Re: Small Network Pen Testing



I actually used nmap & nessus. The company doesn't want to
hire a 3rd party pen-test engineer because of the cost; they have
presented a procedure and the cost is US$8,000.

What I did was just scan the whole network for open ports and
vulnerabilities and lock down the ports that do not need to be open,
and got nothing but a lap dance hehe.

I did an internal and an external pen test. I actually told them that what
I did is only scanning, not the real pen-test stuff.

Thank you all for replying.
Rocky





On 11/4/06, Stefano Zanero <s.zanero@xxxxxxxxxxxxxxxx> wrote:
Rocky wrote:

> they wanted me to pen test their network and I did

1) It is unethical to pen test a network you designed, because you
already know what you will find, you already know the internals, so what
kind of "penetration test" are you doing?

> using purely nmap.

2) Selling an nmap scan as a pen test is even worse than unethical.

> Is there any simple and precise method for pen testing
> small network?

This process is composed of 2 steps:
1) evaluate if a penetration test is really needed (it sounds as if it
probably isn't) and then
2) have your customer hire someone other than yourself, who can also in
fact do a penetration test

Sorry for the bluntness.

Stefano

