Re: Penetration test of 1 IP address

[pagvac <unknown.pentester () gmail com>]

Following a methodology is good from an engineering point of view, but
this way of thinking will also make you skip security holes that can
only be found using a more fuzzy and artistic approach (thinking
outside the box).

This is why I believe that you need to experiment besides following a
methodological approach.

On 2/9/06, Michael Gargiullo <mgargiullo () pvtpt com> wrote:
> > -----Original Message-----
> > From: Edmond Chow [mailto:echow () videotron ca]
> > Sent: Tuesday, February 07, 2006 10:45 PM
> > To: 'Michael Gargiullo'; pen-test () securityfocus com
> > Cc: 'Edmond Chow'
> > Subject: RE: Penetration test of 1 IP address
> >
> >
> >
> >
> > To all:
> >
> > I have been asked to perform a security audit of 1 IP address
> > for client.
> > They have given me the 1 IP address and a clue (webblaze).
> >
> > If I enter the IP address and then /webblaze, I am taken to a
> > login page (user name and password requested).
> >
> > What tools would you recommend that I use for this assignment?
> >
> > Thanks for your help.
> >
> > Regards,
> >
> >
> > Edmond
> >
> >
> > --------------------------------------------------------------
>
> Edmond,
>
> You really need to set ground rules with your client. Set the clients
> expectations on what is inbounds vs. what is out of bounds.  For
> example, some clients want you to handle their equipment with kid
> gloves, but others want you to test with a sledgehammer.
>
> You need to agree on a large number of issues.
>
> Honestly, if a client approached me with only those 2 items (an IP and
> Hint), I'd probably turn them down.  I'd explain that using those two
> items would give them a low level of assurance on the security of the
> site. I'd only be able to tell them if their server is vulnerable (nmap,
> nessus, Nikto, google the app, company, etc...) and if the app login
> algorithm is sound.
>
> For real assurance, that should only be the first step. Once it's
> determined that the login is secure (if it is), you really should move
> on to actually testing the app.
>
> Id have to say if they only want assurance that the login algorithm
> sound, then go for it.  Do your homework, and attack based on what
> you've agreed upon.
>
> If they want to make sure the whole application is sound, you need more
> then they've given you after you've finished the blind testing.
>
> -Mike
>
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
> futile against web application hacking. Check your website for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------


--
pagvac (Adrian Pastor)
www.ikwt.com - In Knowledge We Trust

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------