Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Thu, 15 Jan 2009 16:39:06 +0000
Oliver Schad wrote:
> I mean, why should I choose as a tester a role of an attacker who knows nothing about the network if there is somebody in this world who could attack this network with all knowledge he needs?
Normally the framing of the attack model is part of the negotiation - you can start out by assuming the attacker will have a full network topology and all admin/root passwords, but you will probably find the network isn't really that secure, and the report will probably get slammed as being "unrealistic". However, equally, you can't start out by assuming an attacker will know nothing - if an attacker could reasonably know something (a valid user/pass pair on the LAN, for example), that needs to be set out in the contract before the pentest starts.

Usually though, unless you need a nudge, you are better off approaching the job as a fearless but skilled team of attackers would - if you are onsite with a visitor badge, keep your eyes open for user account details (Post-it on the screen for temps to use?) and those are fair game; if they use Cisco VPNs, see if they will give you a pcf file for one (write this up as the "lost laptop" scenario if you must). If they use Vasco tokens, try and guess the admin password, and so forth. There is no reason to approach the testing as a featureless black box, but you must also, when documenting your starting conditions, justify how a "real" hacker would get that information; remembering of course that a disgruntled current employee is as likely (and often more likely) a candidate for attacker as any other.