Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pen testing / Vuln Assessment from Cable Modem - question on service provider selection
From: tommymay () comcast net (Tommy May)
Date: Thu, 21 Jun 2007 14:33:43 +0000

Thanks James... certainly good ideas.  I'll keep your offer in mind...and who knows, maybe we can merge some efforts... 
 I am slowly in the process of developing relationships with small companies, doing ad-hoc security stuff, mostly 
network troubleshooting...etc.  But the need for assurance is on the rise...

Once again, thanks for taking the time and sharing perspective and experiences.

Tom


 -------------- Original message ----------------------
From: "James Ruffer" <admin () unixbox ws>
Here is what we have been doing for the last couple of years.

We collocated a couple of servers in a center that has no issue defending
your pen-testing as long as you a legit and in contract with the
company you are
testing.  This collocation facility also hosts porn so you can only imagine the
legal staff.

In October we updated our servers to XEN and consolidated our physical servers.

We now just boot a VM with whatever base OS we would like to test
using.  We have
3 base OS's that we dub with our tools.
We will also zip up the servers that we tested from and submit them to
the client for later testing via DVD.  We do not keep the XEN's after
45 days.  Each XEN is encrypted.

If you are not familiar with XEN is it just like VMWare ESX but free.

If you would like we can set up some XEN servers for your testing.  If
all goes well
who knows maybe that will be our new side business pen-testing hosting...hmmm

James

On 6/19/07, Morgan Reed <morgan.s.reed () gmail com> wrote:
On 6/20/07, Tommy May <tommymay () comcast net> wrote:
Issue - A standard nessus scan or nmap will choke my service from a standard 
home based cable modem service.

You will not likely find anybody who will be willing to allow this.

I need to have a solid provider that is "used to dealing with pen-test like 
customer businesses"... is there someone that you all may be able to recommend 
that won't cost an arm and a leg and will meet the requirements? (i.e. one 
that's home based, allows it to happen, has pen-testing customers. and doesn't 
cost any more than 100.00 a month).

I highly doubt you will find one.

Any words of wisdom would be greatly appreciated.

My best suggestion would be to find a permissive shell account or get
a co-lo server with it's own connection and use that (I have a root
shell on a tier 2 system that I use for these activities).

You're unlikely to find any ISP who will do this for you so your best
bet is to go up a tier or two and get an unrestricted connection
attached to a remote server, you'll still have to read the contracts
carefully though.

Morgan

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------




-- 
Thank you for your time.

James F. Ruffer III
Ce|H MSCE, CNA, CCNA, & BSDI
1.518.271.1844  Mobile


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]