Penetration Testing mailing list archives
[PEN-TEST] RES: [PEN-TEST] Pen-testing reports
From: Cristiano Lincoln Mattos <lincoln () CESAR ORG BR>
Date: Tue, 27 Mar 2001 16:00:46 -0300
Hi,

We generally charge on a per-hour basis -- once you estimate the number of hours it will take, and the number of people on the project, you can have an outline of the cost. Sometimes the client gives us an outline of the scope of the testing, so we can estimate the number of hours correctly -- and sometimes we go on no information at all, and the number of hours can vary somewhat, being a half-week, one-week, two-week contract, etc.

As to the results of the pen-test, that depends very much on the methodology/tools that you use, and how deep you go in. Finding the listening ports and services is not, IMHO, very good for a report -- any IT staff with a portscanner can do that.

In our case, we generally use information gathering (including, of course, portscanning) to map out the network, servers, services, modes of use, types of access to each server, etc. Then, we start testing for the more basic vulnerabilities, i.e., the ones an automated scanner like ISS might find. After that, and depending on the results received up till this point, we go on to slightly advanced attacks, like DNS spoofing, IP spoofing, subversion of authentication services (netbt, NIS, kerberos, etc), and others. Also included are attacks on systems specific to the client, like web applications, daemons, etc. Sometimes, depending on the client and on the contract, we have developed exploits for buffer overflows found on systems developed by the client.

Essential to the effectiveness of the report is finding out who will be reading it. Generally, low-level details and methodologies and fixing details should be left to a separate, more technical report, while giving the high-level view, impacts, general recommendations, etc, on a report that management will be receiving. But it is essential that technical details be given, as well as ways in which to correct them.

Of course, all this depends on how your contract has been worked out, how far you go, etc, etc. Your mileage may vary. :)

Cristiano Lincoln Mattos, CISSP, SSCP
CESAR - Centro de Estudos e Sistemas Avançados do Recife

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On behalf of Mehmet Murat Gunsay
Sent: Monday, March 26, 2001 05:36
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Pen-testing reports

Hello,

I'd like to have a general idea about the penetration testing reports that people from this mailing list offer to their customers. I'm not sure if the reports we provide as a company are adequate or even good enough.

By finding the listening ports on a given subnet, we try to find what services or programs are running and so forth. However, as this approach sometimes may get too deep, pricing such a test also becomes an issue. Is there a specific measure that some of you use for pricing?

I believe replies for these questions will help us greatly in redefining our standards and measures.

Thanks in advance for all the replies.

Regards,
Mehmet Murat Gunsay
BTKOM A.S.
http://www.btkom.com
mgunsay () btkom com