From: wirepair (wirepair@roguemail.net)
Date: Thu Dec 18 2003 - 19:41:32 EST
We always tell the client which IP's we are coming from. Mainly because we *don't* want to get
our IP's blocked by an IPS or by an unwitting admin. If you do not trust the admins will allow
the test to go smoothly, you should probably contact their managers to see that your information
does not get distorted.
Or you can simply ask them whether or not they'd like to be given that information. Occasionally,
we are told by the managers to not tell the admins to see if they notice the attacks. Doing the tests
from multiple machines has its advantages, especially when given a class C or larger to split up the time.
In our company tests are usually split up with internal/external/pbx & modems ect. But occasionally
we all work on a project together. Logs are definitly important, one thing I wish automated scanners
did would log what plugin/exploit caused the fault/issue. If the issue was caused during a penetration
test you should contact the company immediately and explain what exactly you were testing at the time
and work with them in identifying what the exact nature of the problem was.
Hope this helps,
-wire
On Thu, 18 Dec 2003 13:13:43 -0700 (MST)
Alfred Huger <ah@securityfocus.com> wrote:
>
>
>I am posting this for a user who is having difficulty posting directly to
>the list. Please reply to the list.
>
>-al
>
>
>To: Joe P <joe_nasdaq@yahoo.com>
>Cc: pen-test@securityfocus.com
>Subject: Re: How much do you disclose to customers?
>
>
>On Tue, 16 Dec 2003, Joe P wrote:
>
>> Hi everyone,
>>
>> I have a question on customer disclosure. Is it wise to tell the
>customer which IP addresses you'll be
>using before starting pen tests?
>>
>> Cons for Telling:
>> I was thinking that if you did tell them you may get an over zealous,
>insecure admin that just sets up a
>filter to block you out to make him/herself look good.
>>
>> Pros for Telling:
>> 1) if you don't tell them your IP address they may think your doing
>testing when in actuallity it's someone
>else (ie: a true cracker trying to break in).
>> 2) Audit trail reasons - if you trip up an IDS while doing testing they
>can ignore those alarms.
>>
>> Also, how do testers handle multiple IP addresses? Is there any benefit
>to doing it from multiple IP
>addresses??
>>
>> How do testers distribute a test amongst multiple people?
>>
>> Lastly, do you keep logs of tests performed just to cover yourself?
>(Ie: "Our server crashed on Saturday,
>it must have been something you did!!"")
>>
>> thanks ahead of time,
>> Joe
>>
>>
>>
>
>Alfred Huger
>Symantec Corp.
>
>---------------------------------------------------------------------------
>----------------------------------------------------------------------------
>
-- Visit Things From Another World for the best comics, movies, toys, collectibles and more. http://www.tfaw.com/?qt=wmf --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT