Penetration Testing mailing list archives
Re: Pentest Cisco
From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Fri, 11 Dec 2009 15:12:18 -0800 (PST)
Not to be too picky, but first you describe it as an "audit", then mention "pentesting". These are very different things. An audit compares an implementation against a defined standard such as a documented baseline, a specific set of controls, such as NIST SP800-53, or perhaps against generally accepted good practice. One really good audit tool is Nipper. It takes a config file and compares it against a baseline of generally accepted good practices that have been defined. Is a pentest or "vulnerability assessment" what they're really after? Important questions include: - will scanning be permitted? - what is the timeframe for completing the project? - do they want you to test first without credentials and then with credentials of a basic user or an admin? - if you aren't already familiar with it, what kind of government regulations may pertain to their business or industry segment? - what kind of reporting requirements do they have? - what kinds of meeting requirements will they have for project management and status? That should be a good start for addressing the RFP. There will be many more questions about actually carrying out the project should you get the chance to move forward. Good luck --- On Sat, 12/5/09, Paulo Ribeiro <lopolo_fr () yahoo fr> wrote:
From: Paulo Ribeiro <lopolo_fr () yahoo fr> Subject: Pentest Cisco To: pen-test () securityfocus com Date: Saturday, December 5, 2009, 7:41 AM Hello All, I need to respond to an RFP to audit an infrastructure with 100+ cisco devices (routers, switches, etc...) I was wondering if some of you would share: 1) what to ask to size the pentest? number of devicee? role? number of VLAN (any relevance?) 2) how would you go to pentest it? any particular tools? Would you use CDP and/or SNMP? (any tools) ? would one first start by doing a network scan to identify where and what the devices are? Any help appreciated! Kind regards, LoPo ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Pentest Cisco Paulo Ribeiro (Dec 08)
- Re: Pentest Cisco Daniel Hood (Dec 08)
- OpenVPN traffic David Howe (Dec 15)
- Re: OpenVPN traffic lorddoskias (Dec 15)
- Re: OpenVPN traffic Chris Clymer (Dec 15)
- Re: OpenVPN traffic David Howe (Dec 15)
- Message not available
- Re: OpenVPN traffic David Howe (Dec 21)
- OpenVPN traffic David Howe (Dec 15)
- Re: Pentest Cisco Daniel Hood (Dec 08)