Penetration Testing mailing list archives

Re: [PEN-TEST] First step of a pen-test


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Tue, 19 Sep 2000 11:10:30 -0500

It depends on the scope.  Usually, I try to perform interviews with key
administrators, engineers, and managers.  I also like to review some policy
documents, if they have any.  Of course, you can't *DO* this if they want a
"hacker's eye view" on security.  You'd have to use social engineering.  It
all depends on the scope of the contract.

Usually, an in-house assessment is what they want.  They want to see what
you're doing... and so they don't hide the fact that you're pen-testing.  In
this case, interviews and policy review are typically my first activity.
This gives me a good idea of some network structure, OSes, and things that
they consider "assets", and the level of vulnerability the assets have (or
how vulnerable the company thinks they are).

In general, this is a good way to get the client comfortable with you, and
for you to get comfortable with the environment and people you'll be around
for the next couple of days.

-----Original Message-----
From: Christopher M. Bergeron [mailto:ChrisB () HGSS COM]
Sent: Monday, September 18, 2000 1:39 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: First step of a pen-test


What is the industry norm for _beginning_ a pen-test after the contract has
been made?  Would one first map the network?  Try to war-dial the exchange
for possible remote access machines (pcAnywhere, etc.)?  VRFY email
addresses to look for user logins?  Is it typical to ask for information
about the network (i.e. network architecture) beforehand, or do most pen-tests
start "blindly" and do the network reconnaissance?

Thanks to anyone who addresses even one of my many questions.
