Security Basics mailing list archives
Re: External Pen Test / Manual Exploitation
From: "Ian Kelly" <e2chameleon () btopenworld com>
Date: Mon, 22 Sep 2003 20:41:03 +0100
Hi,

I am also reviewing proposals for pen testing services (external testing, internal testing, laptop theft exploitation and social engineering). I asked 5 vendors to quote and 3 of them offered the ability to exploit vulnerabilities found during external testing.

I have been told that to define exactly how vulnerable you are to certain vulnerabilities (couldn't think of a better word to use there) some testing organisations like to try and exploit them. This is in an effort to further reduce false positives by crafting attacks particular to your network configuration (based on information discovered during earlier parts of test).

I believe that the testing exploits I was offered were not meant to cause any damage but I still stated that I wouldn't be requiring them (or the denial of service attacks) to be carried out on our live network.

I suppose it is up to the individual company whether you wish to allow the exploitation to take place and take the risks that they might cause damage to your network or data (whether the testing organisation accepts responsibility for damage or not) but it does appear to be a normal option in the UK at least.

Ian Kelly,
e2chameleon Information Security Resource.
http://www.e2chameleon.btinternet.co.uk

----- Original Message -----
From: "Jason Burzenski" <jburzenski () americanhm com>
To: <security-basics () securityfocus com>
Sent: Monday, September 22, 2003 2:35 PM
Subject: External Pen Test / Manual Exploitation
I am in the process of reviewing a proposal for external penetration testing from a vendor. One of the phases of the pen test includes a manual exploitation of vulnerabilities discovered using automated scans. The text makes mention of specially crafted commands or code and the use of modified open source tools.

Is this a normal part of an external penetration test? According to the break down of phases, they will use automated tools, then verify the results using manual means to reduce false positives. Why the need for additional manual exploitation? This seems to pose unnecessary risk to my network services.

Jason Burzenski
Current thread:
- External Pen Test / Manual Exploitation Jason Burzenski (Sep 22)
- Re: External Pen Test / Manual Exploitation Ian Kelly (Sep 22)
- Re: External Pen Test / Manual Exploitation James Fields (Sep 22)
- Re: External Pen Test / Manual Exploitation port530 (Sep 23)
- <Possible follow-ups>
- Re: External Pen Test / Manual Exploitation Muhammad Faisal Rauf Danka (Sep 23)