As much as cleaning up after yourself and walking away sound like a good approach, I think it is a very poor decision. If you get caught then you are, well, screwed.

I would be 100% up front about it. I would completely clean up your mess first, and then approach your customer and explain that you made an honest mistake, nothing was damaged, and everything is exactly the way it was before you got there. And then offer to patch those very holes you exploited free of charge.

That's my 2 cents.

John Michael Miles
Information Services Analyst
Lane County Information Services
541.682.4388 - Voice
541.682.9835 - Fax
John.Milesat_private

-----Original Message-----
From: Jeff Johnson [mailto:webprozeat_private]
Sent: Wednesday, August 20, 2003 9:48 PM
To: pen-testat_private
Subject: Pen Test mistake

Let's just say, for theoretical purposes, that you were contracted to perform a penetration test on a company. After receiving the IP range from the company, you begin the test. You're well into the test and find several vulnerable servers, which you promptly own six ways from Sunday. Then a co-worker wanders into your company's lab, looks over your shoulder, and advises you that the hosts you're owning are a single digit in the subnet off from the hosts you're supposed to be attacking. Example: I've owned 192.168.10.35, when in actuality I was supposed to be owning 192.168.11.35.

How do you handle this situation?

My vote is to contact the owners of the site, advise them honestly of the mistake, offer assistance (free of charge, of course) in correcting the security problem you used to own them, and walk away a bit the wiser.

Anyone else have any better advice?

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit: www.blackhat.com
----------------------------------------------------------------------------
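The mistake described in the thread (attacking 192.168.10.35 when the contract covered 192.168.11.35) is exactly the kind of error a pre-flight scope check catches before the first packet is sent. The following is an added example, not code from either poster: a small Python gate that rejects any target outside the authorized CIDR ranges and refuses to proceed if even one is out of scope. The 192.168.11.0/24 range, the target list and the file names are constructed assumptions; the original messages give only the two host addresses, not the contracted CIDR.

```python
#!/usr/bin/env python3
"""Scope gate: refuse to run a scan until every target is inside the
authorized ranges from the engagement letter.  Added example; the CIDR,
targets and file names below are constructed for illustration."""
import ipaddress
import sys

# Assumed engagement scope (hypothetical): the client authorized only
# 192.168.11.0/24.  In practice this list is loaded from the signed
# rules-of-engagement document, never typed from memory.
AUTHORIZED_SCOPE = ["192.168.11.0/24"]

# Constructed target list reproducing the thread's off-by-one-subnet error.
SAMPLE_TARGETS = ["192.168.10.35", "192.168.11.35", "192.168.11.0/28", "not-an-ip"]


def build_scope(cidrs):
    """Parse CIDR strings into network objects (host bits tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(target, scope):
    """True only if the whole target (single host or CIDR block) lies inside
    one authorized network.  Malformed input is treated as out of scope, so a
    typo can never be silently waved through."""
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    return any(net.subnet_of(auth) for auth in scope
               if auth.version == net.version)


def check_targets(targets, scope):
    """Split targets into (allowed, rejected), preserving input order."""
    allowed, rejected = [], []
    for t in targets:
        (allowed if in_scope(t, scope) else rejected).append(t)
    return allowed, rejected


def gate(targets, cidrs):
    """Return the allowed list if everything is in scope; otherwise return
    None so the caller aborts rather than scanning a partial list.  Aborting
    (instead of filtering) forces a human to look at the mismatch, which is
    the point: the wrong subnet in the thread was a typo, not a policy."""
    allowed, rejected = check_targets(targets, build_scope(cidrs))
    if rejected:
        for r in rejected:
            print(f"OUT OF SCOPE: {r}", file=sys.stderr)
        return None
    return allowed


if __name__ == "__main__":
    # Example run against the constructed data: exits non-zero because
    # 192.168.10.35 and the malformed entry are outside 192.168.11.0/24.
    result = gate(SAMPLE_TARGETS, AUTHORIZED_SCOPE)
    if result is None:
        sys.exit("scope check failed; fix the target list before scanning")
    print("\n".join(result))
```

Wire this in front of whatever launches the scan (for example, feed its stdout to the scanner's target-file option and let the non-zero exit stop the pipeline); the check is only useful if it runs every time, not just when someone remembers.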
This archive was generated by hypermail 2b30 : Thu Aug 21 2003 - 14:24:34 PDT