Penetration Testing mailing list archives

Re: [PEN-TEST] How to "break into" the Pen-Testing field


From: "Frasnelli, Dan" <dfrasnel () COREWAR COM>
Date: Mon, 11 Sep 2000 13:34:03 -0400

One is absolutely correct, it really depends on the type of penetration
test one is engaged to conduct.
But what really is Industry Best Practices?  I know some high end

I imagine SANS or similar group has a list of recommended practices.

Security auditing IBP is a sticky subject, so preface everything below
with glowing neon "in my humble opinion" signs.

On paper, all IBPs serve at least two purposes:
- peace of mind for the client/consumer
- legal coverage (aka. CYA insurance) for the provider and their employees

When it comes to pen testing, your "IBP" is best determined by the
client's requirements document and contract terms.
If it reads "discover which hosts are visible on the internet",
out comes a portscanner or similar util.
If it reads "compromise the internal customer database using all necessary
means", out comes the phosphorescent VT320 O' Doom, wirecutters, C4
and a 10 gallon drum of coffee.

Really, though.. the point of penetration testing is to mimic an
unpredictable, chaotic attacker.
I've mentioned this in other forums, and I'll mention it here:
information security is one part technology, one part psychology.
You cannot boil down a sophisticated attacker's techniques into
logical rules and process trees.

What tool would be used first and what would be the secondary tool to
validate any false positives one may discover???  Is there any manual
massaging of the data??

In very generic terms.. a vulnerability scan is the first tool,
exploitation of the vulnerability is the second tool which validates
the finding.  Of course, this is subject to terms of your contract.

Would you turn over the raw data to the customer??

Without hesitation.  If not the raw data, slightly formatted data
not far up the chain.
Results from a penetration test usually have three parts:
a) executive summary
b) "raw data" (or close facsimile)
c) recommendations

You want to provide actual data to validate your recommendations and
provide the client's technical staff a good starting point.

-dan
