Penetration Testing mailing list archives

Re: [PEN-TEST] First step of a pen-test

From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Wed, 20 Sep 2000 11:45:07 -0700

"The old-school mentality of "put a firewall up to keep people out" doesn't
work in today's environment. While most sites have some sort of firewall,
attackers can breach security barriers by exploiting vulnerabilities in
the various Web-facing applications. Testing these apps is a difficult and
time-consuming task because each environment has a slightly different
implementation. The requisite skills necessary to perform these
specialized reviews include extensive knowledge of Web technologies, such
as HTML, ASP, Java, Java- Script, cookies, PERL, VB scripting, SQL and CGI
programming, to name a few.

There is a prodigious gap in the skill level needed to perform traditional
network and operating system testing vs. a structured e-commerce
application penetration review. Systems managers should choose wisely
when selecting a vendor to test an e-commerce application environment.
Remember: The browser is the new millennium's security weapon."

So get out that "Security pixie dust"..

/mark

At 01:14 PM 9/19/00 -0400, Jason Stout wrote:

heh, I just read this article 20 minutes ago. This should answer
most of your questions.

http://www.infosecuritymag.com/sep2000/securestrategies.htm

Regards,
Jason Stout

------Original Message------
From: "Christopher M. Bergeron" <ChrisB () HGSS COM>
To: PEN-TEST () SECURITYFOCUS COM
Sent: September 18, 2000 6:38:50 PM GMT
Subject: [PEN-TEST] First step of a pen-test


What is the industry norm for _beginning_ a pen-test after the contract has
been made?  Would one first map the network?  Try to war-dial the exchange
for possible remote (pcanywhere, etc). access machines?  VRFY email
addresses to look for user logins?  Is it typical to ask for information
about the network (ie. network architecture) beforehand or do most
pen-tests start "blindly" and do the network reconnaissance.

Thanks to anyone who addresses even one of my many questions.


-----------------------------------------------
FREE! The World's Best Email Address @email.com
Reserve your name now at http://www.email.com

Current thread:

Re: [PEN-TEST] First step of a pen-test, (continued)
- Re: [PEN-TEST] First step of a pen-test Teicher, Mark (Sep 19)
  - [PEN-TEST] LDAP-nullbase krisk (Sep 20)
    - Re: [PEN-TEST] LDAP-nullbase Brian Conte (Sep 20)
    - Re: [PEN-TEST] LDAP-nullbase spi (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Erik Tayler (Sep 20)
- Re: [PEN-TEST] First step of a pen-test van der Kooij, Hugo (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Wandering One (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Dunker, Noah (Sep 19)
- Re: [PEN-TEST] First step of a pen-test Tonick, Mike (Sep 19)
- Re: [PEN-TEST] First step of a pen-test Jason Stout (Sep 20)
  - Re: [PEN-TEST] First step of a pen-test Teicher, Mark (Sep 20)
    - [PEN-TEST] anyone using firewalking? The Picard (Sep 20)
    - Re: [PEN-TEST] anyone using firewalking? Jonathan Rickman (Sep 21)
    - Re: [PEN-TEST] anyone using firewalking? El Nahual (Sep 21)
- Re: [PEN-TEST] First step of a pen-test H Carvey (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Loschiavo, Dave (Sep 20)
  - Re: [PEN-TEST] First step of a pen-test Max Vision (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Dawes, Rogan (Sep 21)
  - Re: [PEN-TEST] First step of a pen-test Riley Hassell (Sep 23)
    - Re: [PEN-TEST] First step of a pen-test Erik Tayler (Sep 23)
- Re: [PEN-TEST] First step of a pen-test Tonick, Mike (Sep 22)

(Thread continues...)