Penetration Testing mailing list archives
Re: [PEN-TEST] 2 quick questions
From: M Schubert <schubert () fsck org>
Date: Fri, 15 Dec 2000 15:46:50 -0800
Potentially, if the router logs traffic or you can put the router in promisc mode and use something like tcpdump (can't IOS do this?), you could glean some useful information obviously. Note however, I'd feel it to be important to show a client that their routers are vulnerable. Those are the gateways to the flow of information and if you're an ecommerce provider and some pissed off guy who was sent the wrong Pokemon action figure can get into your router and muck with it, you're losing sales.
> First is I was curious about routers: If a network has a router (a hardware one, not a computer running Linux or NT), is there anything to be gained from breaking into the router through one of the remote administration points? Is this thus a fruitless exercise or is there something to show the customer or gain yourself if you are auditing your network's security?
It is all about the realm of ethics. Mass mailing a trojan to prove your point is hardly ethical and quite frankly, if that's what it takes to convince your client that they've got a security problem... well, find clients with more intelligence. Social engineering is about making your client's employees _aware_; wreaking havoc to make your point isn't a good way for repeat business or happy customers.
> Second I was curious about social engineering. Is this considered "fair play?" Is it discussed in advance? If you're allowed to do it how far do you take it? Do you take it to the point where you do a mass mailing of BO or Sub 7 to show the owners of the network how vulnerable they are to this flaw (because isn't social engineering kind of a flaw even though it is a human one?) Or do you just stop with tricking them into revealing user names and passwords?
--
-- M. Schubert - mschuber () uci edu
-- Security Specialist - michaels () lightspeedsystems com
-- Sys Admin - schubert () fsck org