RE: Respuesta: Penetration Testing Methodologies

From: Adriel T. Desautels (atd@secnetops.com)
Date: Tue Dec 14 2004 - 18:43:40 EST



Omar,
        That is the sort of input that I am looking for. I also agree with
you regarding the automated tests. The way I've always explained it
to people is that automated tests are not accurate against complex
networks because they are static in nature. Manually executed tests
are more accurate because humans are dynamic and not static. We've
been doing quite a bit of follow-up work or secondary penetration
testing to validate the results of third-party tests. Something
that always surprises me is when the test results are very similar to
the automated output of a scan and not of a human being. Having said
that, we rely on automated vulnerability scanners strictly for
reconnaissance purposes, not for actual results.

Regards,
    Adriel T. Desautels
    Secure Network Operations, Inc.
    -----------------------------------------
    Office: 978-263-3829 Cell: 978-697-2946
    http://www.secnetops.com

CAUTION: The information contained in this mail message is
confidential and may be legally privileged. No confidentiality or
privilege is waived or lost by any mistransmission. If the reader of
this message is not the intended recipient, you are hereby notified
that any use, dissemination, or reproduction of this message is
prohibited. If you have received this message in error please notify
the sender immediately by email and destroy the original message.
Thank you.
-----Original Message-----
From: Omar Herrera [mailto:oherrera@prodigy.net.mx]
Sent: Tuesday, December 14, 2004 4:56 PM
To: Adriel T. Desautels
Cc: pen-test@securityfocus.com
Subject: Respuesta: Penetration Testing Methodologies
Importance: Low

----- Original Message -----
From: "Adriel T. Desautels" <atd@secnetops.com>
>
> Greetings List,
> I am interested in collecting ideas as to what people feel an
> ideal penetration test is. What does the ideal methodology look
> like and what are the goals? I am asking you this because I have
> been running into interesting issues in certain markets. It would
> appear that some people view penetration tests as nothing more
> than basic network
> vulnerability audits while others view a penetration test for what
> it is, a test designed to compromise target systems as PoC of
> vulnerability.

In my opinion, PenTests must include tests designed to compromise
target systems manually. The added value of a PenTest is to have
someone able to find (and exploit) vulnerabilities in custom
applications (something beyond what most tools can do).

>
> How do people feel about the use of automated tools and the
> weights of their results? What about manual or custom testing? We
> have our own methodology that we use for testing our client
> networks, but I am always interested in learning what else might
> be done. I'd be happy to engage anyone in a conversation about
> this subject.
>

Most consultants use automated tools to give you a standardized set
of results that can be reproduced (with the same tools), but custom
testing is important. I believe that any average PenTest consultant
should be capable of determining common false positives and incorrect
results with manual testing, such as IIS running on a Unix server or
vulnerabilities for Apache web server for an IIS web server.

Tools make many mistakes, and the least you would expect is that the
guy running the software knows what he is doing (and actually shows
it).

Regards,
Omar Herrera
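Omar's point about catching scanner false positives (an IIS finding on a Unix host, an Apache finding on an IIS server) can be turned into a simple cross-check of each scanner finding against what the tester actually observed on the host. The following is an added example, not code from the thread or from either poster; the hosts, findings and the product/OS table are constructed for illustration.

```python
"""Plausibility triage of automated scanner findings (added example).

Each finding claims a product is affected. We compare that claim with
two manual observations per host: the OS fingerprint and the HTTP
Server banner. Anything inconsistent is flagged for the tester.
"""
from dataclasses import dataclass

# OS families each product realistically runs on (hypothetical table,
# maintained by the tester; extend as needed).
PRODUCT_OS = {
    "iis": {"windows"},
    "apache": {"linux", "bsd", "solaris", "windows"},
}


@dataclass
class Host:
    address: str
    os_family: str      # from an OS fingerprint, e.g. "linux"
    server_banner: str  # from a manual HTTP request, e.g. "Apache/2.0.52"


@dataclass
class Finding:
    host: str
    product: str        # product the scanner says is affected
    title: str


def triage(findings, hosts):
    """Return {(host, product): verdict} for every finding."""
    by_addr = {h.address: h for h in hosts}
    verdicts = {}
    for f in findings:
        h = by_addr.get(f.host)
        product = f.product.lower()
        if h is None:                      # nothing observed manually yet
            verdicts[(f.host, f.product)] = "unverified"
            continue
        reasons = []
        if product not in h.server_banner.lower():
            reasons.append("banner does not mention product")
        if product in PRODUCT_OS and h.os_family not in PRODUCT_OS[product]:
            reasons.append("product does not run on observed OS")
        verdict = "likely-false-positive" if reasons else "needs-manual-confirmation"
        verdicts[(f.host, f.product)] = verdict
    return verdicts


def run_sample():
    """Constructed sample data: one Unix Apache host, one Windows IIS host."""
    hosts = [Host("10.0.0.5", "linux", "Apache/2.0.52 (Unix)"),
             Host("10.0.0.6", "windows", "Microsoft-IIS/6.0")]
    findings = [Finding("10.0.0.5", "IIS", "scanner check A"),     # IIS on Unix
                Finding("10.0.0.6", "Apache", "scanner check B"),  # Apache on IIS
                Finding("10.0.0.6", "IIS", "scanner check C"),     # plausible
                Finding("10.0.0.7", "Apache", "scanner check D")]  # host not seen
    return triage(findings, hosts)
```

Findings that come back "needs-manual-confirmation" are the ones still worth a hands-on check; the flagged ones are the sort of scanner mistakes the thread describes.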




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT