RE: Penetration test of 1 IP address

From: Michael Gargiullo (mgargiullo@pvtpt.com)
Date: Thu Feb 09 2006 - 13:50:59 EST


> -----Original Message-----
> From: Edmond Chow [mailto:echow@videotron.ca]
> Sent: Tuesday, February 07, 2006 10:45 PM
> To: 'Michael Gargiullo'; pen-test@securityfocus.com
> Cc: 'Edmond Chow'
> Subject: RE: Penetration test of 1 IP address
>
>
>
>
> To all:
>
> I have been asked to perform a security audit of 1 IP address
> for a client.
> They have given me the 1 IP address and a clue (webblaze).
>
> If I enter the IP address and then /webblaze, I am taken to a
> login page (user name and password requested).
>
> What tools would you recommend that I use for this assignment?
>
> Thanks for your help.
>
> Regards,
>
>
> Edmond
>
>
> --------------------------------------------------------------

Edmond,

You really need to set ground rules with your client. Set the client's
expectations on what is in bounds vs. what is out of bounds. For
example, some clients want you to handle their equipment with kid
gloves, but others want you to test with a sledgehammer.

You need to agree on a large number of issues.

Honestly, if a client approached me with only those 2 items (an IP and
Hint), I'd probably turn them down. I'd explain that using those two
items would give them a low level of assurance on the security of the
site. I'd only be able to tell them if their server is vulnerable (nmap,
nessus, Nikto, google the app, company, etc...) and if the app login
algorithm is sound.

For real assurance, that should only be the first step. Once it's
determined that the login is secure (if it is), you really should move
on to actually testing the app.

I'd have to say if they only want assurance that the login algorithm
is sound, then go for it. Do your homework, and attack based on what
you've agreed upon.

If they want to make sure the whole application is sound, you need more
than they've given you after you've finished the blind testing.

-Mike




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:30 EDT