Penetration Testing mailing list archives

Re: Bank pen test

From: "Noe Espinoza Mancillas" <nespinoza () grupowissen com>
Date: Thu, 2 Mar 2006 23:21:05 -0600

now i make my plan

and one of the steps is to check manualy some know vuln.. and tried to found
some uknow vuln..
and i plan to use 4 tools ( for the scanning) but the bank do not whant ..
they put his hand in the fire for the ISS scanner :(
but sure i`ll be tried to use diferent exploits.

but now i have a dude with the time for this pent test.. becouse de bank
only give 3 weeks to do that!.. and with no more than 4 pepoples work in
on..

and they ask for a pre assessment before start the pent test :S

anyway! thank`s!





----- Original Message ----- 
From: "mystic33" <mystic33 () comcast net>
To: "'Noe Espinoza Mancillas'" <nespinoza () grupowissen com>;
<pen-test () securityfocus com>
Sent: Thursday, March 02, 2006 10:59 PM
Subject: RE: Bank pen test


Hi

First:
If they want a pen test of only 20 servers there is no way to know if the
servers that you haven't tested have the same vulnerabilities unless the 20
are a sample of one of each system down to the os version patch level,
application version patch level etc.

Second:
Core Impact is in my opinion a good tool, but be aware of your selected
exploits. Do you really want to risk running buffer overflow etc. I would
always run a least 2 tools if possible.

Third:
Running a tool is just one step in diligent pen test. You may also do some
manual checking and poking around to verify what the tool has reported.

Last and very important:
Make sure you are specific in your test plan and have the company sign off.
CYA is extremely important.

Hope this is helpful,

Sharon



-----Original Message-----
From: Noe Espinoza Mancillas [mailto:nespinoza () grupowissen com]
Sent: Thursday, March 02, 2006 5:57 PM
To: pen-test () securityfocus com
Cc: nespinoza () grupowissen com
Subject: Bank pen test

hello all!

now i'm still wait to start an internal penetration test in a bank .. they
have a lot of servers.. HP Ux, Win, Sun, Linux , etc.  and now they are
using ISS (scanner) to find vulnerabilitys and then they make a remedation
with some scripts and other comercial tools... so..
now they need help becouse the ISS scanner every time that are running found
the same vulnerabilitys after patchs the servers. I told them that is really
importan to use some other diferents scanners and make an penetration test
to review if the vulnerabilities are really risk for the bussines!!.. and
they don`t accept it ..

buy they need it.. need to make a remediation of all the vulnerabilities in
all the 4000 servers!

so.. they ask for a pent test for only 20 servers.. and i don`t know how can
i select the number of servers that i need to test to be sure that all the
rest of the servers have the same vulnerabilitis!!.. ?

and what kind of tools can i use to make that!?

i never been in that kind of penetration test :(..

i think to use Core Ipact!

any sugestions?


regards

noe



----------------------------------------------------------------------------
--
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed
enterprise networks. StealthWatch, the veteran Network Behavior Analysis
(NBA)
and Response solution, leverages Cisco NetFlow to provide scalable,
internal network security.
Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and
Response
Systems in the Enterprise."

http://www.lancope.com/resource/
----------------------------------------------------------------------------
--





__________ Información de NOD32, revisión 1.1425 (20060302) __________

Este mensaje ha sido analizado con  NOD32 antivirus system
http://www.nod32.com




------------------------------------------------------------------------------
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed 
enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA) 
and Response solution, leverages Cisco NetFlow to provide scalable, 
internal network security. 
Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response 
Systems in the Enterprise."

http://www.lancope.com/resource/
------------------------------------------------------------------------------

Current thread:

Request for discussion on defending against specific Nmap TCP syn and version scans. Smith, Chris (Mar 01)
- Re: Request for discussion on defending against specific Nmap TCP syn and version scans. Martin Mačok (Mar 02)
- Bank pen test Noe Espinoza Mancillas (Mar 02)
  - RE: Bank pen test Andy Meyers (Mar 03)
  - RE: Bank pen test mystic33 (Mar 03)
    - Re: Bank pen test Noe Espinoza Mancillas (Mar 03)
  - Re: Bank pen test Rick Zhong (Mar 03)
  - RE: Bank pen test Omar A. Herrera (Mar 04)
- <Possible follow-ups>
- Re: Request for discussion on defending against specific Nmap TCP syn and version scans. revnic (Mar 02)
  - Re: Request for discussion on defending against specific Nmap TCP syn and version scans. Aaron (Mar 03)
    - Re: Request for discussion on defending against specific Nmap TCP syn and version scans. ober (Mar 04)
    - Re: Request for discussion on defending against specific Nmap TCP syn and version scans. Martin Mačok (Mar 04)
- Re: Request for discussion on defending against specific Nmap TCP syn and version scans. krantikari26 (Mar 02)