Pen Test mistake
From: Jeff Johnson (webproze_at_yahoo.com)
Date: 08/21/03
- Previous message: Alberto Guglielmo: "Re: Port 7777 oddities"
- Next in thread: RMcElroy_at_mbe.com: "RE: Pen Test mistake"
- Maybe reply: RMcElroy_at_mbe.com: "RE: Pen Test mistake"
- Reply: Patrick Dolan: "Re: Pen Test mistake"
- Reply: Jonathan Rickman: "Re: Pen Test mistake"
- Reply: Kurt Seifried: "Re: Pen Test mistake"
- Maybe reply: Jennifer Fountain: "RE: Pen Test mistake"
- Maybe reply: MILES John M: "RE: Pen Test mistake"
- Reply: Byron Copeland: "Re: Pen Test mistake"
- Reply: Anders Thulin: "Re: Pen Test mistake"
- Maybe reply: Brad Bemis: "RE: Pen Test mistake"
- Maybe reply: Alfred Huger: "Re: Pen Test mistake"
Date: Wed, 20 Aug 2003 21:47:41 -0700 (PDT)
To: pen-test@securityfocus.com
Let's just say, for theoretical purposes, that you were contracted to perform a penetration test on a company. After receiving the IP range from the company, you begin the test. You're well into the test and find several vulnerable servers, which you promptly own six ways from Sunday. Then a co-worker wanders into your company's lab and looks over your shoulder and advises you that the hosts that you're owning are a single digit in the subnet off from the hosts you're supposed to be attacking.

For example, I've owned 192.168.10.35, when in actuality I was supposed to be owning 192.168.11.35.

How do you handle this situation?

My vote is to contact the owners of the site, advise them honestly of the mistake, offer assistance (free of charge of course) in correcting the security problem you used to own them, and walk away a bit the wiser.

Anyone else have any better advice?
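The mistake described in the post above is a scope-control failure: the engagement's authorized range was known, but nothing checked each target against it before the test started. The following Python script is an added example, not code from the original message or from the list; it assumes a constructed authorized range of 192.168.11.0/24 (the range the client supposedly provided) and a constructed target list, and shows a guard a tester can run over every target before touching it. It also flags targets that are exactly one octet away from an authorized network, which is the kind of transcription error the post describes.

```python
import ipaddress

# Constructed example scope: the CIDR(s) the client handed over in the
# engagement authorization. In practice this list comes from the signed
# rules-of-engagement document, never from memory or a chat message.
AUTHORIZED_SCOPE = ["192.168.11.0/24"]

# Constructed target list, including the post's off-by-one-subnet host and
# a malformed entry, to show how each case is classified.
CANDIDATE_TARGETS = ["192.168.11.35", "192.168.10.35", "not-an-ip"]


def parse_scope(cidrs):
    """Parse the authorized CIDR strings into ip_network objects.

    strict=False accepts host-style entries such as 192.168.11.35/24 by
    masking them to their network; a typo in the scope itself still has to be
    caught by a human comparing against the authorization document.
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(target, networks):
    """Return True if `target` (an IP address string) lies in any authorized network."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in networks)


def check_targets(targets, cidrs):
    """Classify every candidate target before any testing begins.

    Returns a dict with three lists: 'allowed' (in scope), 'rejected' (a valid
    address outside scope) and 'invalid' (not parseable as an IP address).
    Only the 'allowed' list should ever be fed to a scanner.
    """
    networks = parse_scope(cidrs)
    result = {"allowed": [], "rejected": [], "invalid": []}
    for target in targets:
        try:
            ok = in_scope(target, networks)
        except ValueError:
            result["invalid"].append(target)
            continue
        result["allowed" if ok else "rejected"].append(target)
    return result


def single_octet_neighbors(target, networks):
    """Return in-scope IPv4 addresses that differ from `target` in exactly one octet.

    A non-empty result for a rejected target is a strong hint that the target
    was mistyped (192.168.10.35 vs 192.168.11.35) rather than deliberately
    chosen, and is worth surfacing in the pre-engagement review.
    """
    addr = ipaddress.ip_address(target)
    if addr.version != 4:
        return []
    octets = [int(o) for o in target.split(".")]
    hits = []
    for position in range(4):
        for value in range(256):
            if value == octets[position]:
                continue
            candidate = octets.copy()
            candidate[position] = value
            candidate_str = ".".join(str(o) for o in candidate)
            if in_scope(candidate_str, networks):
                hits.append(candidate_str)
    return hits


def require_in_scope(target, cidrs):
    """Guard to wrap around any action against a host: raises instead of proceeding."""
    if not in_scope(target, parse_scope(cidrs)):
        raise PermissionError(f"{target} is outside the authorized scope {cidrs}")
    return target


if __name__ == "__main__":
    report = check_targets(CANDIDATE_TARGETS, AUTHORIZED_SCOPE)
    print("allowed:", report["allowed"])
    print("invalid:", report["invalid"])
    networks = parse_scope(AUTHORIZED_SCOPE)
    for bad in report["rejected"]:
        hint = single_octet_neighbors(bad, networks)
        print(f"rejected: {bad}" + (f" (one octet away from in-scope {hint})" if hint else ""))
```

The point of `require_in_scope` is that the check runs at the moment of action, not only once at planning time: every tool invocation passes through it, so a target that was added later or copied with a typo is refused rather than attacked.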