Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: Jeremy Brown <0xjbrown41 () gmail com>
Date: Wed, 21 Jan 2009 15:57:40 -0500
Thinking about if 0days are allowed.. what about findings from fuzzing? On Wed, Jan 21, 2009 at 2:34 PM, Morning Wood <se_cur_ity () hotmail com> wrote:
the question(s) to ask is... do the bad guys have this exploit? can the bad guys reach the target? if there is low hanging fruit on a tertiary machine, that allows more leverage against the target... will the bad guys not use this vector? answering yes to any of the above will help you determine the severity, and quantifiability to you. remember.. you are being paid to be the "bad guy" ----- Original Message ----- From: "ArcSighter Elite" <arcsighter () gmail com> To: "pen-test list" <pen-test () securityfocus com> Sent: Monday, January 12, 2009 5:32 AM Subject: Using 0days as part of pen-test?-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi list. I'm rather new to responsible disclosure, so experts may found silly my question, but I've founded pretty interesting, so please keep reading. A few days ago, I've identified a vulnerability in some closed-source vendor's ftp server. Then, days later I was requested to do pen-test against a company. While I was information gathering, I've managed to identify that third-party ftp daemon in one of the company's external hosts. I wasn't pretty sure how to proceed in such a situation, but I've fal to the temptation and exploited the flaw. That led to a 20-mins entire network compromise, and of course proved that the network was vulnerable. After doing that, and thinking about what I've done; I wasn't that happy about my results. First, I got the issue of how to report this vulnerability to the company, without breaking the -intermediary- vendor contact and agreement; because the vulnerability exists and its exploitable as I've proved, but it wasn't general public knowledge the flaw is present. I know I've braked a lot of phases of any pen-test framework, but IMHO a blackhat will proceed exactly this way: they'll exploit the network through its weakest link, and is my task to protect the company from the blackhat, not from pen-testers (at least not the evil ones). Secondly, the flaw provided me with enough information that otherwise will take me a lot longer to achieve; so I felt the audit process has been somehow compromised. I think I've been clear enough, if I haven't just ask for more info. What's the most ethical way to proceed in such a situation? Sincerely. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFJa0ZSH+KgkfcIQ8cRArj7AKD7hZCFOk+GBdkQ+v271wckKA8ECACgjWqR U1rhxUzEw6Z+Q7P7Vxwe9mc= =5m9Z -----END PGP SIGNATURE-----
Current thread:
- RE: Using 0days as part of pen-test?, (continued)
- RE: Using 0days as part of pen-test? Shenk, Jerry A (Jan 13)
- Re: Using 0days as part of pen-test? David Howe (Jan 13)
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? David Howe (Jan 13)
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? Jason Ross (Jan 13)
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 13)
- Re: Using 0days as part of pen-test? Dotzero (Jan 13)
- Re: Using 0days as part of pen-test? Paul Melson (Jan 13)
- Re: Using 0days as part of pen-test? Aarón Mizrachi (Jan 14)
- Re: Using 0days as part of pen-test? Morning Wood (Jan 21)
- Re: Using 0days as part of pen-test? Jeremy Brown (Jan 21)
- Using 0days as part of pen-test? christopher . riley (Jan 13)
- Re: Using 0days as part of pen-test? Aarón Mizrachi (Jan 15)
- RE: Using 0days as part of pen-test? Shenk, Jerry A (Jan 17)
- Re: Using 0days as part of pen-test? David Howe (Jan 20)
- Re: Using 0days as part of pen-test? Aarón Mizrachi (Jan 20)
- Re: Using 0days as part of pen-test? David Howe (Jan 20)
- RE: Using 0days as part of pen-test? Shenk, Jerry A (Jan 17)
- Re: Using 0days as part of pen-test? ArcSighter Elite (Jan 17)