RE: Tools for voicemail testing?

From: Todd A. Jacobs (nospam-keyword-securityfocus.7d8038@codegnome.org)
Date: Fri Jun 06 2003 - 21:02:31 EDT


On Wed, 4 Jun 2003, Stephan Barnes wrote:

> If you do proceed on to actually do the testing, instead of trying to do
> a full keyspace search my suggestion is to use password sampling and
> patterns. I have examples in the voicemail hacking section (Hacking

This is a great approach for vulnerability assessment. On the other hand,
if one of the goals of a penetration test is "break the CEO's mailbox"
rather than "find out if we have any insecure VMBs" then a brute force
approach, even if only semi-automated, is probably going to yield better
results.

In and of itself, this isn't really all that valuable. But if you're
coordinating a pen-test simulating a competitive intelligence attack,
breaking a specific target mailbox (as opposed to any mailbox) can be a
real eye-opener for the client.

I agree with your main point. I would restate it this way: most of the
time, security dollars are better spent on auditing and defense-in-depth
rather than penetration testing. Having said that, the customer is
(almost) always right. :)

-- 
The DMCA is anti-consumer. The RIAA has no right to rewrite copyright
laws to suit themselves.