PenTest Checklist

From: J. Yoon (supercool9000_at_hotmail.com)
Date: 01/06/04

    To: security-basics@securityfocus.com
    Date: Tue, 06 Jan 2004 11:07:05 -0500
    
    

    Here's a quick summary from various sources for your review. I also
    wanted to know what your favorite tools/methods are for testing
    items D through M below.

    Pen-Test Quick Checklist

    A - Assessment - how long it will take to run the port scan.
    For a basic test: 2 days for a class C, 12 hops over a 64k digital line;
    an additional hour per class C for every hop over 12;
    additional time for systems protected by IDS and stateful-inspection
    firewalls.

    B - Goals
    recognize best practices
    recognize business risks
    privacy issues both internal and external

    C - Technical Prep:
    1) set up attack network - prep full packet sending recovery, avoid
    firewall/NAT pitfalls.
    2) access security testing resources - find exploits, find running
    services (HTTP, FTP, SMTP, POP3, etc.), and what versions
    3) set up attack server - install tools

    D - Physical System testing - how easy it is to physically get access to the
    system.

    E - Social engineering test - find out how easy it is to obtain critical
    information from people.

    F - Web App Testing - tests the website as an application for security holes,
    weaknesses, usability, performance, and quality.

    G - VPN testing - security of remote access VPN, encryption methods, etc

    H - Privilege Testing - test with various logins as a valid system user

    I - Router/Firewall/IDS testing - test where another system is placed inside
    the DMZ to convey information. All firewalls should be tested together and
    separately from the router.

    J - DoS testing - to discover if it's vulnerable to denial of service attacks
    where vital services may be crippled.

    K - Containment Measures Testing - test for trojans, viruses or
    spam/adware, internal web browsing with scripts and applets.

    L - Periodic Testing - regular weekly or monthly testing

    M - Verification Testing - To verify that any problems have been
    implemented properly

    N - Report Results
      1) privacy problems
      2) security problems
      3) web components
      4) overall ratings
      5) suggestions

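Item C.2 on the checklist (find the running services and their versions) is in practice a banner-grab pass over the hosts found by the port scan. The script below is an added example for that step; it is not from the original post or from any tool the list mentions. SMTP, FTP, POP3 and SSH all announce themselves as soon as you connect, so one read is enough; HTTP says nothing until asked, so it gets a HEAD request and the Server header is taken from the reply. The banner regexes are my own assumptions about common greeting shapes, not a fingerprint database, and the sample banners plus the 127.0.0.1 listener used by `run_local_demo()` are constructed so the script runs offline. Point `grab_banner()` at real hosts only within the scope you have authorization for.

```python
"""Banner-based service/version discovery (checklist item C.2).

Added example, not code from the original post. Patterns are assumptions
about common banners; sample services below are constructed for the demo.
"""
import re
import socket
import threading
from typing import Dict, List, Optional, Tuple

# (service, regex with a 'version' group). FTP is checked before SMTP
# because both greet with a 220 code. These shapes are assumptions.
BANNER_PATTERNS = [
    ("SSH",  re.compile(r"^SSH-\d\.\d-(?P<version>\S+)")),
    ("FTP",  re.compile(r"^220[ -].*?(?P<version>(?:vsFTPd|ProFTPD|Pure-FTPd)\s*[\d.]*)", re.I)),
    ("SMTP", re.compile(r"^220[ -]\S+\s+(?P<version>E?SMTP.*?)\s*$", re.I)),
    ("POP3", re.compile(r"^\+OK\s+(?P<version>.*?)\.?\s*$")),
    ("HTTP", re.compile(r"^HTTP/\d\.\d \d{3}.*?\r?\nServer:\s*(?P<version>[^\r\n]+)", re.I | re.S)),
]
# Fallback when a service is silent or unrecognised: guess by well-known port.
PORT_HINTS = {21: "FTP", 22: "SSH", 25: "SMTP", 80: "HTTP", 110: "POP3"}


def classify_banner(banner: str, port: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Map a raw banner (plus optional port hint) to (service, version-or-None)."""
    text = banner.strip()
    for service, pattern in BANNER_PATTERNS:
        match = pattern.search(text)
        if match:
            return service, match.group("version").strip()
    if text.startswith("HTTP/"):      # HTTP reply that carries no Server header
        return "HTTP", None
    if text.startswith("SSH-"):
        return "SSH", None
    return PORT_HINTS.get(port, "unknown"), None


def grab_banner(host: str, port: int, timeout: float = 3.0, probe_http: bool = False) -> str:
    """Connect, optionally send an HTTP HEAD, and return what the service says first.

    Decoded as latin-1 so a binary greeting never raises; a silent service
    yields '' after the timeout instead of an exception.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if probe_http:
            sock.sendall(("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode())
        chunks: List[bytes] = []
        try:
            while len(b"".join(chunks)) < 4096:
                data = sock.recv(1024)
                if not data:
                    break
                chunks.append(data)
                if not probe_http:
                    break             # banner-first services: one read is enough
        except socket.timeout:
            pass
        return b"".join(chunks).decode("latin-1", "replace")


# Constructed sample services for the offline demo: (label, banner, needs HTTP probe)
SAMPLE_SERVICES = [
    ("smtp", b"220 mail.example.com ESMTP Postfix\r\n", False),
    ("ftp",  b"220 (vsFTPd 2.0.1)\r\n", False),
    ("ssh",  b"SSH-2.0-OpenSSH_3.7.1p2\r\n", False),
    ("pop3", b"+OK Dovecot ready.\r\n", False),
    ("http", b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.29 (Unix)\r\nContent-Length: 0\r\n\r\n", True),
]


def _serve_once(banner: bytes) -> int:
    """Throwaway 127.0.0.1 listener that sends `banner` to one client. Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler() -> None:
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(2.0)
        if banner.startswith(b"HTTP/"):   # a web server waits for the request first
            try:
                conn.recv(1024)
            except socket.timeout:
                pass
        conn.sendall(banner)
        conn.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def run_local_demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Fingerprint the constructed services; nothing leaves 127.0.0.1."""
    results = {}
    for label, banner, probe_http in SAMPLE_SERVICES:
        port = _serve_once(banner)
        raw = grab_banner("127.0.0.1", port, timeout=3.0, probe_http=probe_http)
        results[label] = classify_banner(raw, port)
    return results


if __name__ == "__main__":
    for label, (service, version) in run_local_demo().items():
        print("%-5s -> %-5s %s" % (label, service, version or "(version not advertised)"))
```

Banners are self-reported, so treat the version string as a lead to confirm (a patched build can keep an old banner, and some admins rewrite them), and note that the HEAD probe and every connect show up in a stateful firewall or IDS log, which is the extra time item A budgets for.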

