Penetration Testing mailing list archives

Re: [PEN-TEST] Lots of questions...my first paid pen-test.


From: "Carskadden, Rush" <carskar () NETSOLVE NET>
Date: Mon, 4 Dec 2000 18:49:40 -0600

Answers below.

ok,
Rush

-----Original Message-----
From: Shaun Dewberry [mailto:shaun () axsys co za]
Sent: Monday, December 04, 2000 2:13 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Lots of questions...my first paid pen-test.


Hi,
Maybe this post should be broken into separate threads. I leave that to the
moderator and others to decide.

I'm due to perform a pen-test early January for a rather large company. Just
have a couple of questions as this will be my first official pen-test.

I will answer for myself, but keep in mind that there are widely different
approaches in the business of penetration testing. Please take my answers
with a grain of salt, and keep in mind that YMMV (Your Mileage May Vary).
Some other readers may have suggestions that are far better than mine.

 1) What is the usual team size used when performing a pen-test?

This depends on some variables. You should think about what depth your
assessment will go into, how much ground there is to cover, and how fast you
need to get it done. These are good questions to nail down before
establishing some sort of manpower estimate.

 2) Do you prefer to test from a fixed or dynamic IP?

I really don't see that this matters much, but I like to use DHCP addresses
from an Internet Service provider. In the event that I run into an Intrusion
Detection device or access control system that is somehow configured to
detect my probes and deny me access based on my IP (for instance the
NetRanger with shunning enabled), it's nice to be able to force-renew my
lease, get a new IP, and proceed with more caution. As always, be careful
with DNS related research, and make sure that no data is network-of-origin
biased.

 3) What sort of logging of activities takes place? How in depth should the
logs be and does anyone have references or examples of pen-test logs? Are
any specific tools (i.e. keystroke monitors) used during the test?

I'm not big on keystroke monitors, though I have seen them used with the
intention of recording events in pen testing before. I generally keep very
extensive notes, and I like to keep a full-size tape recorder nearby as
well. You will want to keep all of the output from any tools you use, as
well as the output of your web research. The general rule of thumb that I go
by is that there is no such thing as too much data, as long as you are
fairly organized.

 4) Do you usually have a third-party/company representative present during
the testing process? (i.e. for auditing purposes)

There are a million different approaches to this issue, and I have seen
several, but the most frequent arrangement is that there are a number of
employees of the client company that are "on-call" at different periods of
the assessment process. This allows you to contact a responsible employee
should you have any issues to discuss regarding the production status of any
element of the client network. Usually, the client does not see the need for
any more interaction than this during the assessment. That's not to say that
it isn't wise to be very careful about your processes, however. If you can
get a representative of the client company or a third party to act as
witness, it would be nice. As I noted, however, it's usually not necessary,
and client representatives are rarely technically engaged enough in what
you're doing to act as effective witnesses anyway.

 5) Are any trophies taken off machines that are vulnerable to attack? This
also brings up the question of whether non-destructive exploits should be
run against a known-to-be-vulnerable target.

Not sure what you are asking in the first part, but my assumption is that
you are asking whether client data should be removed from machines on the
client network. The answer is a definite no, unless this is what is
specifically demanded by your agreement with the client. The agreement also
determines the aggressiveness (or level of intrusiveness) you engage in
during the assessment. This is something that I like to think should be
determined entirely by the customer. You should never actually exploit a
system unless it is the client's explicit desire for you to do so, and they
are comfortable with it. You may even choose to contact the on-call
employees and discuss with them what you are going to do before running an
exploit, if that will make them more comfortable. They will probably ask you
about the potential impact of running the exploit, if you do call them. It
is important to have an answer to this that has been well thought-out. Don't
just say "Well, it shouldn't do anything bad". Be very specific about what
you are doing if you are going to involve the client at the point of
penetration.

 6) Costing and Fees - How is a quotation for the assessment compiled?
Obviously it is relative to the size of the organization and the number of
machines scanned, but are there any other determining factors that should
affect price? e.g. according to OS, machine type & value, value of
information on machine... Any example/old/used/whatever quotes out there
which I can get an idea from? In South Africa, pen-testing is an unknown
service with no baseline standards / recommendations available.

This is a difficult question to answer. There are a ton of different ways to
do this, and I would not feel confident presenting a case for doing it any
one way, as I am not a full-fledged marketeer. So I will pass, and defer to
someone who can answer more intelligently.

 7) In the event of a physical pen-test, should this take place before or
after the online test?

It depends on the nature of the physical penetration test, but if you are
conducting your network assessment with the intention of testing internal
response time and measures, then it is essential that the majority of the
client company's employees be unaware that you are conducting your
assessment. In this case, it is best to do the physical assessment after the
network assessment, as the physical activities may draw attention to the
fact that security measures are being tested, and may heighten awareness,
resulting in false data.

Thanks for your help. If you have any other relevant tips I'd appreciate it.

Good luck. I hope everything goes well for you.

Shaun Dewberry
==============================
Axsys IT Solutions
Tel: +27 11 395 3310
Cell: +27 83 415 5201
Email:shaun () axsys co za
Personal:shaun () dewberry co za
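The answer to question 3 recommends keeping every piece of tool output and staying organized. The script below is an added example (not from either poster) of one way to do that: a small wrapper that runs a command, stores its complete stdout and stderr as a content-addressed artifact, appends a timestamped JSON line to an activity log, and can later re-hash every artifact to show the record is intact. The directory name, log file name and field layout are assumptions; the command used in the demo is a constructed, harmless Python call.

```python
"""Activity log for an assessment: every tool run gets a timestamped,
append-only record plus a hash-verified copy of its full output.
Constructed example; file names and field layout are assumptions."""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

PYTHON = sys.executable  # used by the demo so it runs anywhere Python does
LOG_NAME = "activity.jsonl"  # assumed log file name inside the engagement directory


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_and_log(argv, note="", log_dir="engagement", operator="tester"):
    """Run argv, keep its raw stdout+stderr as a content-addressed artifact,
    and append one JSON line describing the run to the activity log.
    Returns the log entry so the caller can reference it in written notes."""
    log_dir = Path(log_dir)
    log_dir.mkdir(parents=True, exist_ok=True)
    started = datetime.now(timezone.utc)
    proc = subprocess.run(argv, capture_output=True)
    finished = datetime.now(timezone.utc)
    output = proc.stdout + proc.stderr
    digest = sha256_hex(output)
    artifact = log_dir / f"{digest[:16]}.out"  # identical output shares one artifact
    artifact.write_bytes(output)
    entry = {
        "started": started.isoformat(timespec="seconds"),
        "finished": finished.isoformat(timespec="seconds"),
        "operator": operator,
        "command": list(argv),
        "exit_status": proc.returncode,
        "output_sha256": digest,
        "artifact": artifact.name,
        "note": note,
    }
    with (log_dir / LOG_NAME).open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_log(log_dir="engagement"):
    """Re-hash every artifact referenced by the log and return a list of
    (line number, problem) pairs; an empty list means the record is intact."""
    log_dir = Path(log_dir)
    problems = []
    lines = (log_dir / LOG_NAME).read_text(encoding="utf-8").splitlines()
    for lineno, line in enumerate(lines, 1):
        entry = json.loads(line)
        artifact = log_dir / entry["artifact"]
        if not artifact.exists():
            problems.append((lineno, "artifact missing"))
        elif sha256_hex(artifact.read_bytes()) != entry["output_sha256"]:
            problems.append((lineno, "artifact modified"))
    return problems


if __name__ == "__main__":
    # Constructed demo: log a harmless command, then check the record.
    e = run_and_log([PYTHON, "-c", "print('constructed sample output')"],
                    note="demo run", log_dir="demo-engagement")
    print(json.dumps(e, indent=2))
    print("verify:", verify_log("demo-engagement") or "ok")
```

Because the artifact name is derived from the hash of the output, the log entry and the saved file cross-check each other: editing or losing an artifact after the fact shows up in verify_log, which is the property you want when the notes may later be questioned by the client.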
