Penetration Testing mailing list archives
Re: [PEN-TEST] How to deal with others' security ?
From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Thu, 7 Sep 2000 19:59:11 +0100
Yea, the biggest companies tend to be sloppy, so to keep the waters clear usually have a clause to keep you out, and insist you have no right to see/know the exact configs. It's a dirty trick and one best delt with by just plain terminating the contract. After all, would you trust a security company that told you that you'll be sue'd if you check they're locking the doors! Dom -----Original Message----- From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Meritt, Jim Sent: 24 August 2000 18:03 To: PEN-TEST () SECURITYFOCUS COM Subject: Re: [PEN-TEST] How to deal with others' security ? If the systems are outsources, the company they are outsourced to may legally go after you for conducting your tests on THEIR systems (it is their hardware, wiring,...) through THEIR routers (tough to get to the client's system without doing that) and there may be a network-wide IDS that your specific client knows nothing about. Better get the OK from ALL parties before proceeding! Been there, done that. V/R Jim _______________________ The opinions expressed above are my own. The facts simply are and belong to none. James W. Meritt, CISSP, CISA Senior Secure Systems Engineer at Wang Government Services, Inc.
-----Original Message----- From: Ejovi Nuwere [mailto:ejovi () EJOVI NET] Sent: Wednesday, August 23, 2000 11:08 AM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: How to deal with others' security ? This should be addressed in the contract before the pen-test/audit begins. Usually you are given specific IP segments to audit. Anything outside of those networks are considered off limits, this includes ISP/ASP sites which the targets DNS may be pointing. Also, you will find that sometimes you are given the task to audit only one department within a corporation. Which limits you to a specific segment. We all make mistakes, but dont concern yourself with anything outside of your audit task. It can result in legal problems. If you think it may be worth looking at, mention it before hand. Otherwise, there isn't much you can do. e. On Tue, 22 Aug 2000, Nicolas Gregoire wrote:Hi, please excuse my (very) poor english. My question is simple : - you have to do a penetration test on a web server. - you discover that there are virtual hosts on the same boxthan the website you have to check. first question : do you know how to learn which virtual hosts are hosted onthis machine? (reverse dns lookups, etc ) [I think it's very important to know that because theothers web sitecan have exploitable cgi, resulting in the ability to rootthe box anddeface all the virtual hosts] second question : how to deal with others' virtual hosts security [ie. theyhave poor cgi]? how obtain authorization to scan these virtual hosts ? thanks in advance Nicob nicob () 7thzone com
Current thread:
- Re: [PEN-TEST] How to deal with others' security ? Domenico De Vitto (Sep 07)