Penetration Testing mailing list archives

[PEN-TEST] RES: [PEN-TEST] Pen-testing reports


From: Cristiano Lincoln Mattos <lincoln () CESAR ORG BR>
Date: Tue, 27 Mar 2001 16:00:46 -0300

Hi,

        We generally charge on a per-hour basis -- once you estimate
the number of hours it will take, and the number of people on the
project, you can have an outline of the cost.

        Sometimes the client gives us an outline of the scope of the
testing, so we can estimate the number of hours correctly -- and
sometimes we go on no information at all, and the number of hours
can vary somewhat, being a half-week, one-week, two-week contract,
etc.

        As to the results of the pen-test, that depends very much on
the methodology/tools that you use, and how deep you go in.  Finding
the listening ports and services is not, IMHO, very good for a
report -- any IT staff with a portscanner can do that.

        In our case, we generally use information gathering (including,
of course, portscanning) to map out the network, servers, services,
modes of use, types of access to each server, etc.  Then, we start
testing for the more basic vulnerabilities, i.e., the ones an automated
scanner like ISS might find.  After that, and depending on the
results received up till this point, we go on to slightly advanced
attacks, like DNS spoofing, IP Spoofing, subversion of authentication
services (netbt, NIS, kerberos, etc), and others.  Also included are
attacks on systems specific to the client, like web applications,
daemons, etc.  Sometimes, depending on the client and on the contract,
we have developed exploits for buffer overflows found on systems
developed by the client.

        Essential to the effectiveness of the report is finding out
who will be reading it.  Generally, low-level details and methodologies
and fixing details should be left to a separate, more technical report,
while giving the high-level view, impacts, general recommendations, etc,
on a report that management will be receiving.  But it is essential that
technical details be given, as well as ways in which to correct them.

        Of course, all this depends on how your contract has been worked
out, how far you go, etc, etc.  Your mileage may vary. :)

Cristiano Lincoln Mattos, CISSP, SSCP
CESAR - Centro de Estudos e Sistemas Avançados do Recife

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On behalf of
Mehmet Murat Gunsay
Sent: Monday, 26 March 2001 05:36
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Pen-testing reports


Hello,

I'd like to have a general idea about the penetration testing reports
that people from this mailing list offer to their customers.  I'm not
sure if the reports we provide as a company are adequate or even good
enough.  By finding the listening ports on a given subnet, we try to
find what services or programs are running and so forth.  However, as
this approach sometimes may get too deep, pricing such a test also
becomes an issue.  Is there a specific measure that some of you use for
pricing?  I believe replies for these questions will help us greatly in
redefining our standards and measures.  Thanks in advance for all the
replies.

Regards,
Mehmet Murat Gunsay
BTKOM A.S.
http://www.btkom.com
mgunsay () btkom com
