Penetration Testing mailing list archives
Re: [PEN-TEST] Lots of questions...my first paid pen-test.
From: "Carskadden, Rush" <carskar () NETSOLVE NET>
Date: Mon, 4 Dec 2000 18:49:40 -0600
Answers below. ok, Rush
-----Original Message-----
From: Shaun Dewberry [mailto:shaun () axsys co za]
Sent: Monday, December 04, 2000 2:13 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Lots of questions...my first paid pen-test.
Hi, Maybe this post should be broken into separate threads. I leave that to the moderator and others to decide.
I'm due to perform a pen-test early January for a rather large company. Just have a couple of questions as this will be my first official pen-test.
I will answer for myself, but keep in mind that there are widely different approaches in the business of penetration testing. Please take my answers with a grain of salt, and keep in mind that YMMV (Your Mileage May Vary). Some other readers may have suggestions that are far better than mine.
1) What is the usual team size used when performing a pen-test?
This depends on some variables. You should think about what depth your assessment will go into, how much ground there is to cover, and how fast you need to get it done. These are good questions to nail down before establishing some sort of manpower estimate.
2) Do you prefer to test from a fixed or dynamic IP?
I really don't see that this matters much, but I like to use DHCP addresses from an Internet Service provider. In the event that I run into an Intrusion Detection device or access control system that is somehow configured to detect my probes and deny me access based on my IP (for instance the NetRanger with shunning enabled), it's nice to be able to force-renew my lease, get a new IP, and proceed with more caution. As always, be careful with DNS related research, and make sure that no data is network-of-origin biased.
3) What sort of logging of activities takes place? How in depth should the logs be and does anyone have references or examples of pen-test logs? Are any specific tools (i.e. keystroke monitors) used during the test?
I'm not big on keystroke monitors, though I have seen them used with the intention of recording events in pen testing before. I generally keep very extensive notes, and I like to keep a full-size tape recorder nearby as well. You will want to keep all of the output from any tools you use, as well as the output of your web research. The general rule of thumb that I go by is that there is no such thing as too much data, as long as you are fairly organized.
4) Do you usually have a third-party/company representative present during the testing process? (i.e. for auditing purposes)
There are a million different approaches to this issue, and I have seen several, but the most frequent arrangement is that there are a number of employees of the client company that are "on-call" at different periods of the assessment process. This allows you to contact a responsible employee should you have any issues to discuss regarding the production status of any element of the client network. Usually, the client does not see the need for any more interaction than this during the assessment. That's not to say that it isn't wise to be very careful about your processes, however. If you can get a representative of the client company or a third party to act as witness, it would be nice. As I noted, however, it's usually not necessary, and client representatives are rarely technically engaged enough in what you're doing to act as effective witnesses anyway.
5) Are any trophies taken off machines that are vulnerable to attack? This also brings up the question of whether non-destructive exploits should be run against a known-to-be-vulnerable target.
Not sure what you are asking in the first part, but my assumption is that you are asking whether client data should be removed from machines on the client network. The answer is a definite no, unless this is what is specifically demanded by your agreement with the client. The agreement also determines the aggressiveness (or level of intrusiveness) you engage in during the assessment. This is something that I like to think should be determined entirely by the customer. You should never actually exploit a system unless it is the client's explicit desire for you to do so, and they are comfortable with it. You may even choose to contact the on-call employees and discuss with them what you are going to do before running an exploit, if that will make them more comfortable. They will probably ask you about the potential impact of running the exploit, if you do call them. It is important to have an answer to this that has been well thought-out. Don't just say "Well, it shouldn't do anything bad". Be very specific about what you are doing if you are going to involve the client at the point of penetration.
6) Costing and Fees - How is a quotation for the assessment compiled? Obviously it is relative to the size of the organization and the number of machines scanned, but are there any other determining factors that should affect price? e.g. according to OS, machine type & value, value of information on machine... Any example/old/used/whatever quotes out there which I can get an idea from? In South Africa, pen-testing is an unknown service with no baseline standards / recommendations available.
This is a difficult question to answer. There are a ton of different ways to do this, and I would not feel confident presenting a case for doing it any one way, as I am not a full-fledged marketeer. So I will pass, and defer to someone who can answer more intelligently.
7) In the event of a physical pen-test, should this take place before or after the online test?
It depends on the nature of the physical penetration test, but if you are conducting your network assessment with the intention of testing internal response time and measures, then it is essential that the majority of the client company's employees be unaware that you are conducting your assessment. In this case, it is best to do the physical assessment after the network assessment, as the physical activities may draw attention to the fact that security measures are being tested, and may heighten awareness, resulting in false data.
Thanks for your help. If you have any other relevant tips I'd appreciate it.
Good luck. I hope everything goes well for you.
Shaun Dewberry
==============================
Axsys IT Solutions
Tel: +27 11 395 3310
Cell: +27 83 415 5201
Email: shaun () axsys co za
Personal: shaun () dewberry co za
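As an added illustration of the record-keeping advice in answer 3 (this is an editor's example, not code from the original thread), a small POSIX shell wrapper that captures each tool run to its own numbered output file and appends one audit line per run; the `pt_log` name, the `evidence/` directory and the note argument are assumptions.

```shell
#!/bin/sh
# Engagement evidence logger (constructed example, not from the original post).
# Every tool run gets its own numbered, timestamped output file, and one line
# per run goes to activity.log: sequence number, start/end time (UTC), exit
# status, SHA-256 of the captured output, the tester's note, and the command.
EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"   # assumption: a writable local directory

# Usage: pt_log "why this step was run" command [args...]
pt_log() {
    mkdir -p "$EVIDENCE_DIR"
    # Next sequence number = number of existing capture files + 1
    count=$(ls "$EVIDENCE_DIR" 2>/dev/null | grep -c '\.out$' || true)
    n=$(printf '%04d' $(( count + 1 )))
    note="$1"; shift
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    out="$EVIDENCE_DIR/${n}_$(date -u +%Y%m%d%H%M%S).out"
    # Capture stdout and stderr together so nothing the tool printed is lost
    "$@" >"$out" 2>&1
    status=$?
    end=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # Digest of the capture file lets the report be tied back to the raw output later
    if command -v sha256sum >/dev/null 2>&1; then
        digest=$(sha256sum "$out" | cut -d' ' -f1)
    else
        digest=$(shasum -a 256 "$out" | cut -d' ' -f1)
    fi
    printf '%s\t%s\t%s\texit=%s\tsha256=%s\tnote=%s\tcmd=%s\n' \
        "$n" "$start" "$end" "$status" "$digest" "$note" "$*" \
        >>"$EVIDENCE_DIR/activity.log"
    return "$status"
}
```

The wrapper passes the tool's exit status through unchanged, so it can sit in front of any existing command line without altering how the tester reacts to failures.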