Penetration Testing mailing list archives
RE: Penetration test of 1 IP address
From: Erin Carroll <amoeba () amoebazone com>
Date: Thu, 9 Feb 2006 12:29:13 -0500 (EST)
T0aD,

A couple notes below.

On Thu, 9 Feb 2006, T0aD wrote:
> Hello all,
>
> Really I'm a bit surprised to see you guys taking into consideration such questions. I mean, I'm not ok against beginners' questions, that's not the point, there is no guru nor beginners, we are here with different experiences and levels of knowledge (maybe I'm a better cook than aleph one!), but sometimes we have to understand what we're doing when giving away some information to some people.
I see your point but I respectfully disagree with it. Knowledge and facts just "are". They have no morality or bias. How such information is utilized is where it gets fuzzy. Are some people going to use the knowledge shared on this and similar lists for nefarious purposes? Probably. But I believe a far larger majority of people will use this knowledge for Good<tm> and not Evil<tm>.... and I'm dangerously close to venturing into territory against the list charter (morality of pen-testing) so I'll leave it at that.
> Here we have some guy, working for some company, having a customer's problem to resolve, that's to say to provide a pentest of an IP address. That is fine. The problem being: where is the precise question? Should we help him to 'automate' some pentest? Should we teach him how to actually do his job? What kind of company is giving its customers such a poor service like assigning an employee with no clue how a pentest could be done?
I've spoken with the original submitter in private email and this appears to be a case where he has been asked to perform something outside his normal area of expertise but wants to learn. The client is a law firm (as other posters postulated based on the usage of Weblaze) and is attempting to harden a system before bringing it fully into production. Edmond mentioned that the client would be amenable to opening the pen-testing up to the list at-large and writing up some sort of legal cover for people but I think that would be a bad idea. This list gets archived and sent all over the place and the legal implications are...messy.

I get the impression that he (and the client and client's network engineer) would welcome an opportunity to see how things are done and git some learnin'. If you are interested in helping him out please contact him directly and off-list.

-Erin Carroll
Moderator
SecurityFocus pen-test mailing list