Security Basics mailing list archives

Re: External Pen Test / Manual Exploitation


From: "James Fields" <jvfields () tds net>
Date: Mon, 22 Sep 2003 16:37:18 -0400

This is normal for a true penetration test.  Automated tools can do a fair
job of identifying what types of servers/services are accessible, and then
they use a database of known vulnerabilities to suggest what you *might* be
vulnerable to.  The only way to know for sure is to try to exploit the
vulnerability.  For example, we've had testers come back and say "looks like
you're running iPlanet server version X and it may be vulnerable to Z."
However, we then find that because we have removed some file or installed
some patch, we are not vulnerable.

We always have testers work during a specified period of time - say,
midnight to 6:00AM - on known days.  That way if they inadvertently crash a
server, we have time to recover.

----- Original Message -----
From: "Jason Burzenski" <jburzenski () americanhm com>
To: <security-basics () securityfocus com>
Sent: Monday, September 22, 2003 9:35 AM
Subject: External Pen Test / Manual Exploitation


I am in the process of reviewing a proposal for external penetration testing
from a vendor.  One of the phases of the pen test includes a manual
exploitation of vulnerabilities discovered using automated scans.  The text
makes mention of specially crafted commands or code and the use of modified
open source tools.

Is this a normal part of an external penetration test?  According to the
breakdown of phases, they will use automated tools, then verify the results
using manual means to reduce false positives.  Why the need for additional
manual exploitation?  This seems to pose unnecessary risk to my network
services.

Jason Burzenski
