Penetration Testing mailing list archives
Password Cracking Issues
From: "Adrian Puente Z." <apuente () hackarandas com>
Date: Tue, 05 Jan 2010 22:53:07 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you are doing a Client-aware pentest, you should have access and even control of the device, take screenshots to have probes and make it part of the report that involves all the targets you are pentesting. That's the way I do it.

You should not change any setting unless you need to so you get control of another target, but use names that can be associated to the pentest and have a really detailed log so the IDS and IPS can match with anything you did and you can protect yourself if a parallel incident happens.

Greets,

On Tue, Dec 29, 2009 at 11:06 AM, THOMAS, DEDRIC (ATTCLSMA) <dt7089 () att com> wrote:

Hey,

Ethically, you should notify them of the fact that they need to strengthen their Account Management Policies. You can have them change the password, and then go forth with your pen-testing. It would benefit both parties, they know they can trust you to tell them the right thing, instead of faking your way through a password hack, even though you know the password.

Just my two cents....

Dedric

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of JAE HO JANG
Sent: Thursday, December 17, 2009 10:08 AM
To: pen-test () securityfocus com
Subject: Password Cracking Issues

Hi,

I am doing Pen-testing of our customer's FW, NetScreen. But I installed this FW also set password a few months ago so I already knew the password (they haven't changed).

In this case, what is the best way to do? just proceed the password cracking? then report them I managed to find the password? or skip password cracking and then advise to reinforce the password policy?

Please advise. Thanks in advance.

Regards,
Tony

--------------------------------------
Get Disney character's mail address on Yahoo! Mail
http://pr.mail.yahoo.co.jp/disney/

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

- --
Adrián Puente Z.
[www.hackarandas.com]
Where ideas scatter into bytes...

"... I beg my pride to always be accompanied by my prudence, and if some day my prudence should fly away, may it at least fly together with my madness" --Nietzsche

Fingerprint: FBD6 4C36 2557 C64C 1318 70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktEFzIACgkQW2tF/eN2yfYXBQCfbcRwUg0z31++mEKHehZmRv8O
P3IAn3QJU3Kfu8ZPeoE3WvTXWJHFkbGA
=RbzU
-----END PGP SIGNATURE-----