On 05/09/2001, Forrest Rae <forrest@code-lab.com> wrote to pen-testat_private:

> 100% of the work by hand, then they may require extra time. This brings
> me to question why are they doing assessments by hand when there are
> great tools like Nessus?

Well, something like Nessus should be used in the first place, to give a fair and realistic offer to the customer. The tester can see there if the network is "tight" or not. If not (usual case :>), the customer should be encouraged to fix major/known bugs before a full test. You would only waste the customer's time and money w/ a detailed analysis of all holes. Of course, if "you" can offer that, offer the customer help or full implementation of the major fixes (this is not always recommended for obvious reasons).

If the network is somewhat tight, you can start doing detailed analysis on the services, structures, communication flows, trust relationships, etc. And this *takes* time, time which can't be easily estimated. As already mentioned, the first point here is: how valuable the data and the availability of the network and its services are, and how much money the customer does (and can) spend on the penetration test.

> I am also interested in other people's estimates of time per host. :)

"This depends". A user client (usually offering no services) is something different than a fully-featured workgroup server or a DMZ box offering services to the crowd out there. How about self-written CGIs, for example? What about indirect vulnerabilities? What about privilege elevation? What about social engineering (NEVER underestimate that!)? Pen-testing has to be defined by the customer, 'cause the story is about being endless :>

Pure port-scanning is fast and cheap. And it's somewhat useless. Pure service scanning for "common" vulnerabilities takes a bit more time and more or less gives only a picture of how aware and skilled the administrators are.

Btw, some have been mentioning "a hacker could spend weeks". Well, that's true - if the target is interesting enough. Most "hackers" (scrippies) are just out for the fast kick/break-in to install their ircbot or a ddos-drone - remove that noise first :>

Another point in here is: the pen-tester has *one* advantage, he can ask the customer for an account on a machine, e.g. on a webserver - just *assume* a CGI is vulnerable (most are anyway :P) and then, from the "start" being the UID which runs the webserver, try to elevate your privileges. I don't know, this is somewhat "stating the obvious" for aware people, but I see too many people out there saying "this service has no *known* root exploit, let's go to the next machine."

Hmm, I stop for now. :>

ciao
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p>
#1: Break the clue barrier! #2: Already had buzzword confuseritis ?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
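The last point in the message above, starting from the web-server UID and looking for a way up rather than moving on to the next host, as an added example that is not part of the original post and is not code from any tool it names: a first-pass local enumeration in POSIX shell of the three things a tester checks first from such an account. Set-id binaries, world-writable directories on a privileged PATH and readable files holding credentials are generic checks; the account names, the `enumerate` helper and the directory layout the functions are pointed at are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: first-pass local enumeration a
# tester runs once the customer has handed over the account the web server
# runs as (assumed here to be something like "www-data" or "nobody"). It only
# reads the file system and exploits nothing. Every function takes the tree
# to inspect as an argument so it can be run against "/" on the target or
# against a constructed fixture.

# Files under ROOT with the setuid or setgid bit set. Each one runs with an
# identity other than the caller's, so each is a candidate for elevating from
# the web-server UID and is compared against the vendor's list of expected
# set-id binaries. -xdev keeps find on one file system (no /proc, no NFS).
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Directories in a colon-separated PATH-style string that are world-writable.
# If root's or a cron job's PATH contains one, the low-privilege account can
# plant a binary that a privileged process later executes by bare name.
# "-prune" stops find at the directory itself; the test is on the permission
# bits, so the result does not depend on which user runs the script.
find_world_writable_path_dirs() {
    old_ifs="$IFS"
    IFS=:
    for dir in $1; do
        if [ -d "$dir" ]; then
            find "$dir" -prune -perm -0002 2>/dev/null
        fi
    done
    IFS="$old_ifs"
    return 0
}

# Readable files under ROOT that mention a password. CGIs and web applications
# keep database credentials in configuration the server UID must be able to
# read, and those credentials are routinely reused for shell or admin
# accounts. grep -s silences unreadable files instead of aborting on them.
find_readable_credential_files() {
    find "$1" -xdev -type f -exec grep -l -i -s 'password' {} + 2>/dev/null | sort
}

# Print the three lists for ROOT and a PATH string, one heading each.
enumerate() {
    printf '== set-id files under %s ==\n' "$1"
    find_setid_files "$1"
    printf '== world-writable directories in the given PATH ==\n'
    find_world_writable_path_dirs "$2"
    printf '== readable files mentioning a password under %s ==\n' "$1"
    find_readable_credential_files "$1"
}

# When run as a script: sh enum.sh / "$PATH"   (the second argument defaults
# to the caller's own PATH; check root's and cron's PATH separately).
if [ $# -gt 0 ]; then
    enumerate "$1" "${2:-$PATH}"
fi
```

Each list is a starting point, not a finding: a set-id binary is only interesting once its version is compared with known local exploits, and a credential file only once the password is tried against other accounts on the box. The functions work on permission bits rather than on `-w`, so running them as root during a dry run gives the same output as running them as the web-server user.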
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 10:38:33 PDT