Thanks for your comments. The basic issue with this pen test was that the company is a small company offering an internet service for the first time. Budget contraints were the main issue with the limitations placed on the pen test. I would have liked to attempt brute force, trashing, and assessment/penetration of the network infrastructure but these were not included in our arrangement. How do other pen testers handle issues with outsourced ISPs? This seems like a murky area unless you are actually testing the ISP themselves. Certainly, an attacker won't care about such artificial boundaries, as a vulnerability is a vulnerability, whether it appears in the clients IIS server (surely not! :), sendmail, open proxy server, public/private community strings on routers and network devices, or a weakly secured linux host at the ISP just ripe and waiting for a rootkit and sniffer on a non-switched network. Curt Wilson, Netw3 Consulting www.netw3.com 618-303-6383
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 08:36:27 PDT