Penetration Testing mailing list archives
RE: Re: pentest documentation
From: "William Woodhams" <William.Woodhams () wegmans com>
Date: Tue, 3 Oct 2006 08:04:37 -0400
Also with this type of documentation make sure that the client has given you specific permission to log all of this to CD etc. If the documentation is highly classified then you must make sure anything like this is allowed by your client and in writing.

Bill Woodhams
Systems Technician
Development Group-Technical Systems
(585)429-3183
William.Woodhams () wegmans com

Newcastle United signs Michael Owen...Enough Said!

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of krymson () gmail com
Sent: Monday, October 02, 2006 3:32 PM
To: pen-test () securityfocus com
Subject: Re: Re: pentest documentation

For Windows, Camtasia is an excellent screen-recorder if you want to go that route. If you're doing some hands-on things like taps or images or something that can't be put into a virtual machine (and screen-capped by the host machine) you could use a digital video recorder if your engagement either requires this level of documentation or allows you to do so.

I guess physical security tests may be better documented with digital cameras, although I dunno if I've ever seen that myself (physical pen-tests I don't see very often or hear much about other than theoretical reviews of a site).

Other means that go beyond just providing a report:

- putting any confiscated material ("look what I found on this developer's machine, source code and client data databases!") on a cd or USB device and then hash it and label appropriately.

- capture the packet output of any scans or actual attacks that you do and hash them. Try your best to get times as close as possible, in case they want to correlate IDS entries with your scans/attacks, or a system went down during the scan and they need to determine that you were the cause.

- capture the output of any scanning tools you use. Things like Nessus and nmap will have output files and reports. Even though you likely recreate the reports in a more meaningful format for the client, turning over the raw data itself is also good practice.

Be aware that you may be capturing sensitive information this way, so protect any captures you take with you for your own review and be sensitive to what the client is going to be wanting you to provide to them.

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
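The hashing and labelling of captures and scanner output that krymson recommends, as an added example that is not from the thread: a Python evidence manifest that records each artifact's SHA-256, size and UTC modification time, plus a check that reports any artifact later missing or altered. The engagement label, file names and artifact contents below are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large pcaps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(directory, engagement, collected_by):
    """Record name, size, SHA-256 and UTC mtime of every artifact in the directory."""
    files = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.stat(path)
        files.append({"file": name, "bytes": st.st_size, "sha256": sha256_file(path),
                      "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()})
    return {"engagement": engagement, "collected_by": collected_by,
            "created_utc": datetime.now(timezone.utc).isoformat(), "files": files}

def verify_manifest(manifest, directory):
    """Return (file, problem) pairs for artifacts that are missing or whose hash changed."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(directory, entry["file"])
        if not os.path.exists(path):
            problems.append((entry["file"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["file"], "hash mismatch"))
    return problems

def demo():
    """Constructed artifacts: verification passes, then fails after a capture is altered."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "nmap-scan.xml"), "w") as f:
            f.write("<nmaprun scanner='nmap'/>\n")           # constructed scanner output
        with open(os.path.join(d, "scan.pcap"), "wb") as f:
            f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)       # constructed pcap header only
        manifest = build_manifest(d, "EXAMPLE-ENGAGEMENT", "tester")   # placeholder label
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)                  # ship this with the CD/USB
        clean = verify_manifest(manifest, d)
        with open(os.path.join(d, "scan.pcap"), "ab") as f:
            f.write(b"\x01")                                  # simulate later tampering
        return clean, verify_manifest(manifest, d)
```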
Current thread:
- Re: pentest documentation, (continued)
- Re: pentest documentation Jason Ross (Oct 02)
- Re: pentest documentation Jürgen R. Plasser (Oct 03)
- Re: pentest documentation Andrew Hay (Oct 02)
- Re: pentest documentation espen (Oct 02)
- Re: pentest documentation Gareth Davies (Oct 02)
- Re: pentest documentation Sol Invictus (Oct 02)
- Re: pentest documentation Tonnerre Lombard (Oct 03)
- RE: pentest documentation Jason M Frey (Oct 03)
- Re: Re: pentest documentation krymson (Oct 02)
- Re: pentest documentation David Ball (Oct 03)
- RE: Re: pentest documentation William Woodhams (Oct 03)
- Re: pentest documentation Ben Anderson (Oct 03)