Penetration Testing mailing list archives
Re: Penetration test of 1 IP address
From: thomas springer <tuevsec () gmx net>
Date: Thu, 09 Feb 2006 20:43:29 +0100
If asking only for a webserver-assessment, Dan's posting is the best I saw until now.

Clemens, Dan wrote:
> It's not about using the right tools, it's about asking the right questions. You could use a whole slew of tools on some server, but if you're using the wrong tools for the wrong problem you won't get anything back and you will in turn give your client the wrong impression of security when you told them you haven't found anything.

Roelof Temmingh from Sensepost once told me about penetration-testing: "To understand the process we need to have done it many times. If you cannot write the process down on paper you probably don’t understand it completely."

I like this statement. Roelof wrote it down and made nice diagrams about the steps: Footprinting - Fingerprinting - Targeting - Vulnerability discovery - Penetration Testing. Having a look at his presentation on http://www.sensepost.com/restricted/BH2005-lv.pdf is worth it (you'll have to register, but it's free).

While I personally find that the mentioned tool does its work usually slower and less accurately than I do, I think the flowchart on page 22 represents almost every detailed step of a pentest. (I even did a second version of this chart for myself to cover plain web application testing.)

You might find that it's useful to do some foot- and fingerprinting to be able to ask the right questions afterwards. The mentioned presentation is a great primer.

thomas
