Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: Oliver Schad <oliver.schad () oschad de>
Date: Thu, 15 Jan 2009 08:42:06 +0100
On Tuesday, 13 January 2009, Pete Herzog wrote to me:
> I think you don't have any problems except if you performed actions outside the statement of work, the contract, or the scope or live in France. As I can see it:
>
> 1. By penetrating in you were able to see more of the infrastructure and make a better analysis of what is there and what its limitations are so you did a good thing. Not to mention by saving time with that you had time to be much more thorough, test from various vectors, and give a real value for the test.
I don't understand something: Why should you test a blackbox, why shouldn't you get all information except user accounts? You don't know the knowledge of all attackers around the world about this specific network. You should assume, there is somebody who knows everything, should you?

I mean, why should I choose as a tester a role of an attacker who knows nothing about the network if there is somebody in this world who could attack this network with all knowledge he needs?

Regards
Oli