Re: sniffing plaintext protocols



On 8/1/06, itsec.info <itsec.info@xxxxxxxxx> wrote:

From a security point of view it is a fundamental question whether such a
scenario is technically possible or not.
If so, how do I have to assess such a risk, how can I check that at a
penetration test and how about the mitigation.


Mike,

The answer is to avoid using plaintext protocols. About the only
plaintext protocol I can think of any argument for would be ftp (which
I would limit to anonymous logins). If at all possible I would force
users to use scp, sftp or ftps.

As far as checking during a penetration test,.....if they are using
plaintext protocols then you ahve your answer. While this may sound
like an extreme statement to some, continued use of plaintext
protocols in todays environment can generally be attributed to
laziness or ignorance. I'd love to hear someone make a case that use
of plaintext protocols (other than http for general web browsing) is a
best (or even acceptable) practice.

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------



Relevant Pages

  • RE: Penetration Mindmap - major update
    ... Penetration Mindmap - major update ... Download FREE whitepaper on how a managed service ... As attacks through web applications continue to ...
    (Pen-Test)
  • Re: a opensource pentesters tools manual (ospttm) project.
    ... I have set on a project to make a penetration testing tools ... As attacks through web applications continue to rise, ... Download FREE whitepaper on how a managed service can ...
    (Pen-Test)
  • Re: Which SQL is that? SQL Injection question
    ... > I am doing penetration test for client and have weird situation. ... Download FREE whitepaper on how a managed service can ... As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. ... Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. ...
    (Pen-Test)
  • Re: Starting Out
    ... and use a penetration test as a capstone. ... involves keeping the network safe. ... Download FREE whitepaper on how a managed service can ...
    (Pen-Test)
  • Re: Penetration Mindmap - major update
    ... I've been working alongside Lee Lawson to add alot more content to the Mindmap that may help people performing both; Vulnerability Assessments and Penetration Tests. ... Download FREE whitepaper on how a managed service can ... Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. ...
    (Pen-Test)