Penetration Testing mailing list archives
Re: [PEN-TEST] 2 quick questions
From: "Skinner, Tim L." <tskinner () LARSONALLEN COM>
Date: Mon, 18 Dec 2000 10:46:47 -0600
Well I've got an obscure real world example of compromising a router. This particular client had a FR PVC to the internet combined with their private network that ran through the same router, by design of course. Anyway this particular router did FR switching to set up a FR link to carry their private data AROUND their internet firewall. Well anyway, telnet was open and not being logged, so after a while, I guessed the password and bypassed their firewall and had access to their internal network without even being noticed. As to your second question, I believe that has been answered already. Tim Skinner, CISSP LarsonAllen eSource voice: 612-397-3176 fax: 612-397-3276 -----Original Message----- From: Leon Rosenstein [mailto:l_rosenstein () MONTELSHOW COM] Sent: Friday, December 15, 2000 8:55 AM To: PEN-TEST () SECURITYFOCUS COM Subject: [PEN-TEST] 2 quick questions Hi everyone I was curious about two things as far as pen testing goes. First is I was curious about routers: If a network has a router (a hardware one, not a computer running Linux or NT). Is there anything to be gained from breaking into the router through one of the remote administration points? Is this thus a fruitless exercise or is there something to show the customer or gain yourself if you are auditing your network's security? Second I was curious about social engineering. Is this considered "fair play?" Is it discussed in advance? If you're allowed to do it how far do you take it? Do you take it the point where you do a mass mailing of BO or Sub 7 to show the owners of the network how vulnerable they are to this flaw (because isn't social engineering kind of a flaw even though it is a human one?) Or do you just stop with tricking them into revealing user names and passwords? I am not pen testing, I was just thinking about these things before I fell asleep last night and I was curious. Anyway public or private responses welcome. Thanks.
Current thread:
- [PEN-TEST] 2 quick questions Leon Rosenstein (Dec 16)
- Re: [PEN-TEST] 2 quick questions Talisker (Dec 16)
- Re: [PEN-TEST] 2 quick questions Bill Pennington (Dec 16)
- Re: [PEN-TEST] 2 quick questions M Schubert (Dec 16)
- Re: [PEN-TEST] 2 quick questions sporty o'one (Dec 16)
- Re: [PEN-TEST] 2 quick questions Joe Shaw (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] 2 quick questions Bock, John (ISS San Francisco) (Dec 18)
- Re: [PEN-TEST] 2 quick questions Jose Nazario (Dec 18)
- Re: [PEN-TEST] 2 quick questions Skinner, Tim L. (Dec 19)