Penetration Testing mailing list archives

Re: Using 0days as part of pen-test?
From: Oliver Schad <oliver.schad () oschad de>
Date: Thu, 15 Jan 2009 08:42:06 +0100

On Tuesday, 13 January 2009, Pete Herzog wrote to me:
> I think you don't have any problems except if you performed actions
> outside the statement of work, the contract, or the scope or live in
> France.  As I can see it:
>
> 1. By penetrating in you were able to see more of the infrastructure
> and make a better analysis of what is there and what its limitations
> are so you did a good thing. Not to mention by saving time with that
> you had time to be much more thorough, test from various vectors, and
> give a real value for the test.

I don't understand something: Why should you test a blackbox, why 
shouldn't you get all information except user accounts? You don't know 
the knowledge of all attackers around the world about this specific 
network. You should assume, there is somebody who knows everything, 
should you?

I mean, why should I choose as a tester a role of an attacker who knows 
nothing about the network if there is somebody in this world who could 
attack this network with all knowledge he needs?

Regards
Oli
