Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Thu, 15 Jan 2009 10:39:17 +0000
purdy () tecman com wrote:
> Good points Pete. But since the sub: caught my attention, I thought I would point out (if it has not already been done) that 0-day tests, by definition, cannot test anything other than the quality of the anomaly-based detection system. I wonder how many readers here have actually come up against a 0-day. It is mighty scary (particularly if it is a worm taking down another mission-critical server every minute). All the experience in the world is for naught; the only thing that can save you is your own deductive problem-solving abilities.
I wonder if that might be an interesting exercise to offer as a service - if you have access to an 0-day, warn their staff *in advance* that you are going to compromise their network at or about a set time on a set date, and that you will be monitoring their ability to recognise an attack, interpret the logs appropriately and block the attack as best they can. Then, at time 0, be onsite with them and conspicuously run a program which places a flashing "pentest: running" with a counter starting at 0 and counting the seconds. Watch the headless-chicken activity for a while, without actually doing anything. Make sure your script occasionally flashes "dos boxes" saying things like "0day exploit 147 - Test running" to keep them nervous. Then, at time T+1 hr, someone else in your team repeats the 0day penetration and attempts to expand the initial break to full LAN access. Would be a LOT cheaper than trying to learn while a blackhat is doing the same thing looking for whatever it is blackhats crave from compromised networks :)