From: Brewis, Mark (mark.brewis@eds.com)
Date: Fri Dec 19 2003 - 11:59:39 EST
On Tue, 16 Dec 2003, Joe P wrote:
> I have a question on customer disclosure. Is it wise to tell the
customer which IP addresses you'll be
using before starting pen tests?
>
Always. Even on 'blind' jobs, when the client is specifying a PenTest to test IDS and firewall teams effectiveness, someone in the client organisation - the people you agreed the scope with - need to know who you are and where you are coming from, in order to cap escalation procedures etc.
> Cons for Telling:
> I was thinking that if you did tell them you may get an over zealous,
insecure admin that just sets up a
filter to block you out to make him/herself look good.
>
Possible, and have seen it done, but only once. It is a very limited solution, and stands out during testing. If you report that what you find, and the client wonders why you weren't able to see their web-site, it is a bit of a giveaway. Most admins are happy to help anyway.
> Pros for Telling:
> 1) if you don't tell them your IP address they may think your doing
testing when in actuallity it's someone
else (ie: a true cracker trying to break in).
Yes
> 2) Audit trail reasons - if you trip up an IDS while doing testing they
can ignore those alarms.
>
Worth reminding the client to tell all parties that you are doing the test - their ISP, and managed services etc, so that you don't get blocked downstream.
> Also, how do testers handle multiple IP addresses? Is there any benefit
to doing it from multiple IP
addresses??
>
This is actually a very complex question. It depends very heavily on what type of test you are doing. But, in general, multiple IP gives you flexibility and are often essential.
> How do testers distribute a test amongst multiple people?
>
By skills. You need to know your team well, but with experience it tends to distribute itself, to a point.
> Lastly, do you keep logs of tests performed just to cover yourself?
(Ie: "Our server crashed on Saturday,
it must have been something you did!!"")
>
> thanks ahead of time,
> Joe
>
Script everything under Linux. Keep raw output from all your tools. Consider packet logging everything. Burn it all on to a CD when you are finished. It can help you with all sorts of issues: how much you covered, what you did, what test were running when x crashed, what the problem with x might be, if it is a new vulnerability etc.
HTH,
Mark
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT