Penetration Testing mailing list archives
RE: How much do you disclose to customers?
From: "Brewis, Mark" <mark.brewis () eds com>
Date: Fri, 19 Dec 2003 16:59:39 -0000
On Tue, 16 Dec 2003, Joe P wrote:
I have a question on customer disclosure. Is it wise to tell the
customer which IP addresses you'll be using before starting pen tests?
Always. Even on 'blind' jobs, when the client is specifying a PenTest to test IDS and firewall teams' effectiveness, someone in the client organisation - the people you agreed the scope with - needs to know who you are and where you are coming from, in order to cap escalation procedures etc.
Cons for Telling: I was thinking that if you did tell them you may get an overzealous, insecure admin that just sets up a filter to block you out to make him/herself look good.
Possible, and have seen it done, but only once. It is a very limited solution, and stands out during testing. If you report what you find, and the client wonders why you weren't able to see their web-site, it is a bit of a giveaway. Most admins are happy to help anyway.
Pros for Telling:
1) if you don't tell them your IP address they may think you're doing testing when in actuality it's someone else (i.e. a true cracker trying to break in).
Yes.
2) Audit trail reasons - if you trip up an IDS while doing testing they can ignore those alarms.
Worth reminding the client to tell all parties that you are doing the test - their ISP, managed services, etc. - so that you don't get blocked downstream.
Also, how do testers handle multiple IP addresses? Is there any benefit to doing it from multiple IP addresses?
This is actually a very complex question. It depends very heavily on what type of test you are doing. But, in general, multiple IPs give you flexibility and are often essential.
How do testers distribute a test amongst multiple people?
By skills. You need to know your team well, but with experience it tends to distribute itself, to a point.
Lastly, do you keep logs of tests performed just to cover yourself? (i.e. "Our server crashed on Saturday, it must have been something you did!!")
thanks ahead of time, Joe
Script everything under Linux. Keep raw output from all your tools. Consider packet logging everything. Burn it all on to a CD when you are finished. It can help you with all sorts of issues: how much you covered, what you did, what tests were running when x crashed, what the problem with x might be, if it is a new vulnerability etc.
HTH,
Mark
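The logging practice Mark describes (script every command, keep raw tool output, packet-log the session, keep enough to answer "what was running when x crashed") can be reduced to a small wrapper that every tool on the engagement is run through. The script below is an added example written for this page, not code from the original post or from Mark; the evidence directory layout, the `PT_EVIDENCE_DIR` and `PT_SOURCE_IPS` variables, and the manifest line format are assumptions of the example, not any standard. It records who the tester is and which source IPs were declared to the client (the disclosure point at the top of the thread), then for each command keeps the exact command line, UTC start and finish times, exit status, the raw combined output, and a SHA-256 of that output so the burned copy can be checked later.

```bash
#!/bin/sh
# Added example (not from the original post): minimal pentest evidence logging.
# Assumed layout: $PT_EVIDENCE_DIR/session.txt, manifest.txt, <name>.out,
# optionally session.pcap. Run every engagement tool via pt_run.

PT_EVIDENCE_DIR="${PT_EVIDENCE_DIR:-./evidence}"

# utc_now: one timestamp format for every record, so events across tools
# and the pcap can be correlated with the client's IDS/firewall logs.
utc_now() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# pt_sha256 FILE: checksum with whichever tool is present (GNU or BSD/macOS).
pt_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# pt_session_start: create the evidence dir and record who is testing, from
# where, and which source IPs were disclosed to the client (PT_SOURCE_IPS is
# set by the tester; it is an assumed convention of this example).
pt_session_start() {
    mkdir -p "$PT_EVIDENCE_DIR"
    {
        echo "session_start_utc=$(utc_now)"
        echo "tester_host=$(hostname)"
        echo "tester_user=${USER:-$(id -un)}"
        echo "declared_source_ips=${PT_SOURCE_IPS:-unset}"
    } >> "$PT_EVIDENCE_DIR/session.txt"
}

# pt_capture_start IFACE: packet-log the whole session with tcpdump when it
# is installed and we are root; otherwise write a manifest line saying that
# no pcap exists, so the gap is recorded rather than discovered later.
pt_capture_start() {
    if command -v tcpdump >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
        tcpdump -i "$1" -s 0 -w "$PT_EVIDENCE_DIR/session.pcap" >/dev/null 2>&1 &
        echo "$!" > "$PT_EVIDENCE_DIR/tcpdump.pid"
        echo "$(utc_now) capture STARTED iface=$1 pid=$!" >> "$PT_EVIDENCE_DIR/manifest.txt"
    else
        echo "$(utc_now) capture NOT_STARTED (needs root and tcpdump)" >> "$PT_EVIDENCE_DIR/manifest.txt"
    fi
}

# pt_run NAME CMD [ARGS...]: run one tool, keep its raw stdout+stderr under
# NAME.out, and append STARTED/FINISHED lines to the manifest. The STARTED
# line is written before the tool runs, so a crash mid-run (the tool's, or
# the target's) still leaves a record of what was in flight and when.
# Returns the tool's own exit status.
pt_run() {
    name="$1"; shift
    out="$PT_EVIDENCE_DIR/$name.out"
    printf '%s %s STARTED %s\n' "$(utc_now)" "$name" "$*" >> "$PT_EVIDENCE_DIR/manifest.txt"
    # Run inside an if so a non-zero exit does not abort a 'set -e' caller.
    if "$@" > "$out" 2>&1; then rc=0; else rc=$?; fi
    printf '%s %s FINISHED rc=%s sha256=%s\n' "$(utc_now)" "$name" "$rc" "$(pt_sha256 "$out")" \
        >> "$PT_EVIDENCE_DIR/manifest.txt"
    return "$rc"
}

# pt_manifest_count: how many tool runs completed; a quick coverage check
# before the evidence is burned to read-only media.
pt_manifest_count() {
    grep -c ' FINISHED ' "$PT_EVIDENCE_DIR/manifest.txt"
}
```

Usage is `pt_session_start`, optionally `pt_capture_start eth0`, then `pt_run nmap_tcp_full nmap -sS -p- 192.0.2.10` and so on for every tool; the `.out` files are the raw output Mark recommends keeping, and the manifest is the timeline used to answer "what was running when x crashed". `tcpdump` is started with `-s 0` so whole packets are kept, which is what makes the capture useful for reproducing a suspected new vulnerability rather than just proving the tester was on the wire.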