Re: How much do you disclose to customers?

From: goat (goat@severus.org)
Date: Fri Dec 19 2003 - 13:42:50 EST


I personally can't remember any situations where I have not given the client my IPs. Even if the CEO/CTO/C*O of the company is requesting a 'black' penetration test I still give them my IPs or give them to the designated "trusted agent" on their tech team. Since they're usually paying through the nose for my services, I rely on them to maintain the integrity of the test.

I have done announced tests on "uncooperative" sites where rogue techs working for the client did in fact block my IPs on certain subnets. Unfortunately, it's nearly impossible to detect this type of block unless you're actively looking for it. This is one of the primary reasons that I avoid doing penetration testing as a stand-alone activity. A phased assessment that maybe starts as a 'black' test and then moves to a full inspection with access to FW rules, router configs and ACLs, etc, etc will uncover any admin buggery.

As for your second question: Yes. Without question. How much time/money does it take to set up an old box with tcpdump? How much time/money would it cost to defend yourself from an accusation with no evidence of your activities? Do the math and the answer becomes obvious very quickly. In my company we've gone so far as to have a completely different group maintain an OpenBSD bridge that logs all of the traffic in and out of our test lab.

-- 
goat@severus.org
"Rock over London, Rock on Chicago..."
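The "old box with tcpdump" evidence capture the post argues for, as an added example that is not part of the original message: a rotating full-packet capture on the lab-facing interface plus a SHA-256 manifest, so the capture files can later be shown unchanged. Assumes a Linux host with tcpdump and sha256sum; IFACE and CAPDIR are placeholder names.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder settings:
IFACE="${IFACE:-eth0}"                        # interface facing the test lab
CAPDIR="${CAPDIR:-/var/log/pentest-evidence}" # where capture files are kept

# Start a rotating full-packet capture: -s 0 keeps whole packets,
# -G 3600 starts a new file every hour, -w names files by timestamp.
start_capture() {
    mkdir -p "$CAPDIR"
    tcpdump -i "$IFACE" -n -s 0 -G 3600 \
        -w "$CAPDIR/lab-%Y%m%d-%H%M%S.pcap"
}

# Record a SHA-256 for every finished capture file in the directory.
# Prints the number of files hashed.
make_manifest() {
    ( cd "$1" || exit 1
      : > MANIFEST.sha256
      for f in *.pcap; do
          [ -f "$f" ] || continue
          sha256sum "$f" >> MANIFEST.sha256
      done
      wc -l < MANIFEST.sha256 | tr -d ' ' )
}

# Re-check the files against the manifest later; exit status 0 means
# every capture file still matches the hash recorded at capture time.
verify_manifest() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}
```

Run make_manifest on the capture directory from a cron job that fires shortly after each rotation, and keep a copy of the manifest on a host the testers cannot write to.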


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:44 EDT