Security Basics mailing list archives

Re: External Pen Test / Manual Exploitation


From: "Ian Kelly" <e2chameleon () btopenworld com>
Date: Mon, 22 Sep 2003 20:41:03 +0100

Hi,

I am also reviewing proposals for pen testing services (external testing,
internal testing, laptop theft exploitation and social engineering). I asked
5 vendors to quote and 3 of them offered the ability to exploit
vulnerabilities found during external testing. I have been told that to
define exactly how vulnerable you are to certain vulnerabilities (couldn't
think of a better word to use there) some testing organisations like to try
and exploit them. This is in an effort to further reduce false positives by
crafting attacks particular to your network configuration (based on
information discovered during earlier parts of the test). I believe that the
testing exploits I was offered were not meant to cause any damage but I
still stated that I wouldn't be requiring them (or the denial of service
attacks) to be carried out on our live network. I suppose it is up to the
individual company whether you wish to allow the exploitation to take
place and take the risks that they might cause damage to your network or
data (whether the testing organisation accepts responsibility for damage or
not) but it does appear to be a normal option in the UK at least.


Ian Kelly,
e2chameleon Information Security Resource.

http://www.e2chameleon.btinternet.co.uk



----- Original Message ----- 
From: "Jason Burzenski" <jburzenski () americanhm com>
To: <security-basics () securityfocus com>
Sent: Monday, September 22, 2003 2:35 PM
Subject: External Pen Test / Manual Exploitation


I am in the process of reviewing a proposal for external penetration testing
from a vendor. One of the phases of the pen test includes a manual
exploitation of vulnerabilities discovered using automated scans. The text
makes mention of specially crafted commands or code and the use of modified
open source tools.

Is this a normal part of an external penetration test? According to the
break down of phases, they will use automated tools, then verify the results
using manual means to reduce false positives. Why the need for additional
manual exploitation? This seems to pose unnecessary risk to my network
services.

Jason Burzenski





