Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Password Cracking Issues

From: "Adrian Puente Z." <apuente () hackarandas com>
Date: Tue, 05 Jan 2010 22:53:07 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you are doing a Client-aware pentest, you should have acces and even
control of the device, take screenshots to have probes and make it part
of the report that involves all the targets you are pentesting. That's
the way I do it. You should not change any setting unless you need to so
you get control of another target, but use names that can be associated
to the pentest and have a really detailed log so the IDS and IPS can
math with anything you did and you can protect yourself if a parallel
incident happens.

Greets,

On Tue, Dec 29, 2009 at 11:06 AM, THOMAS, DEDRIC (ATTCLSMA)
<dt7089 () att com> wrote:

Hey,

Ethically, you should notify them of the fact that they need to strengthen
their Account Management Policies.  You can have them change the password,
and then go forth with your pen-testing.  It would benefit both parties,
they know they can trust you to tell them the right thing, instead of

faking

your way through a password hack, even though you know the password.

Just my two cents....

Dedric

-----Original Message-----
From: listbounce () securityfocus com

[mailto:listbounce () securityfocus com] On

Behalf Of JAE HO JANG
Sent: Thursday, December 17, 2009 10:08 AM
To: pen-test () securityfocus com
Subject: Password Cracking Issues

Hi,

I am doing Pen-testing of our customer's FW, NetScreen.
But I installed this FW also set password a few months ago so I

already knew

the password (they haven't changed).
In this case, what is the best way to do?
just proceed the password cracking? then report them I managed to find the
password?
or skip password cracking and then advise to reinforce the password

policy?


Please advise.
Thanks in advance.

Regards,
Tony


--------------------------------------
Get Disney character's mail address on Yahoo! Mail
http://pr.mail.yahoo.co.jp/disney/

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review

Board


Prove to peers and potential employers without a doubt that you can

actually

do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




- --
Adrián Puente Z.
[www.hackarandas.com]
Donde las ideas se dispersan en bytes...

"... ruego a mi orgullo que se acompañe siempre de mi prudencia,
y si algún día mi prudencia se echara a volar, que al menos
pueda volar junto con mi locura"
        --Nietzche

Huella: FBD6 4C36 2557 C64C 1318  70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktEFzIACgkQW2tF/eN2yfYXBQCfbcRwUg0z31++mEKHehZmRv8O
P3IAn3QJU3Kfu8ZPeoE3WvTXWJHFkbGA
=RbzU
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: