|
Penetration Testing
mailing list archives
Re: Info collection
From: H Carvey <keydet89 () yahoo com>
Date: 10 Aug 2004 16:01:38 -0000
In-Reply-To: <EDF30175FE4D804B83444FB153172A50201358 () louexch KiZAN net>
What I'm looking for are utilities that collect useful information on
running production devices in the early stages of an eval. They need to
be scriptable (ie command line) and should not have any installed
components. The idea is that they can be executed remotely using shell
scripts, psexec, or rolled into an msi package.
Refer to my previous response, but add WMI to that for Windows boxes, as well.
Why play the service guessing game w/ headers &
fingerprints when you could just find out first hand? Saves you effort
& the customer $$. In my opinion, the days of black box pen testing are
over. By starting on the box and working outward you can evaluate the
successive layers of security providing for a systematic and
comprehensive evaluation.
Agreed, excellent point. I was with Trident Data System's commercial consulting arm, and that's what we did w/
vulnerability assessments...we included it in the contract. By working cooperatively w/ the admins, we were able to
uncover all of the dust bunnies, not just the first one we ran across (as in the case of a pen test).
 By Date 
By Thread
Current thread:
- RE: Info collection, (continued)
| 
Intro
