Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: snmp
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 27 Sep 2004 20:11:01 -0400 (EDT)

On Mon, 27 Sep 2004, Frank Knobbe wrote:

On Fri, 2004-09-24 at 15:39, R. DuFresne wrote:
You start by getting yer "get out of jail free card" from mgt.  If you
lack that, you are likely to get fired and then prosecuted.


I didn't read it like you did. It seemed to me that Juan wanted a tool
that lists some info retrieved via SNMP Gets. With that list we would
approach management, showing that you can query interface tables, etc,
with a community string of "public".

I didn't think that he wanted to "break into" and systems, or otherwise
"pentest" it (even though he used that word in his request. Improper use
of "pentest" in my book).


It may have been a languge issue, it may have been phrasing, but,m I read
it in the fashion to which I responded.  And find that security, being the
sexy thing in the IT realm, tends to attract alot of folks lacking, yet
seeking to gain, experience, often not with a decent understanding of what
might or might not be proper etiquette, or legalities.



I don't think he needs management approval or a JOOJF card to just list
some stuff with snmpwalk. After all, the information is "public", right?

As long as he doesn't circumvent counter-measures he should be fine.
After all, he is the one responsible for security in his company. He
would be one handing out the JOOJF cards ;)


Is he the one responsible for security in his company?  I didn't see that
in his pst, and I read it in his post that perhaps this was not his domain
at work, then again, perhaps I misread his whole request <smile>.  when I
read his request, the first thing to come to mind was the Randall Swharz
debacle...

But, you are correct sir, a proposal and a list of software that could
enumerate the issue to the mgt folks would not be a problem.  Using those
tools without either having security as his tasked domain at work <how I
read his request> would be.  Course, I work for a state gov that would
frown on any of this, since it might point out problems and cross domains
of 'influence'.  MGT here tends to not want to know and shoots the
messenger on sight.


Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]