Penetration Testing mailing list archives
Re: Internal Penetration Testing
From: Stephen Mullins <steve.mullins.work () gmail com>
Date: Sat, 13 Jun 2009 10:21:52 -0400
I question the validity of "internal pen testing." After all, as an insider you should have access to all manner of information that an attacker would not. If you have the skills to perform a legitimate "black box" pen test then you should have no problem doing whatever you want as an inside "pen tester" even if you try to play by a predetermined set of rules wherein you pretend not to have insider knowledge (good luck). I guess I don't understand the purpose. If it is to demonstrate that having someone with a moderate to high amount of skill "go rogue" inside your network is a "bad thing", that just seems redundant to me. The best use for "internal pen testing" in my opinion would be simply to see if anyone noticed via your IDS/log management solution/etc. If nobody is watching then an internal pen test is doubly pointless. Steve Mullins On Thu, Jun 11, 2009 at 8:10 AM, pma111<pmaneedham () hotmail com> wrote:
Can anybody recommend any good books, or ideally free online references to start learning the techniques of internal penetration testing? I.e. getting onto (access to) network shares, private network drives, internal servers, systems, from inside the Network that someone is not authorised to do? I wont ask for specific pointers just some good online guides so I can begin to identify the techniques that give rise to the "threat from within" etc. Regards, -- View this message in context: http://www.nabble.com/Internal-Penetration-Testing-tp23980128p23980128.html Sent from the Penetration Testing mailing list archive at Nabble.com. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Internal Penetration Testing pma111 (Jun 12)
- Re: Internal Penetration Testing Stephen Mullins (Jun 15)
- RE: Internal Penetration Testing Dr David Scholefield (Jun 16)
- Re: Internal Penetration Testing Adriel T. Desautels (Jun 16)
- Re: Internal Penetration Testing Gichuki John (Jun 17)
- Re: Internal Penetration Testing Stephen Mullins (Jun 18)
- Re: Internal Penetration Testing Adriel T. Desautels (Jun 18)
- RE: Internal Penetration Testing Mark van der Meulen (Jun 19)
- Re: Internal Penetration Testing Stephen Mullins (Jun 15)
- RE: Internal Penetration Testing Gorgon Beast (Jun 15)
- <Possible follow-ups>
- Re: Internal Penetration Testing christopher . riley (Jun 16)