Penetration Testing mailing list archives

Re: Using 0days as part of pen-test?


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Thu, 15 Jan 2009 16:39:06 +0000

Oliver Schad wrote:
> I mean, why should I choose as a tester a role of an attacker who knows
> nothing about the network if there is somebody in this world who could
> attack this network with all knowledge he needs?

  Normally the framing of the attack model is part of the negotiation -
you can start out by assuming the attacker will have a full network
topology and all admin/root passwords, but you will probably find the
network isn't really that secure, and the report will probably get
slammed as being "unrealistic". However, equally, you can't start out by
assuming an attacker will know nothing - if an attacker could reasonably
know something (a valid user/pass pair on the LAN, for example) that
needs to be set out in the contract before the pentest starts.

  Usually though, unless you need a nudge, you are better off
approaching the job as a fearless but skilled team of attackers would -
if you are onsite with a visitor badge, keep your eyes open for user
account details (Post-it on the screen for temps to use?) and those are
fair game; if they use Cisco VPNs, see if they will give you a PCF file
for one (write this up as the "lost laptop" scenario if you must). If
they use Vasco tokens, try and guess the admin password, and so forth.
There is no reason to approach the testing as a featureless black box,
but you must also, when documenting your starting conditions, justify how
a "real" hacker would get that information; remembering of course that a
disgruntled current employee is as likely (and often a more likely)
candidate for attacker as any other.
