Penetration Testing mailing list archives

Re: [PEN-TEST] 2 quick questions


From: Bill Pennington <billp () boarder org>
Date: Fri, 15 Dec 2000 15:38:17 -0800

See answers in-line

Leon Rosenstein wrote:

Hi everyone, I was curious about two things as far as pen testing goes.

First I was curious about routers: if a network has a router (a hardware
one, not a computer running Linux or NT), is there anything to be gained
from breaking into the router through one of the remote administration
points? Is this thus a fruitless exercise, or is there something to show the
customer or gain yourself if you are auditing your network's security?

By compromising a router I can gain many things. First, it gives me
another point of attack to the internal network, most likely a trusted
one. If there are any packet filters in place I can remove them. I can
sniff traffic going through the router, which could lead to password
disclosure among other things. I could wipe it out and you would have a
DoS on your hands.


Second, I was curious about social engineering. Is this considered "fair
play"? Is it discussed in advance? If you're allowed to do it, how far do
you take it? Do you take it to the point where you do a mass mailing of BO or
Sub 7 to show the owners of the network how vulnerable they are to this flaw
(because isn't social engineering kind of a flaw even though it is a human
one)? Or do you just stop with tricking them into revealing user names and
passwords?

Generally speaking, social engineering is out unless the client
specifically requests it. If the client requests it, then you have to work
out the boundaries. In general, as a pen tester I would not mass mail
trojans to all the users. It could be a huge cleanup task and would
expose my client to unneeded risk during the assessment.

Thanks.

You're welcome! :-)

--


Bill Pennington - CISSP
