Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Generating awareness amongst IT staff

From: Jerome Athias <jerome.athias () free fr>
Date: Sat, 02 Dec 2006 09:14:32 +0100
It makes quite sense, but it won't allways be applicable
Imagine that you have to pentest an iSeries (AS400): it will be difficult to find one on eBay to launch a test at home :-) and difficult to be sure you have exactly the same version of client access and the same PTFs (the same for reproducing a twin of every server)...
In the other corner, i think that it's true that many customers will ask you to don't use agressive tools to don't disturb the productivity: it just introduces the difference between passive and agressive tools and techniques...
btw Metasploit could just be used to create a file on a target (a common technique to show that a system is ownable without disturb it)... 

My 3 cents...
/JA

bulgaro76 () yahoo it a écrit :

I think that the usage of tools like Metasploit might be dangerous for the business continuity. It's very important to let the staff 
know which are the side effects of this kind of tests and so it's necessary to find a test server. Try to imagine if you use a tool 
like Ettercap and the side effect is that employees can't access AS/400 systems because of the network traffic... i think this 
wouldn't make the staff so happy to hire you services.


For my two cents...

Alessandro


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: