Penetration Testing mailing list archives
Re: [PEN-TEST] Lots of questions...my first paid pen-test.
From: Iván Arce <core.lists.pentest () CORE-SDI COM>
Date: Mon, 4 Dec 2000 20:34:56 -0300
Hi Shaun, I'll try to address your questions with the information you provided...

----- Original Message -----
From: "Shaun Dewberry" <shaun () AXSYS CO ZA>
Newsgroups: core.lists.pentest
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Monday, December 04, 2000 7:13 PM
Subject: [PEN-TEST] Lots of questions...my first paid pen-test.

Hi, Maybe this post should be broken into separate threads. I leave that to the moderator and others to decide. I'm due to perform a pen-test early January for a rather large company. Just have a couple of questions as this will be my first official pen-test.

1) What is the usual team size used when performing a pen-test?
Well, that depends completely on the size of the infrastructure to test (i.e. a class B net, a class C, just a few boxes, etc.), the distributed nature of it (i.e. just one corporate net, several branches, colocated sites, etc.), the time requirements of the customer (is there a deadline for the test, are there other dates that affect the pentest, etc.) and finally the depth of the test (is it just an external test aimed at common Net and OS vulns? does it include an internal attacker scenario? does it include an application-specific test? source code review? etc.). Depending on the above factors we generally go with between 2 and 5 persons. The only rule I apply here is: never do a pen test with just one person, no matter how small and/or easy the job seems to be. As with software development, cryptanalysis and source code review, in a pen test peer review is a must. What one person misses the others will find, and that will increase the overall quality of the job. And... it will also help develop a teamwork culture in your pen testing company :)
2) Do you prefer to test from a fixed or dynamic IP?
Fixed. It helps them keep track of what you are doing and identify possible attacks that are not part of the pentest; it also helps them limit access (when required) to their IT from just one IP...
3) What sort of logging of activities takes place? How in depth should the logs be and does anyone have references or examples of pen-test logs? Are any specific tools (i.e. keystroke monitors) used during the test?

We generally log the complete sessions of each member of the team. This is useful for the reporting stage, so you can go back and review the logs in order to clarify doubts while writing reports. So far we have not been asked to provide complete logs of the team's work, and although I see no real value in providing them, that could be a customer's requirement. We use publicly available tools for this (syslog output, general daemon logs, script(1), etc.).
4) Do you usually have a third-party/company representative present during the testing process? (i.e. for auditing purposes)

No. And you don't want them either. The customer has to start the project with a mindset that implies a trust relationship with you; if they need someone else to audit you in order to start trusting you, there was something wrong in the pre-sale/sale stage of the pentest. There are other ways to provide the customer with coverage that will lower their risk and increase their trust, like NDAs, professional liability insurance and other sorts of legalese. If having a third party auditing your work is a MUST, I would require a very precise definition of what the auditors will and will not do, how they are going to report on your work (on what basis they will say whether what you have done is OK or not) and which information they are entitled to access. Again, legalese with the third party is in order here to protect you from disclosure on their side, from their using their auditor role to obtain your methodology and team's know-how, etc.
5) Are any trophies taken off machines that are vulnerable to attack?
If the reports (status reports and the final one) are done properly, with both technical and non-technical explanations of what was done and what was discovered, the customer rarely needs 'trophies', and they provide no added value to the job.

This also brings up the question of whether non-destructive exploits should be run against a known-to-be-vulnerable target.

We always use non-destructive exploits; DoS attacks are coordinated and agreed on with the higher-level contact from the customer.
6) Costing and Fees - How is a quotation for the assessment compiled? Obviously it is relative to the size of the organization and the number of machines scanned, but are there any other determining factors that should affect price? e.g. according to OS, machine type & value, value of information on machine... Any example/old/used/whatever quotes out there which I can get an idea from? In South Africa, pen-testing is an unknown service with no baseline standards / recommendations available.

We just calculate a quotation based on the info of question 1 and very few other things (is it done remotely? does the customer pay for travel and lodging expenses if not? etc.). It generally comes down to the resources we are allocating for the job, not to IT infrastructure specifics.
7) In the event of a physical pen-test, should this take place before or after the online test?
I don't think this makes a big difference. It's a matter of discussion with the customer, whatever fits them better.

I hope this helps,

-ivan

---
"Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house. Its nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : iarce () core-sdi com
http://www.core-sdi.com
Florida 141 2do cuerpo Piso 7
C1005AAG Buenos Aires, Argentina.
Tel/Fax : +(54-11) 4331-5402
=====================================================================

--- For a personal reply use iarce () core-sdi com