Jeff Johnson wrote:
> Anyone else have any better advice?

So far I think you are right. But what then? How can you (or any other pen-tester in this situation) avoid getting into this kind of mess again?

Having a large toolkit usually means having to enter the same data over and over -- it's not a question *if* an error will be made, but *when*. And having a small toolkit (say, just Nessus or Retina or whatever) means the target will get pretty badly hit before anyone on the pen-testing side really notices ... I'm not sure I'd like to imagine what could happen with fairly autonomous tools (CORE Impact, perhaps -- haven't tried it, so I may be mistaken about this).

Doing an nmap -sL scan (i.e. reverse DNS only) early may help. "What is apex.com doing on an acme.com network? Better check this before we continue..."

I've sometimes thought that sitting behind (or rather in front of) a back-to-front firewall (that is, one that you set up to prevent you from going anywhere but to the target network) would help. It would stop single mistakes (configuring the firewall the right way, but targeting the wrong network, and vice versa), though it won't help prevent double mistakes, or situations where the customer has mistyped or made a bad guess about where his subnets *really* end. (The idea is, of course, to avoid hitting the wrong target, not just to avoid the responsibility for doing so.)

A similar situation can occur with RFC1918 nets. On the remote system you've just taken you see a number of sessions from, say, 172.16.3.1-5, and you start scanning those hosts from your home base without quite registering that they are private. And find that you're scanning entirely different systems, and systems you're not supposed to touch. May happen in large organizations that make systematic use of 1918-nets...

Pen-test your own pen-testing: how can your working process get disrupted (accidentally or deliberately), and what can you do to lessen the risks?
As has been mentioned, insurance is sometimes a possibility.

--
Anders Thulin   anders.thulinat_private   040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
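One way to mechanize the sanity checks Anders describes (the early nmap -sL reverse-DNS look, the RFC1918 trap, and the "right firewall, wrong target" mistake a back-to-front firewall is meant to catch) is a pre-flight script that refuses to hand a target list to any tool until every entry passes. The script below is an added example, not part of the original post or any product mentioned in it. The scope, expected domain, PTR table and target list are constructed placeholders; `classify_targets`, `expand` and `safe_to_proceed` are hypothetical helper names; and `reverse_lookup` is an offline stand-in for a real PTR query so the example runs without network access.

```python
import ipaddress
import re

# RFC 1918 private ranges: the nets the post warns about scanning by accident.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed data: the scope the customer signed off on and the domain their
# reverse DNS should resolve into. Both are hypothetical placeholders.
AUTHORIZED_SCOPE = ["192.0.2.0/24", "198.51.100.0/25"]
EXPECTED_DOMAIN = "acme.example"

# Constructed stand-in for the PTR answers an `nmap -sL` list scan would show,
# so the example runs offline. A real run would use socket.gethostbyaddr().
FAKE_PTR = {
    "192.0.2.10": "www.acme.example",
    "192.0.2.20": "mail.acme.example",
    "192.0.2.30": "ftp.apex.example",       # in scope, but named for someone else
    "198.51.100.200": "db.apex.example",    # outside the /25 the customer gave us
}


def reverse_lookup(ip):
    """Offline reverse-DNS lookup backed by the constructed table above."""
    return FAKE_PTR.get(ip)


def expand(spec):
    """Expand 'a.b.c.d' or the shorthand 'a.b.c.d-e' (last-octet range) into single addresses."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)", spec)
    if not m:
        return [spec]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{i}" for i in range(lo, hi + 1)]


def classify_targets(targets, scope, expected_domain, lookup=reverse_lookup):
    """Sort each target into exactly one bucket; anything not 'ok' should stop the run."""
    nets = [ipaddress.ip_network(n, strict=False) for n in scope]
    report = {"ok": [], "private": [], "out_of_scope": [], "dns_mismatch": [], "invalid": []}
    for spec in targets:
        for t in expand(spec):
            try:
                ip = ipaddress.ip_address(t)
            except ValueError:
                report["invalid"].append(t)
                continue
            if any(ip in n for n in RFC1918):
                # The 172.16.3.x case from the post: addresses seen on a compromised
                # host mean something else (or nothing) from the tester's vantage point.
                report["private"].append(t)
                continue
            if not any(ip in n for n in nets):
                report["out_of_scope"].append(t)
                continue
            name = lookup(t)
            if name is None or not name.endswith("." + expected_domain):
                # "What is apex.com doing on an acme.com network?"
                report["dns_mismatch"].append((t, name))
                continue
            report["ok"].append(t)
    return report


def safe_to_proceed(report):
    """True only when every target is in scope, non-RFC1918, and reverse-resolves into the expected domain."""
    return all(not report[k] for k in ("private", "out_of_scope", "dns_mismatch", "invalid"))


if __name__ == "__main__":
    # Constructed target list mixing correct entries with each kind of mistake.
    targets = ["192.0.2.10", "192.0.2.20", "192.0.2.30",
               "198.51.100.200", "172.16.3.1-5", "203.0.113.5", "not-an-ip"]
    rep = classify_targets(targets, AUTHORIZED_SCOPE, EXPECTED_DOMAIN)
    for bucket, items in rep.items():
        if items:
            print(f"{bucket:13s} {items}")
    print("proceed:", safe_to_proceed(rep))
```

Two design points: the tool launch is gated on `safe_to_proceed`, so a single mistyped octet or a stray private address aborts the whole run rather than quietly shrinking it; and RFC1918 membership is tested against explicit ranges rather than `ipaddress.is_private`, because `is_private` also flags the documentation nets used in this example and would hide the distinction the post is making. The same `AUTHORIZED_SCOPE` list is what you would feed into the back-to-front firewall's allow rules, so both checks share one source of truth.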
This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 08:15:21 PDT