Penetration Testing mailing list archives
Re: Email Pen-testing
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Sun, 21 Mar 2004 18:16:48 -0500
"Blake" == Blake <netspan () hotmail com> writes:
Blake> Wanted to get your opinion on something... Doing a
Blake> pen-test for a small bank which was proving very difficult to
Blake> get it. A friend of mine suggested I send a backdoor trojan
Blake> attachment via an email. If they clicked on it, the backdoor
Blake> performs maybe a boxscan, grab passwords, and connects out to
Blake> the Internet. --Much like a virus. I think this type of
Blake> testing is becoming more relevant nowadays, especially with
Blake> what's out there. It reinforces properly configured antivirus
Blake> software and user awareness. I spoke with a previous
Blake> customer of mine about the idea. He said he would be very
Blake> upset if he was not told prior to that type of test as part

This is a form of what we call _BlackBox penetration testing and response
testing_

The purpose of it is to (hopefully) get caught. It is a test of the
company's response to an incident as well as whether or not they are
secure.

As such, I would expect some part of the customer to be aware of the
situation, but not all of the customer, and certainly not the IT people.
(i.e. CIO/CEO only)

From: http://www.xelerance.com/penetration_testing.php

} This is done without the knowledge of the end client
}customer/user. Often only the CEO or CIO of the client is aware of the
}effort. The consulting is provided with a "get out of jail free"
}letter. The consultant team attempts to compromise the clients' security,
}with the goal of causing some reaction from the customer. The goal is
}not just to compromise a system, but to elicit a response from the
}client, and possibly a response from a law enforcement agency.
}
}In such a test it is acceptable for the consultant to compromise one
}server in order to continue gathering information, and/or attacking
}other systems.

Blake> of normal pen-testing. Generally speaking, my code of
Blake> ethics doesn't allow me to social engineer. I don't like

Well, trojan'ed email that needs to be double-clicked *IS* social
engineering.
-- 
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [