On Wed, Jun 20, 2001 at 03:11:52PM -0400, Jonathan Rickman wrote:

> Personally, I agree that there is much more involved in penetration
> testing than running "can scans" like ISS. However, I do have to point out
> that showing up without some of these tools handy is a mistake. Nessus is
> pretty good. Passing up on the opportunity to save yourself time is kinda

I used the word 'consists', not 'includes' - don't know if it was the right one, sorry.

Personally, I don't like automated *vulnerability* scanners (to make it clear that nMap doesn't belong here). I won't comment more about that, since we'll probably have another flaming session :)

> foolish. I like to start out with nmap, nessus, and sara/saint to identify
> potential targets. After mapping and documenting everything, the
> "proprietary techniques" (bunch of perl scripts) come out to play. Don't

'Bunch of perl scripts' doesn't make a 'proprietary technique' - it just makes 'proprietary tools' (which you might, or might not want to, give to the client - depends on the contract, relationship with the client, etc.).

Proprietary techniques? Ok, let's imagine that I am a client! ("you" below does not relate to anyone specific - just don't flame me :)

You come to my company, you use a 'proprietary technique' to root some box, and then what? You will not tell me how you did it, because it is a 'proprietary technique'? What do you think my reaction will be? I'd probably sue you, not pay you anything, and do whatever I can in order to make sure everyone else finds out about that.

Well, I don't know about others, but all the clients we deal with are not the ones that accept "I can't tell you" as an answer, or "It's secret" as an argument. No, I'm not trying to sound 'important' or to impress anyone, it's just reality with big companies (at least in my experience, in the Asia-Pacific region).

On the other hand, it is *my* opinion that a pentest should not be done in order to 'show the client' that you can hack them. How does that help them? It doesn't. The purpose of a pentest, in *my* opinion, is to:

a) *understand* the client's infrastructure/setup well
b) find *all* security problems in the time allocated - not just tell them something like "I rooted your DNS server, hehehe..." and stop there
c) *help* the client by teaching/telling them how to fix *all* the security problems found
d) possibly (we always do it) skip to the 'next phase' where boxes are reviewed/hardened one-by-one up to the level the customer and we agree on (not everyone requires a 'military level' of security on their boxes)

Not much space for 'proprietary techniques' and 'secrets' in here, I think.

> bash the point and click scanners...some of them do a better job than
> "proprietary techniques" ever will. What would you think if a pen-test
> team showed up without nmap?

I never mentioned nMap and it is not a vulnerability scanner (like Nessus/ISS/CyberCop, which I did mention). I love nMap. On the other hand, I wouldn't think anything about a team that shows up w/o nmap. I would wait for the results.

Really, people are already scared enough with all the security news in mainstream media, do security professionals need to scare them even more by making pentesting so 'secretive' and 'proprietary'? I always feel sorry when we do a pentest and 'observers' get completely shocked because we don't use any 3D-navigating-selfadjusting-autolearning-hax0ring tools or something. I am actually very happy if the client's staff ("observers" or whoever else) actually learns something - as long as they don't bother us *during* the work (which we insist on).

I still claim (to the clients and everyone else) that pentesting is not rocket science, and tools are not anything 'special'. Tools are just an 'extension' that helps once you know how exactly things work. The 'how exactly things work' is the key point, I'd say...

Vanja
This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 14:23:43 PDT