Penetration Testing mailing list archives

Re: Limited vs full blown testing

From: Martin Mačok <martin.macok () underground cz>
Date: Thu, 24 Jun 2004 23:01:50 +0200

On Wed, Jun 23, 2004 at 09:27:58AM -0700, Toby Barrick wrote:

During my many years of pen testing one common thread when dealing
with customers has been the request to not perform any destructive
or DOS type testing.


Tell them that the purpose of the test is *to test* (i.e. to try
something) and the only thing you can do to not break anything is to
not try anything at all. Maybe they want an audit instead of
a pen-test and they just don't know the terms and the meanings.

If they are so scared, negotiate the exact time of potentially
destructive/aggressive tests.

Use Nessus with "safe checks" turned on for "polite" scans... You can
also disable all "DoS" family plugins in Nessus.

Martin Mačok
IT Security Consultant

Current thread:

Limited vs full blown testing Toby Barrick (Jun 24)
- RE: Limited vs full blown testing Jerry Shenk (Jun 24)
- Re: Limited vs full blown testing Richard Rager (Jun 24)
- Re: Limited vs full blown testing Peter Wood (Jun 24)
  - Re: Limited vs full blown testing R. DuFresne (Jun 24)
    - RE: Limited vs full blown testing Jerry Shenk (Jun 27)
    - RE: Limited vs full blown testing R. DuFresne (Jun 27)
- Re: Limited vs full blown testing Martin Mačok (Jun 25)
  - RE: Limited vs full blown testing Markowsky, Tyler (Jun 27)
- <Possible follow-ups>
- RE: Limited vs full blown testing Bénoni MARTIN (Jun 24)
- RE: Limited vs full blown testing Martin Murray-Brown (Jun 24)
- Re: Limited vs full blown testing El C0chin0 (Jun 24)
  - IE caching issue jatkinson (Jun 27)
    - Re: IE caching issue Daniel Staal (Jun 28)
- RE: Limited vs full blown testing Thompson, Jimi (Jun 27)
- RE: Limited vs full blown testing Wayne Wooley (Jun 27)
  - RE: Limited vs full blown testing R. DuFresne (Jun 27)
- RE: Limited vs full blown testing Alan Davies (Jun 27)

(Thread continues...)