Penetration Testing mailing list archives

RE: Email Pen-testing


From: "Mike Sues" <msues () rigelksecurity com>
Date: Sun, 21 Mar 2004 12:18:18 -0500


As a compromise you could set up a controlled email delivery test.
Your client could set up a typical workstation image and a dummy
email address. Deliver your email package to only that email address.
The user opens your email and conducts the test. Depending upon the
particular exploit, the user might not even have to perform anything
more than opening the email. Certainly does not perform the social
engineering but is controlled. Can be used to demonstrate a point.

Keep in mind that testing of email-based exploits in a non-controlled
fashion would have to address the propagation problem. If the recipient
forwards your package on, it could go to someone else outside of the
organization being tested. Moreover, the impact to your client's
organization itself may be significant if the email is forwarded
internally. However, depending upon the exploit, there are ways to
control the impact of propagation. For example, if the package is an
IE-based vulnerability that can be triggered through webmail or an email
client by redirecting the user to a site you have set up to deliver the
IE exploit, build the smarts into your web site delivery so the exploit
is only delivered once. I'm sure there are other ways .. this is one
approach.

You also have to address an anonymous user visiting your exploit delivery
site, but once again, this can be avoided by building some form of
confirmation into the web site exploit delivery or using firewall rules
around your site to prohibit access to all but your client's range.

I'm not advocating the uncontrolled testing, but just pointing out two
issues and ways to mitigate them. Test these well.

--------------------------------------------
Mike Sues, GCIH
Ethical Hack Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.720.4842
fax:613.249.8319
--------------------------------------------
 

-----Original Message-----
From: Blake [mailto:netspan () hotmail com] 
Sent: Saturday, March 20, 2004 11:22 AM
To: pen-test () securityfocus com
Subject: Email Pen-testing

Wanted to get your opinion on something...

Doing a pen-test for a small bank which was proving very difficult to get
it. A friend of mine suggested I send a backdoor trojan attachment via an
email. If they clicked on it, the backdoor performs maybe a boxscan, grabs
passwords, and connects out to the Internet. --Much like a virus.

I think this type of testing is becoming more relevant nowadays, especially
with what's out there. It reinforces properly configured antivirus software
and user awareness.

I spoke with a previous customer of mine about the idea. He said he would be
very upset if he was not told prior to that type of test as part of normal
pen-testing.

Generally speaking, my code of ethics doesn't allow me to social engineer. I
don't like lying and misleading people. Also people tend to hate you after
they've been punk'd.

What's your ideas on the email pen-testing?

-Blake


