RE: nessus exceptions

From: Jerry Shenk (jshenk@decommunications.com)
Date: Fri Aug 06 2004 - 07:54:37 EDT


Isn't that just a bit harsh...on both sides. It's not unethical for a
company to leave a vulnerability open just to see if a pen-tester finds
it. I know that some companies that I consult for have had penetration
tests done where things have been missed. One recent one looked like
they just scanned the common ports (or at least some subset of all of
them) 'cuz they didn't find a web server on an odd port....wasn't really
hiding either. A few years ago, I knew that another guy had opened up
tftp from the internet but I forgot about it. I got an alert when the
testing company hit the tftp server...but they never put it in a report
and they never "re-tested". I've always wondered why that never showed
up.

I do think that if a company were to put a server up with specific
holes, they shouldn't complain if I "waste" time exploiting those
conjured up holes. A pen-test is normally priced on a time basis so the
pen-tester should be prioritizing exploitation attempts where the most
gain seems likely. If you make this target too interesting, you may
dilute the value of the pen-test.

Chris:
I'm not sure it's fair either to insist on the pen-tester using certain
tools. It's really not the tool, it's the guy running the tool...or I
would hope tools. If they do a test and ONLY run Nessus (or anything
else for that matter), that's not a very good test. I wouldn't call
it a pen-test either...vulnerability scan seems like a better term.

It does seem to me that if a pen-tester runs Nessus as their 'base tool'
and then follows that up with targeted exploit attempts at the
discovered services to identify if they really are exploitable. Then a
little bit of more detailed analysis of web servers, testing of the
domain(s) DNS servers, searching the internet for confidential info,
etc. If you really think they JUST run Nessus and then hand you the
report...yeah, that's not a pen-test and it shouldn't be a terribly
expensive vulnerability scan either.

-----Original Message-----
From: DokFLeed.Net [mailto:dokfleed@dokfleed.net]
Sent: Wednesday, August 04, 2004 1:19 AM
To: Chris Griffin; pen-test@securityfocus.com
Subject: Re: nessus exceptions

This is a very bad practice.
First, it is unethical, because you actually added a vulnerability to your
company, despite the fact that it's ONLINE, where it can be used by a
non-intended audience :)

What you should do is ask the pen-tester for the remediation reports, and
to use at least 3 different tools (there are 4+ free good tools). If you
are paying them well, then ask for the commercial originally generated
report by the tool. But testing with tools is not enough, so

they have to offer you their methodology and approach in general before
they sign the NDA and you sign the POA attached to the same contract.

That works in almost all cases.

=========================
----- Original Message -----
From: "Chris Griffin" <cgriffin@dcmindiana.com>
To: <pen-test@securityfocus.com>
Sent: Monday, August 02, 2004 10:58 PM
Subject: nessus exceptions

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
> I'm trying to find some good holes, that aren't major security issues,
> that I can create on a machine to see if our testing company really
> uses anything other than nessus.
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBDo7EeFLbG0PZdVwRAmaSAJ9gHU7w6vbI9DGKWa7xmUQ31qKSBQCgpcpq
> cC69CeYr16OsfuYu6u1oe8U=
> =bGZi
> -----END PGP SIGNATURE-----
>
>
>

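The thread above argues about planting holes to see whether a tester finds them, and Jerry notes that he only knew the testers hit his tftp server because a firewall alert fired. The following is an added example, not code from anyone in the thread: a small script that parses iptables-style kernel LOG lines (the log format, the planted port numbers tcp/8888 and udp/69, and the sample addresses are all assumptions constructed for the example) and reports which planted "canary" services were touched, by whom, and which were never touched at all. Filtering by the tester's known source addresses matters, because a tftp server open to the internet will be hit by background scanners within hours, and a hit alone does not show the tester found it.

```python
"""Check whether a pen-tester actually touched the services planted for them.

Added example (not from the mailing-list thread). Assumptions: iptables-style
kernel LOG lines, planted services on udp/69 (tftp) and tcp/8888 (web server
on an odd port), and constructed sample addresses from RFC 5737 test ranges.
"""
import re
from collections import defaultdict

# Hypothetical planted services: (protocol, destination port) -> description.
CANARIES = {
    ("udp", 69): "tftp open to the internet",
    ("tcp", 8888): "web server on an odd port",
}

# Constructed sample log: 203.0.113.10 is the (assumed) tester's address,
# 198.51.100.7 is an unrelated internet scanner that happens to hit tcp/8888.
SAMPLE_LOG = """\
Aug  5 14:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40111 DPT=80 SYN
Aug  5 14:02:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40112 DPT=443 SYN
Aug  5 14:03:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=UDP SPT=51234 DPT=69
Aug  5 14:05:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=33000 DPT=8888 SYN
Aug  5 14:05:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=40113 DPT=22 SYN
"""

# Pull the fields this check needs out of one LOG line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of timestamp, source, protocol and destination port,
    or None for lines that are not firewall LOG entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "proto": m.group("proto").lower(),
        "dpt": int(m.group("dpt")),
    }


def canary_hits(log_text, tester_ips=None):
    """Map each touched canary description to a list of (timestamp, src).

    If tester_ips is given, only hits from those addresses count, so random
    internet scanning is not mistaken for the tester's work.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dpt"])
        if key not in CANARIES:
            continue
        if tester_ips is not None and rec["src"] not in tester_ips:
            continue
        hits[CANARIES[key]].append((rec["ts"], rec["src"]))
    return dict(hits)


def missed_canaries(log_text, tester_ips=None):
    """Planted services the tester never touched; if one of these shows up
    as 'not found' in their report, the scan coverage was incomplete."""
    touched = canary_hits(log_text, tester_ips)
    return sorted(d for d in CANARIES.values() if d not in touched)


if __name__ == "__main__":
    tester = {"203.0.113.10"}
    for desc, events in canary_hits(SAMPLE_LOG, tester).items():
        for ts, src in events:
            print("%s  %s  hit by %s" % (ts, desc, src))
    for desc in missed_canaries(SAMPLE_LOG, tester):
        print("never touched by tester: %s" % desc)
```

Run against the constructed log with the tester's address filtered in, the script reports the tftp hit and flags the odd-port web server as never touched by the tester, even though an unrelated address did probe it; without the filter both canaries look "found". Keeping the timestamps lets you also answer Jerry's other point, whether a re-test ever happened, by looking for hits on a second date.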


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT