Re: pentest documentation

From: Ben Anderson (hawklan@iastate.edu)
Date: Tue Oct 03 2006 - 14:49:47 EDT


> > I want to document the pentest process in detail, not only for the
> > customer, but for later reviews and to avoid legal difficulties.
>
> If I knew you were keeping pentest info on my company I wouldn't hire
> you. Keeping that data around makes you a target for all your
> customers.

This is a good point. There are conflicting interests between you and your
customer. The customer wants to keep the data private, so they will want you to
destroy the data or turn it over to them. However, you need that data for
review purposes and/or to legally cover yourself.

For the legal issues, I see two possibilities. The first is that you could turn
the data over to them in exchange for signing some sort of waiver or other
document stating that they can't take legal action against you. (Whether this
is sufficient is a question for your lawyer.) Second, you could agree to
archive the data with someone like Iron Mountain that will guarantee the
security of the physical media. Then you can simply sign a document that has
the hash values on it and everyone gets a copy for their records. (I would use
SHA-2 since SHA-1 and MD5 are broken.)

For reviewing purposes, the client may agree to let you keep the data as long as
it is anonymized. This is hard to do properly, and may destroy the data you
want to review, but would be better than nothing. You may also be able to get
the customer to agree to you delivering or destroying the data within 30 days,
which should be enough time to review it.

Now, to collect the data, there are two parts to this problem. The first is
what you are doing; so I would record the session using whatever screen capture
software is available. I say screen capture since it will cover both CLI and
GUI commands you use. The second part is monitoring what the tools are doing.
This would require any logs from the tool itself and the network traffic
generated. The tool should cover the logging part and you can use Wireshark for
the network side.

Benjamin Anderson
Ph.D. Student
Department of Electrical and Computer Engineering
Iowa State University
hawklan@iastate.edu
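A script to produce and later check the "document with the hash values" described above, as an added example that is not part of the original post: it writes a sha256sum-compatible manifest of an evidence directory (SHA-256, i.e. SHA-2, as the post recommends) and, when the archived media is pulled again, reports any modified, missing or added files. The directory layout and file names are assumptions.

```python
import hashlib
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large pcaps do not need to fit in memory


def sha256_file(path):
    """Hex SHA-256 digest of one file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(manifest, out_path):
    """Write in `sha256sum` format ("<hex>  <path>") so anyone can re-check it with `sha256sum -c`."""
    with open(out_path, "w") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")


def read_manifest(path):
    """Parse a manifest written by write_manifest (or by `sha256sum`)."""
    manifest = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)  # two spaces separate hash and path
            manifest[rel] = digest
    return manifest


def verify(root, manifest):
    """Compare the directory against the signed manifest; every list empty means the archive is intact."""
    current = build_manifest(root)
    return {
        "modified": sorted(r for r in manifest if r in current and current[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in current),
        "added": sorted(r for r in current if r not in manifest),
    }
```

The manifest file itself is what both parties sign and keep; the evidence directory goes to the escrow archive. Keep the manifest outside the directory it describes, or it will show up as an "added" file on verification.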
