RE: Pen Test Basic Needs

From: Stephane Auger (sauger@pre2post.com)
Date: Fri Jul 15 2005 - 09:43:21 EDT


No offence taken :) I know I'm still a beginner, which is why I'm doing
research. The "pen-test" I'm talking about is more a practice than
anything else. In this case, the "client" is a friend of mine.

So no, I'm not selling these services professionally, and don't intend
to for a while. Sorry if I was misleading, but I really am just looking
for a place to start.

I totally agree with what you're saying, which is why I'm trying to
figure out the basics so I don't do anything stupid when I really have
to do one...

Thanks to everyone who gave me their input, I appreciate it.

Stephane

-----Original Message-----
From: Security Professional [mailto:redteamer@gmail.com]
Sent: July 15, 2005 7:02 AM
To: Stephane Auger; pen-test@securityfocus.com
Subject: Re: Pen Test Basic Needs

Steph,

Judging by the types of questions you have asked, I would be willing
to bet that you haven't actually performed a penetration test
"professionally" before.

No worries, everyone has their first time ;)

Anyway, as I was saying, my guess is that you don't have a lot of
experience in this area. Just an honest assessment. The problem you
run into is, did you tell the company that is having you do this that
you have never done one before? One common mistake I have seen is
that people get this bug to start doing pen-tests and try to make
money the first few times they do one.

What should be happening is that you actually learn the things you are
asking first, then decide to do this professionally as a service once
you get some experience. Don't put the cart before the horse here.

Also, you state that you are well aware of the legal ramifications.
But honestly speaking...Are you? Have you consulted a lawyer and had
them explain everything to you? If so, why didn't they draft a
contract up for you? A contract ultimately comes down to what you
want to do in your test and what you do / do not want to be liable
for.

You state in one of your questions that you would use Snort in a
pen-test. You ask about where one would "start". You ask about what
type of information you would begin with. All of these questions are
things that, as a "pen tester", you should already know. If you don't
know them, you shouldn't be doing assessments on networks where you
have to worry about legal ramifications.

Quite honestly, I hope that the company you are referring to is
reading this list and realizes they aren't getting what was probably
pitched to them. Please do us all a favor and actually learn how to
do these types of things before you decide to do one as a service to a
company.

P.S. - In no way is this e-mail intended to be hurtful or insinuate
that you don't know anything. I am just stating my opinion on what I
think is going on here and calling you on it. It is people like what
I have described above, that give this profession a bad name.


