Penetration Testing mailing list archives

FW: Email Pen-testing


From: "Intel96" <intel96 () bellsouth net>
Date: Mon, 22 Mar 2004 17:07:53 -0500

I had the same situation last year with a small bank that wanted a black
test (no information provided to us the testers). We decided to craft a
custom virus targeted only to our client.  We programmed the virus for the
information we desired and selected several delivery methods.

The methods were:

1.  E-mail attachments
2.  Web downloads (created fake web pages to look like products they had
purchased in IT)
3.  Commercial software repackaged as a gift with the virus embedded in the
installer as an update.
4.  ISP upgrade disks to target's home address

All these items were covered in the scope of work and liability waiver.
Using these methods you are guaranteed to gain some good information about
the customer's network.

Note:  Once you code your viruses and develop delivery methods they can be
used over and over.....

intel96



Doing a pen-test for a small bank which was proving very difficult to
get in. A friend of mine suggested I send a backdoor trojan attachment
via an email. If they clicked on it, the backdoor performs maybe a
boxscan, grabs passwords, and connects out to the Internet. --Much like
a virus.
*cut*
I spoke with a previous customer of mine about the idea. He said he
would be very upset if he was not told prior to that type of test as
part of normal pen-testing.
*cut*
What are your ideas on the email pen-testing?



