Penetration Testing mailing list archives
Re: Pen Testing
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Wed, 22 Oct 2008 13:35:42 -0400
Patrick,

Go download BackTrack 3; GFI comes with it and you can do that test yourself. No reason to pay anyone from the outside to do it.
On Oct 22, 2008, at 11:24 AM, Patrick Fitzgerald wrote:
Thank you to everyone for the insight. It's a long story on this company coming in, and it was not one that we selected from the IT Dept, more like a friend of a friend doing a favor. They've said they'll be using GFI LANguard, which explains the admin rights on the domain. I tested the package and did not care for it, as the results from the scans I did were completely inaccurate, stating services were running on machines that actually did not have them installed. At this point it does not appear they'll be testing externally.

On Wed, Oct 22, 2008 at 8:06 AM, Kartikeya Puri <puri.kartikeya () gmail com> wrote:

Well, looking around on their site does not give a good impression, that is assuming that http://www.sklartechnology.com/consulting_team.html is their site. The skillsets they have listed there do not seem like skillsets for a "pen testing company". If all you are looking for is a report from Nessus and other automated tools then maybe yes... but in my experience such companies rarely add any value... but I may be wrong...

A security company looking for domain admin is quite common, as it enables them to check the Windows environment for patches, configurations, etc., but it will not help in the following cases:

Databases: MSSQL may give some info and possibly allow them to log on with domain admin if it is configured so. Oracle, DB2, Sybase, etc. will not be assessed with domain admin.
Application servers: Apache/Tomcat, WebSphere, etc. will not be assessed. Applications running on these servers will not be assessed. Network devices will not be assessed. The list can go on...

We used to ask our clients for domain admin for the last part of the audit, after we had already assessed everything else as a normal user or outsider. After getting the admin we used to just run MBSA/Nessus to provide patch level/shares etc. Hope I was helpful...
Cheers, K

On Mon, Oct 20, 2008 at 7:33 PM, Patrick Fitzgerald <servicepointtest () gmail com> wrote:

Does anyone know of a pen testing company named Sklar Technology Partners, whether it be positive or negative? What should we be looking for in a security company? Is it common that a security company would need rights such as domain admin rights to perform an audit on the network? Any resources that you could suggest would be helpful. Thank you.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve! Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
Adriel T. Desautels
ad_lists () netragard com