RE: Respuesta: Penetration Testing Methodologies

From: Adriel T. Desautels (atd_at_secnetops.com)
Date: 12/15/04

    To: "'Omar Herrera'" <oherrera@prodigy.net.mx>
    Date: Tue, 14 Dec 2004 18:43:40 -0500
    
    

     

    Omar,
    That is the sort of input that I am looking for. I also agree with
    you regarding the automated tests. The way I've always explained it
    to people is that automated tests are not accurate against complex
    networks because they are static in nature. Manually executed tests
    are more accurate because humans are dynamic and not static. We've
    been doing quite a bit of follow-up work or secondary penetration
    testing to validate the results of third-party tests. Something
    that always surprises me is when the test results are very similar to
    the automated output of a scan and not of a human being. Having said
    that, we rely on automated vulnerability scanners strictly for
    reconnaissance purposes, not for actual results.

    Regards,
        Adriel T. Desautels
        Secure Network Operations, Inc.
        -----------------------------------------
        Office: 978-263-3829 Cell: 978-697-2946
        http://www.secnetops.com

    -----Original Message-----
    From: Omar Herrera [mailto:oherrera@prodigy.net.mx]
    Sent: Tuesday, December 14, 2004 4:56 PM
    To: Adriel T. Desautels
    Cc: pen-test@securityfocus.com
    Subject: Respuesta: Penetration Testing Methodologies
    Importance: Low

    ----- Original message -----
    From: "Adriel T. Desautels" <atd@secnetops.com>
    >
    > Greetings List,
    > I am interested in collecting ideas as to what people feel an
    > ideal penetration test is. What does the ideal methodology look
    > like and what are the goals? I am asking you this because I have
    > been running into interesting issues in certain markets. It would
    > appear that some people view penetration tests as nothing more
    > than basic network vulnerability audits while others view a
    > penetration test for what it is, a test designed to compromise
    > target systems as PoC of vulnerability.

    In my opinion, PenTests must include tests designed to compromise
    target systems manually. The added value of a PenTest is to have
    someone able to find (and exploit) vulnerabilities in custom
    applications (something beyond what most tools can do).

    >
    > How do people feel about the use of automated tools and the
    > weights of their results? What about manual or custom testing? We
    > have our own methodology that we use for testing our client
    > networks, but I am always interested in learning what else might
    > be done. I'd be happy to engage anyone in a conversation about
    > this subject.
    >

    Most consultants use automated tools to give you a standardized set
    of results that can be reproduced (with the same tools), but custom
    testing is important. I believe that any average PenTest consultant
    should be capable of determining common false positives and incorrect
    results with manual testing, such as IIS running on a Unix server or
    vulnerabilities for Apache web server for an IIS web server.

    Tools make many mistakes, and the least you would expect is that the
    guy running the software knows what he is doing (and actually shows
    it).

    Regards,
    Omar Herrera


