Penetration Testing mailing list archives
Re: Email Pen-testing
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Sun, 21 Mar 2004 18:16:48 -0500
-----BEGIN PGP SIGNED MESSAGE-----
"Blake" == Blake <netspan () hotmail com> writes:
Blake> Wanted to get your opinion on something... Doing a
Blake> pen-test for a small bank which was proving very difficult to
Blake> get it. A friend of mine suggested I send a backdoor trojan
Blake> attachment via an email. If they clicked on it, the backdoor
Blake> performs maybe a boxscan, grab passwords, and connects out to
Blake> the Internet. --Much like a virus. I think this type of
Blake> testing is becoming more relevant nowadays, especially with
Blake> whats out there. It reinforces properly configured antivirus
Blake> software and user awareness. I spoke with a previous
Blake> customer of mine about the idea. He said he would be very
Blake> upset if he was not told prior to that type of test as part
This a form of what we call _BlackBox penetration testing and response
testing_
The purpose of it is to (hopefully) get caught. It is a test of the
companies' response to an incident as well as whether or not they are
secure.
As such, I would expect some part of the customer to be aware of the
situation, but not all of the customer, and certainly not the IT people.
(i.e. CIO/CEO only)
From: http://www.xelerance.com/penetration_testing.php
} This is done without the knowledge of the end client
}customer/user. Often only the CEO or CIO of the client is aware of the
}effort. The consulting is provided with a "get out of jail free"
}letter. The consultant team attempts to comprise the clients' security,
}with the goal of causing some reaction from the customer. The goal is
}not just to compromise a system, but to elicit a response from the
}client, and possibly a response from a law enforcement agency.
}
}In such a test it is acceptable for the consultant to compromise one
}server in order to continue gathering information, and/or attacking
}other systems.
Blake> of normal pen-testing. Generally speaking, my code of
Blake> ethics doesn't allow me to social engineer. I don't like
Well, trojan'ed email that needs to be double-clicked *IS* social
engineering.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQF4iX4qHRg3pndX9AQG9ZgQA35QSFTIOBcSVGiU1RAuXm2Rz5+qNDR9M
syB2PU+sHg4piULicvVsxFb8RhpzR94lwFe8dIGe+4RDO/Ae4uUV60Rma9IPZKOB
xuTKo+5ANbTpZRQJDZ56z7SeFYhCwJkJnO/J+lwZep+gAYk/oFnqItopnc8MhMis
8ip/IdnPjHk=
=05W+
-----END PGP SIGNATURE-----
---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------
Current thread:
- RE: Email Pen-testing, (continued)
- RE: Email Pen-testing Frank Knobbe (Mar 24)
- Re: Email Pen-testing Michael Richardson (Mar 24)
- RE: Email Pen-testing Rob Shein (Mar 23)
- RE: Email Pen-testing Brad . Murray (Mar 23)
- Re: Email Pen-testing Michael Richardson (Mar 23)
- RE: Email Pen-testing R. DuFresne (Mar 23)
- Re: Email Pen-testing Rainer Duffner (Mar 23)