Penetration Testing
mailing list archives
Re: Penetration test report - your comments please?
From: Curt Wilson <netw3 () netw3 com>
Date: 30 May 2001 23:42:28 -0000
Thanks for your comments.
The basic issue with this pen test was that the
company is a small company offering an internet
service for the first time. Budget constraints were the
main issue with the limitations placed on the pen test.
I would have liked to attempt brute force, trashing,
and assessment/penetration of the network
infrastructure but these were not included in our
arrangement.
How do other pen testers handle issues with
outsourced ISPs? This seems like a murky area
unless you are actually testing the ISP themselves.
Certainly, an attacker won't care about such artificial
boundaries, as a vulnerability is a vulnerability,
whether it appears in the client's IIS server (surely
not! :), sendmail, open proxy server, public/private
community strings on routers and network devices,
or a weakly secured Linux host at the ISP just ripe and
waiting for a rootkit and sniffer on a non-switched
network.
Curt Wilson, Netw3 Consulting
www.netw3.com
618-303-6383