RE: Penetration test of 1 IP address

From: Erin Carroll (amoeba@amoebazone.com)
Date: Thu Feb 09 2006 - 12:29:13 EST


T0aD,

A couple notes below

On Thu, 9 Feb 2006, T0aD wrote:

> Hello all,
>
> Really I'm a bit surprised to see you guys taking into consideration such
> questions.
> I mean, I'm not ok against beginners' questions, that's not the point,
> there is no guru nor beginners, we are here with different
> experiences and levels of knowledge (maybe I'm a better cook than aleph
> one!), but sometimes we have to understand what we're doing when
> giving away some information to some people.

I see your point but I respectfully disagree with it. Knowledge and facts
just "are". They have no morality or bias. How such information is
utilized is where it gets fuzzy. Are some people going to use the
knowledge shared on this and similar lists for nefarious purposes?
Probably. But I believe a far larger majority of people will use this
knowledge for Good<tm> and not Evil<tm>.... and I'm dangerously close to
venturing into territory against the list charter (morality of
pen-testing) so I'll leave it at that.

> Here we have some guy, working for some company, having a customer's
> problem to resolve, that's to say to provide a pentest of an IP address.
> That is fine. The problem being: where is the precise question?
> Should we help him to 'automate' some pentest? Should we teach him
> how to actually do his job? What kind of company is giving its
> customers such a poor service like assigning an employee with no clue
> how a pentest could be done?

I've spoken with the original submitter in private email and this appears
to be a case where he has been asked to perform something outside his
normal area of expertise but wants to learn. The client is a law firm (as
other posters postulated based on the usage of Weblaze) and is attempting
to harden a system before bringing it fully into production. Edmond
mentioned that the client would be amenable to opening the pen-testing up
to the list at-large and writing up some sort of legal cover for people
but I think that would be a bad idea. This list gets archived and sent all
over the place and the legal implications are...messy.

I get the impression that he (and the client and client's network
engineer) would welcome an opportunity to see how things are done and git
some learnin'. If you are interested in helping him out please contact him
directly and off-list.

-Erin Carroll
Moderator
SecurityFocus pen-test mailing list



