Re: Email Pen-testing

From: Andreas (andreas_at_inferno.nadir.org)
Date: 03/21/04

  • Next message: Michael Richardson: "Re: Email Pen-testing"
    Date: Sun, 21 Mar 2004 21:38:18 +0100
    To: pen-test@securityfocus.com
    
    

    On Mar 20, Blake wrote:
    >
    > Wanted to get your opinion on something...
    >
    > Doing a pen-test for a small bank which was proving very difficult to get in. A friend of mine suggested I send a backdoor trojan attachment via an email. If they clicked on it, the backdoor performs maybe a boxscan, grabs passwords, and connects out to the Internet. --Much like a virus.

    Let me first say that I am not a professional pen-tester, but I am very
    interested in this field.
    In my opinion, social engineering is part of a pentest. You can harden
    your network as much as possible, but if you don't train your employees
    never to open (unknown) attachments, tell passwords over the phone line,
    etc., all your hardening isn't worth it.
    Also, it is often the easiest way to break into the company's network,
    because initial traffic to the Internet is always allowed, while most
    ports from the outside are blocked. If the internal net isn't hardened
    very much, you can own the whole network of the company by getting one
    user to execute your binary.
     
    > I think this type of testing is becoming more relevant nowadays, especially with whats out there. It reinforces properly configured antivirus software and user awareness.

    The fact that email worms are often making their way inside a company
    proves that this attack vector is not trivial. Each of these worm mails could
    be your malicious binary.

    > I spoke with a previous customer of mine about the idea. He said he would be very upset if he was not told prior to that type of test as part of normal pen-testing.

    Might be true. Tell him about your plans and ask him not to inform his
    employees.
    >
    > Generally speaking, my code of ethics doesn't allow me to social engineer. I don't like lying and misleading people. Also people tend to hate you after they've been punk'd.

    But perhaps they learned their lesson?!
     
    >
    > -Blake
    >

    regards,

     Andreas
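    The thread above is about whether a backdoor sent as an e-mail attachment would get past a customer's filtering and users. The following is an added example, not code from the original post or from anyone on the list: a small triage script that takes a raw .eml message and flags attachments that a gateway or antivirus policy should have stopped, judging by executable file extensions, double extensions (report.pdf.exe) and the file's magic bytes rather than the name the sender chose. The sample message it builds is constructed here for illustration; the addresses and file names in it are made up.

    ```python
    import email
    from email import policy
    from email.message import EmailMessage

    # Extensions Windows will execute directly when a user double-clicks them.
    # A mail gateway should quarantine these regardless of the declared MIME type.
    EXECUTABLE_EXTENSIONS = {
        ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta",
    }

    # Magic bytes of formats that run no matter what the file is called.
    MAGIC = {
        b"MZ": "PE/DOS executable",
        b"\x7fELF": "ELF executable",
        b"PK\x03\x04": "ZIP container (inspect contents)",
    }


    def classify_attachment(filename, content_type, data):
        """Return the list of reasons an attachment is suspicious (empty means clean)."""
        reasons = []
        name = (filename or "").lower()
        stem, dot, ext = name.rpartition(".")
        if dot and "." + ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension ." + ext)
            # report.pdf.exe: mail clients that hide known extensions show "report.pdf".
            if "." in stem:
                reasons.append("double extension")
        # Check the bytes, not just the name: a renamed .exe is still an .exe.
        for magic, description in MAGIC.items():
            if data.startswith(magic):
                reasons.append(description)
                break
        if content_type in ("application/x-msdownload", "application/x-dosexec"):
            reasons.append("executable MIME type " + content_type)
        return reasons


    def triage_eml(raw_bytes):
        """Parse a raw RFC 5322 message and return [(filename, reasons)] for flagged parts."""
        msg = email.message_from_bytes(raw_bytes, policy=policy.default)
        findings = []
        for part in msg.iter_attachments():
            payload = part.get_payload(decode=True) or b""
            reasons = classify_attachment(
                part.get_filename(), part.get_content_type(), payload
            )
            if reasons:
                findings.append((part.get_filename(), reasons))
        return findings


    def build_sample():
        """Constructed sample: a lure mail carrying a renamed PE file and a harmless PDF."""
        msg = EmailMessage()
        msg["From"] = "pentester@example.com"   # hypothetical sender
        msg["To"] = "user@bank.example"         # hypothetical target
        msg["Subject"] = "Quarterly report"
        msg.set_content("Please review the attached report.")
        # Fake PE header: a real payload would follow; only the magic bytes matter here.
        msg.add_attachment(
            b"MZ\x90\x00" + b"\x00" * 60,
            maintype="application", subtype="octet-stream",
            filename="report.pdf.exe",
        )
        msg.add_attachment(
            b"%PDF-1.4 (constructed, not a real document)",
            maintype="application", subtype="pdf",
            filename="real_report.pdf",
        )
        return msg.as_bytes()


    if __name__ == "__main__":
        for filename, reasons in triage_eml(build_sample()):
            print(filename, "->", ", ".join(reasons))
    ```

    Run against a real mailbox export, the script shows which lures would have reached a user's inbox; an attachment that trips the magic-byte check but not the extension check is the case worth reporting, since that is exactly the renamed binary a default filter lets through.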


