Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Penetration test report - your comments please?

From: Curt Wilson <netw3 () netw3 com>
Date: 30 May 2001 23:42:28 -0000

Thanks for your comments.

The basic issue with this pen test was that the 
company is a small company offering an internet 
service for the first time. Budget contraints were the 
main issue with the limitations placed on the pen test. 
I would have liked to attempt brute force, trashing, 
and assessment/penetration of the network 
infrastructure but these were not included in our 
arrangement.

How do other pen testers handle issues with 
outsourced ISPs? This seems like a murky area 
unless you are actually testing the ISP themselves. 

Certainly, an attacker won't care about such artificial 
boundaries, as a vulnerability is a vulnerability, 
whether it appears in the clients IIS server (surely 
not! :), sendmail, open proxy server, public/private 
community strings on routers and network devices, 
or a weakly secured linux host at the ISP just ripe and 
waiting for a rootkit and sniffer on a non-switched 
network.

Curt Wilson, Netw3 Consulting
www.netw3.com
618-303-6383
Previous By Date Next
Previous By Thread Next

Current thread: