Penetration Testing mailing list archives

Re: Internal Penetration Testing


From: christopher.riley () r-it at
Date: Tue, 16 Jun 2009 09:04:02 +0200

Steve,

I can see your point. However I think you're not taking all the possible
variables into consideration. Not all testing should be carried out as a
blackbox test, in fact you will find a lot more possible security issues
using a whitebox methodology. Although this gives an internal penetration
tester more knowledge than an attacker, it doesn't remove the validity of
the results. Taking a basic example, an internal penetration tester may be
able to find (through manual testing or source code analysis) a Cross-Site
Scripting vulnerability on the primary website of the company. By using
knowledge of the product and access to more information than an attacker
he can find this vulnerability in a fraction of the time it would take an
external company performing a blackbox test. In this case the knowledge
the penetration tester has of the systems doesn't reduce the value of the
findings, however it does speed up the process.

Also, as somebody who works as an internal penetration tester for a bank,
I can say that there are far more applications and systems in a large
company than you'd think. It's also not left to the designers,
programmers, or support staff of these applications to perform security
tests (penetration testing, or vulnerability scanning). Having a
completely separate team to handle this means that we require no special
permissions to the application. It's not like we turn up to do a test and
already know what the Administrator password for the system is. That takes
a few minutes.... ;)

Chris John Riley

listbounce () securityfocus com@inet wrote on 15.06.2009 23:52:43:

I question the validity of "internal pen testing."  After all, as an
insider you should have access to all manner of information that an
attacker would not.  If you have the skills to perform a legitimate
"black box" pen test then you should have no problem doing whatever
you want as an inside "pen tester" even if you try to play by a
predetermined set of rules wherein you pretend not to have insider
knowledge (good luck).  I guess I don't understand the purpose.  If it
is to demonstrate that having someone with a moderate to high amount
of skill "go rogue" inside your network is a "bad thing", that just
seems redundant to me.

The best use for "internal pen testing" in my opinion would be simply
to see if anyone noticed via your IDS/log management solution/etc.

If nobody is watching then an internal pen test is doubly pointless.

Steve Mullins

On Thu, Jun 11, 2009 at 8:10 AM, pma111<pmaneedham () hotmail com> wrote:

Can anybody recommend any good books, or ideally free online references to
start learning the techniques of internal penetration testing? I.e. getting
onto (access to) network shares, private network drives, internal servers,
systems, from inside the Network that someone is not authorised to do? I
won't ask for specific pointers just some good online guides so I can begin
to identify the techniques that give rise to the "threat from within" etc.

Regards,
--
View this message in context: http://www.nabble.com/Internal-Penetration-Testing-tp23980128p23980128.html
Sent from the Penetration Testing mailing list archive at Nabble.com.



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------









