Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] How to deal with others' security ?
From: Domenico De Vitto <dom () DEVITTO DEMON CO UK>
Date: Thu, 7 Sep 2000 19:59:11 +0100

Yea, the biggest companies tend to be sloppy, so to keep the waters clear
usually have a clause to keep you out, and insist you have no right to
see/know the exact configs.  It's a dirty trick and one best delt with by
just plain terminating the contract.

After all, would you trust a security company that told you that you'll
be sue'd if you check they're locking the doors!


-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Meritt, Jim
Sent: 24 August 2000 18:03
Subject: Re: [PEN-TEST] How to deal with others' security ?

If the systems are outsources, the company they are outsourced to may
legally go after you for conducting your tests on THEIR systems (it is their
hardware, wiring,...) through THEIR routers (tough to get to the client's
system without doing that) and there may be a network-wide IDS that your
specific client knows nothing about.

Better get the OK from ALL parties before proceeding!

Been there, done that.



The opinions expressed above are my own.  The facts simply are and belong to
James W. Meritt, CISSP, CISA
Senior Secure Systems Engineer at Wang Government Services, Inc.

-----Original Message-----
From: Ejovi Nuwere [mailto:ejovi () EJOVI NET]
Sent: Wednesday, August 23, 2000 11:08 AM
Subject: Re: How to deal with others' security ?

This should be addressed in the contract before the
pen-test/audit begins.
Usually you are given specific IP segments to audit. Anything
outside of
those networks are considered off limits, this includes ISP/ASP sites
which the targets DNS may be pointing.

Also, you will find that sometimes you are given the task to
audit only
one department within a corporation. Which limits you to a specific
segment. We all make mistakes, but dont concern yourself with anything
outside of your audit task. It can result in legal problems.

If you think it may be worth looking at, mention it before hand.
Otherwise, there isn't much you can do.


On Tue, 22 Aug 2000, Nicolas Gregoire wrote:


please excuse my (very) poor english.

My question is simple :
- you have to do a penetration test on a web server.
- you discover that there are virtual hosts on the same box
than the web
site you have to check.

first question :
do you know how to learn which virtual hosts are hosted on
this machine
? (reverse dns lookups, etc )
[I think it's very important to know that because the
others web site
can have exploitable cgi, resulting in the ability to root
the box and
deface all the virtual hosts]

second question :
how to deal with others' virtual hosts security [ie. they
have poor cgi]
how obtain authorization to scan these virtual hosts ?

thanks in advance

nicob () 7thzone com

  By Date           By Thread  

Current thread:
  • Re: [PEN-TEST] How to deal with others' security ? Domenico De Vitto (Sep 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]