Penetration Testing mailing list archives

Re: [PEN-TEST] 2 quick questions


From: M Schubert <schubert () fsck org>
Date: Fri, 15 Dec 2000 15:46:50 -0800

Potentially, if the router logs traffic or you can put the router in
promisc mode and use something like tcpdump (can't IOS do this?) you
could glean some useful information obviously. Note however, I'd feel
it to be important to show a client that their routers are vulnerable.
Those are the gateways to the flow of information and if you're an
ecommerce provider and some pissed off guy who was sent the wrong
pokemon action figure can get into your router and muck with it,
you're losing sales.

First is I was curious about routers:  If a network has a router (a
hardware one, not a computer running Linux or NT).  Is there anything
to be gained from breaking into the router through one of the remote
administration points?  Is this thus a fruitless exercise or is there
something to show the customer or gain yourself if you are auditing
your network's security?

It is all about the realm of ethics. Mass mailing a trojan to prove
your point is hardly ethical and quite frankly, if that's what it takes
to convince your client that they've got a security problem... well
find clients with more intelligence. Social engineering is about making
your client's employees _aware_, wreaking havoc to make your point
isn't a good way for repeat business or happy customers.

Second I was curious about social engineering.  Is this considered
"fair play?"  Is it discussed in advance?  If you're allowed to do it
how far do you take it?  Do you take it to the point where you do a mass
mailing of BO or Sub 7 to show the owners of the network how
vulnerable they are to this flaw (because isn't social engineering
kind of a flaw even though it is a human one?)  Or do you just stop
with tricking them into revealing user names and passwords?

--
-- M. Schubert          - mschuber () uci edu
-- Security Specialist - michaels () lightspeedsystems com
-- Sys Admin            - schubert () fsck org

