking first, then decide to do this professionally as a service once you get some experience. Don't put the cart before the horse here. Also, you state that you are well aware of the legal ramifications. But honestly speaking...Are you? Have you consulted a lawyer and had them explain everything to you? If so, why didn't they draft a contract up for you? A contract ultimately comes down to what you want to do in your test and what you do / do not want to be liable for. You state in one of your questions that you would use Snort in a pen-test. You ask about hwere one would "start". You ask about what type of information you would begin with. All of these questions are things that, as a "pen tester", you should already know. If you don't know them, you shouldn't be doing assessments on networks where you have to worry about legal ramifications. Quite honestly, I hope that the company you are referring to is reading this list and realizes they aren't getting what was probably pitched to them. Please do us all a favor and actually learn how to do these types of things before you decide to do one as a service to a company. P.S. - In no way is this e-mail intended to be hurtful or insinuate that you don't know anything. I am just stating my opinion on what I think is going on here and calling you on it. It is people like what I have described above, that give this profession a bad name.
Current thread:
- Pen Test Basic Needs Stephane Auger (Jul 14)
- Re: Pen Test Basic Needs Kyle Maxwell (Jul 15)
- <Possible follow-ups>
- RE: Pen Test Basic Needs Stephane Auger (Jul 15)
- Re: Pen Test Basic Needs Security Professional (Jul 15)
- RE: Pen Test Basic Needs Stephane Auger (Jul 15)
- Re: Pen Test Basic Needs Saint Anthony (Jul 16)