Penetration Testing mailing list archives

RE: Internal Penetration Testing


From: "Dr David Scholefield" <david () port80 com>
Date: Tue, 16 Jun 2009 08:38:22 +0100

I disagree with this.

Internal pen tests provide at least two advantages. It's not a matter
of how much information an attacker has access to, instead it is about
where in the network in relation to the perimeter firewalls that
the attacker has access from. That's what defines 'internal' vs
'external'.

There are a number of scenarios that are tested by internal pen tests
that cannot be tested from external access:

1) an internal employee/contractor/visitor who has access to network 
connectivity from within a perimeter firewall (which may be at a number 
of different internal connection points)

2) an external attacker who manages to subvert the perimeter firewall
(perhaps in the future due to a less than optimal configuration change,
or even a perimeter firewall failure of some kind, or a failed
authentication mechanism controlling VPN access etc).

You seem to be confusing 'black box' and 'white box' with 'internal' and
'external'. An internal pen test may be fully black box (some person simply
jacks in to an internal network point and has malicious intent, for
example), or white box (a pen tester is given network diagrams). This is
*very* worthwhile testing.

To trust the perimeter firewalls completely, and therefore not to test
what might happen if the perimeter is breached by an external attacker
or internal malicious access is attempted, appears to be short-sighted.

david

----
Dr David Scholefield, CISSP, OPST, MBCS
07525 624 997
www.port80.com

PGP key ID:    D45F657D

4063 05DB 31F6 9E6A 130C
13E7 C9FA 2769 D45F 657D

Security in a connected world






-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Stephen Mullins
Sent: 13 June 2009 15:22
To: pma111
Cc: pen-test () securityfocus com
Subject: Re: Internal Penetration Testing

I question the validity of "internal pen testing."  After all, as an
insider you should have access to all manner of information that an
attacker would not.  If you have the skills to perform a legitimate
"black box" pen test then you should have no problem doing whatever
you want as an inside "pen tester" even if you try to play by a
predetermined set of rules wherein you pretend not to have insider
knowledge (good luck).  I guess I don't understand the purpose.  If it
is to demonstrate that having someone with a moderate to high amount
of skill "go rogue" inside your network is a "bad thing", that just
seems redundant to me.

The best use for "internal pen testing" in my opinion would be simply
to see if anyone noticed via your IDS/log management solution/etc.

If nobody is watching then an internal pen test is doubly pointless.

Steve Mullins

On Thu, Jun 11, 2009 at 8:10 AM, pma111<pmaneedham () hotmail com> wrote:

Can anybody recommend any good books, or ideally free online references to
start learning the techniques of internal penetration testing? I.e. getting
onto (access to) network shares, private network drives, internal servers,
systems, from inside the Network that someone is not authorised to do? I
won't ask for specific pointers, just some good online guides so I can begin
to identify the techniques that give rise to the "threat from within" etc.

Regards,
--
View this message in context:
http://www.nabble.com/Internal-Penetration-Testing-tp23980128p23980128.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


