mailing list archives
Re: [PEN-TEST] Noisy ou stealthy ?
From: Greg <greg () HOOBIE NET>
Date: Sun, 8 Oct 2000 16:40:50 +0100
Why not try both, start quiet and get noisier. Using that approach you can
also measure the client's incident response handling. That is assuming they
notice it at all ;)
It's often useful to record when the client notices they are under
(simulated) attack if you go loud from the outset I guess you miss out on
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Nicolas Gregoire
Sent: 08 November 2000 16:17
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Noisy ou stealthy ?
just a question about methodology.
When you are doing some pen-tests, do you use the noisy way (full port
range scan, lot of scanning for cgi whitout IDS evasion techniques,
brute force attacks on FTP) or the sthealthy one ?
I think that the noisy way is easiest (just schedule a Nessus scan , a
whisker scan and an ISS scan for the night, read the results and attack)
but can't really test the efficacity of corporate defenses.
The stealthy way is more time-consuming, but more funny ....
So, what's your method ?