On Wed, 4 Jun 2003, Stephan Barnes wrote:

> If you do proceed on to actually do the testing, instead of trying to do
> a full keyspace search my suggestion is to use password sampling and
> patterns. I have examples in the voicemail hacking section (Hacking

This is a great approach for vulnerability assessment. On the other hand, if one of the goals of a penetration test is "break the CEO's mailbox" rather than "find out if we have any insecure VMBs" then a brute force approach, even if only semi-automated, is probably going to yield better results.

In and of itself, this isn't really all that valuable. But if you're coordinating a pen-test simulating a competitive intelligence attack, breaking a specific target mailbox (as opposed to any mailbox) can be a real eye-opener for the client.

I agree with your main point. I would restate it this way: most of the time, security dollars are better spent on auditing and defense-in-depth rather than penetration testing. Having said that, the customer is (almost) always right. :)

--
The DMCA is anti-consumer. The RIAA has no right to rewrite copyright laws to suit themselves.

This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 09:49:18 PDT