Penetration Testing mailing list archives
Re: Is Pentesting Goal Oriented, or Coverage Oriented?
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Tue, 06 Oct 2009 11:45:00 +0100
Chris Griffin wrote:
I agree that finding one point in and stopping is an incomplete test.
A lot depends on if you are taking a depth first or breadth first approach. With automated scans, it is often the default anyhow to let it continue scanning, and of course you should finish the series (unless you feel that might cause an IDS/IDP to notice and block your access, including the already achieved breach) however, in the real world a hacker would not note a breach, then stop - he would dive in and try to exploit that, expanding and finding systems not normally exposed to external traffic but which are reachable via the breach; Normally I would say that you should ideally try at least to find out what you can reach via the breach already found, and if that hole dries up (even if that is because you now own the system) THEN continue looking for an exploitable breach on the outside. far far too many systems rely on a firewall "Maginot Line" which is never a good idea - getting them to adopt at least some concept of defense in depth is (in my opinion of course) a major goal in securing their systems against future intrusion. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Is Pentesting Goal Oriented, or Coverage Oriented? Daniel Miessler (Oct 04)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Michal Zalewski (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Zack Payton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Jerome Athias (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Ramki B Ramakrishnan (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Griffin (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? David Howe (Oct 06)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Kevin L. Shaw, CISSP, GCIH (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Chris Brenton (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Marco Ivaldi (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Robin Wood (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Tim (Oct 05)
- Re: Is Pentesting Goal Oriented, or Coverage Oriented? Taras (Oct 06)