Penetration Testing mailing list archives

Re: Using 0days as part of pen-test?


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Thu, 15 Jan 2009 10:39:17 +0000

purdy () tecman com wrote:
Good points Pete. But since the sub: caught my attention, I thought I
would point out (if it has not already been done) that 0-day tests,
by definition, cannot test anything other than the quality of the
anomaly-based detection system.  I wonder how many readers here have
actually come up against a 0-day.  It is mighty scary (particularly
if it is a worm taking down another mission-critical server every
minute). All the experience in the world is for naught; the only thing
that can save you is your own deductive problem-solving abilities.

I wonder if that might be an interesting exercise to offer as a service
- if you have access to an 0-day, warn their staff *in advance* that you
are going to compromise their network at or about a set time on a set
date, and that you will be monitoring their ability to recognise an
attack, interpret the logs appropriately and block the attack as best
they can.

Then, at time 0, be onsite with them and conspicuously run a program
which places a flashing "pentest: running" with a counter starting at 0
and counting the seconds.

Watch the headless-chicken activity for a while, without actually doing
anything. Make sure your script occasionally flashes "dos boxes" saying
things like "0day exploit 147 - Test running" to keep them nervous.

Then, at time T+1 hr, someone else in your team repeats the 0day
penetration and attempts to expand the initial break to full lan access.

would be a LOT cheaper than trying to learn while a blackhat is doing
the same thing looking for whatever it is blackhats crave from
compromised networks :)
