Penetration Testing mailing list archives
Collection of problems in production systems while pen-testing - "Butterfly effect"
From: "Adriano Leite (DHL CZ)" <Adriano.Dias.Leite () dhl com>
Date: Tue, 27 May 2008 10:10:13 +0200
Gents,

Since I haven't seen anything like that before, I would like to open a discussion on what problems you have caused in production environments while performing pen-testing.

From the e-mail our colleague Brahnda sent a few days ago, I see that small unpredictable situations might arise even when we think everything is under control. :)

It would be nice to hear your "issues"; maybe we can use the mail thread as a checklist in the future to not cause any chain (Butterfly effect) problems when performing pen tests.

Below I list some unexpected situations that my colleagues and I witnessed throughout our careers, when being pen/stress-tested by third parties:

- Scanning of web applications with automated tools: Some pages can contain forms for e-mail submittal. If an SQL injection brute-force attack is performed on such a page, you can either clog a vital business mailbox with trash, or cause a DoS if the SMTP relay crashes.

- Port scanning of production servers: Some IP stacks are not able to handle even "simple" port scans. Services can hang (RPC in our case). Issues are known with AS/400, HP-UX and Solaris OS.

- Stress-testing using Windows XP: I once got a report from a Microsoft Certified Partner that our e-commerce website couldn't handle more than 100 connections simultaneously. After sending developers, network architects and security specialists to verify what was happening, it was found that the operating system used for the scan was Windows XP, which couldn't handle more than 10 connections at once... and yes, the guy was MCSE... :)

It is always good to share experiences, even the bad ones :)

Adriano