Penetration Testing mailing list archives
RE: Email Pen-testing
From: "Mike Sues" <msues () rigelksecurity com>
Date: Sun, 21 Mar 2004 12:18:18 -0500
As a compromise you could set up a controlled email delivery test. Your client could set up a typical workstation image and a dummy email address. Deliver your email package to only that email address. The user opens your email and conducts the test. Depending upon the particular exploit, the user might not even have to perform anything more than opening the email. Certainly does not perform the social engineering but is controlled. Can be used to demonstrate a point.

Keep in mind that testing of email-based exploits in a non-controlled fashion would have to address the propagation problem. If the recipient forwards your package on, it could go to someone else outside of the organization being tested. Moreover, the impact to your client's organization itself may be significant if the email is forwarded internally. However, depending upon the exploit, there are ways to control the impact of propagation. For example, if the package is an IE-based vulnerability that can be triggered through webmail or an email client by redirecting the user to a site you have set up to deliver the IE exploit, build the smarts into your web site delivery so the exploit is only delivered once. I'm sure there are other ways... this is one approach.

You also have to address an anonymous user visiting your exploit delivery site, but once again, this can be avoided by building some form of confirmation into the web site exploit delivery or using firewall rules around your site to prohibit access to all but your client's range.

I'm not advocating the uncontrolled testing, but just pointing out two issues and ways to mitigate them. Test these well.
--------------------------------------------
Mike Sues, GCIH
Ethical Hack Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.720.4842
fax:613.249.8319
--------------------------------------------

-----Original Message-----
From: Blake [mailto:netspan () hotmail com]
Sent: Saturday, March 20, 2004 11:22 AM
To: pen-test () securityfocus com
Subject: Email Pen-testing

Wanted to get your opinion on something...

Doing a pen-test for a small bank which was proving very difficult to get it. A friend of mine suggested I send a backdoor trojan attachment via an email. If they clicked on it, the backdoor performs maybe a boxscan, grabs passwords, and connects out to the Internet. --Much like a virus.

I think this type of testing is becoming more relevant nowadays, especially with what's out there. It reinforces properly configured antivirus software and user awareness.

I spoke with a previous customer of mine about the idea. He said he would be very upset if he was not told prior to that type of test as part of normal pen-testing.

Generally speaking, my code of ethics doesn't allow me to social engineer. I don't like lying and misleading people. Also people tend to hate you after they've been punk'd.

What are your ideas on the email pen-testing?

-Blake
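The two scope controls Mike describes for the delivery site (serve only to the client's agreed address range, and honour each confirmation exactly once so a forwarded link cannot be replayed) can be expressed as a small decision gate. The following is an added illustration, not code from the thread or from Rigel Kent; the 203.0.113.0/24 and 198.51.100.0/24 ranges are constructed documentation addresses, the per-recipient token is one reading of "some form of confirmation", and the gate only returns a deliver/deny decision plus an audit trail; it serves no content itself.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field


@dataclass
class DeliveryGate:
    """Decide whether a request to the test-delivery site should receive the
    test page. Two controls: the source address must sit inside the ranges
    agreed with the client, and each confirmation token is honoured once."""
    allowed_cidrs: list                           # agreed client ranges (constructed)
    tokens: dict = field(default_factory=dict)    # token -> already delivered?
    denied: list = field(default_factory=list)    # audit trail of refused requests

    def __post_init__(self):
        self.networks = [ipaddress.ip_network(c, strict=False) for c in self.allowed_cidrs]

    def issue_token(self) -> str:
        """One token per recipient; it is embedded in the link sent to the dummy mailbox."""
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = False
        return tok

    def decide(self, client_ip: str, token: str) -> tuple:
        """Return ('deliver', 'ok') or ('deny', reason). Only a delivery consumes the token."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return self._deny(client_ip, token, "unparseable source address")
        if not any(addr in net for net in self.networks):
            return self._deny(client_ip, token, "source outside agreed range")
        if token not in self.tokens:
            return self._deny(client_ip, token, "unknown token")
        if self.tokens[token]:
            return self._deny(client_ip, token, "token already used")
        self.tokens[token] = True
        return ("deliver", "ok")

    def _deny(self, client_ip: str, token: str, reason: str) -> tuple:
        # Every refusal is recorded so the report can show who reached the site and why
        # they were turned away (e.g. the email was forwarded outside the test scope).
        self.denied.append({"ip": client_ip, "token": token, "reason": reason})
        return ("deny", reason)


def demo():
    """Walk through the cases the post raises, using constructed addresses."""
    gate = DeliveryGate(["203.0.113.0/24"])   # constructed client range
    tok = gate.issue_token()
    results = [
        gate.decide("198.51.100.7", tok),      # anonymous visitor outside the range
        gate.decide("203.0.113.10", "bogus"),  # in range, but no valid confirmation
        gate.decide("203.0.113.10", tok),      # the intended test workstation
        gate.decide("203.0.113.11", tok),      # the link forwarded to a colleague
    ]
    return results, gate.denied


if __name__ == "__main__":
    for (verdict, reason), entry in zip(*demo()) if False else [(r, None) for r in demo()[0]]:
        print(verdict, reason)
```

The order of the checks matters: the address test runs first so that an out-of-range visitor never learns whether a token is valid, and the token is only marked used on an actual delivery, so a refused request from the wrong network does not burn the legitimate recipient's one chance.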