Re: Email Pen-testing

From: Michael Richardson (mcr@sandelman.ottawa.on.ca)
Date: Sun Mar 21 2004 - 18:16:48 EST



>>>>> "Blake" == Blake <netspan@hotmail.com> writes:
    Blake> Wanted to get your opinion on something... Doing a
    Blake> pen-test for a small bank which was proving very difficult to
    Blake> get it. A friend of mine suggested I send a backdoor trojan
    Blake> attachment via an email. If they clicked on it, the backdoor
    Blake> performs maybe a boxscan, grab passwords, and connects out to
    Blake> the Internet. --Much like a virus. I think this type of
    Blake> testing is becoming more relevant nowadays, especially with
    Blake> what's out there. It reinforces properly configured antivirus
    Blake> software and user awareness. I spoke with a previous
    Blake> customer of mine about the idea. He said he would be very
    Blake> upset if he was not told prior to that type of test as part

  This is a form of what we call _BlackBox penetration testing and response
testing_.

  The purpose of it is to (hopefully) get caught. It is a test of the
company's response to an incident as well as of whether or not they are
secure.
  As such, I would expect some part of the customer to be aware of the
situation, but not all of the customer, and certainly not the IT people.
  (i.e. CIO/CEO only)

  From: http://www.xelerance.com/penetration_testing.php

} This is done without the knowledge of the end client
}customer/user. Often only the CEO or CIO of the client is aware of the
}effort. The consultant is provided with a "get out of jail free"
}letter. The consultant team attempts to compromise the client's security,
}with the goal of causing some reaction from the customer. The goal is
}not just to compromise a system, but to elicit a response from the
}client, and possibly a response from a law enforcement agency.
}
}In such a test it is acceptable for the consultant to compromise one
}server in order to continue gathering information, and/or attacking
}other systems.

    Blake> of normal pen-testing. Generally speaking, my code of
    Blake> ethics doesn't allow me to social engineer. I don't like

  Well, trojan'ed email that needs to be double-clicked *IS* social
engineering.

-- 
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
