Respuesta: Penetration Testing Methodologies

[Omar Herrera <oherrera () prodigy net mx>]

----- Mensaje original -----
De: "Adriel T. Desautels" <atd () secnetops com>
> Greetings List, 
>       I am interested in collecting ideas as to what people feel an ideal
> penetration test is. What does the ideal methodology look like and
> what are the goals? I am asking you this because I have been running
> into interesting issues in certain markets. It would appear that some
> people view penetration tests as nothing more then basic network
> vulnerability audits while others view a penetration test for what it
> is, a test designed to compromise target systems as PoC of
> vulnerability. 

In my opinion, PenTests must include tests designed to compromise target systems manually. The added value of a PenTest 
is to have someone able to find (and exploit) vulnerabilities in custom applications (something beyond that of which 
most tools can do).

>       How do people feel about the use of automated tools and the weights
> of their results?  What about manual or custom testing? We have our
> own methodology that we use for testing our client networks, but I am
> always interested in learning what else might be done. I'd be happy
> to engage anyone in a conversation about this subject. 

Most consultants use automated tools to give you a standardized set of results that can be reproduced (with the same 
tools), but custom testing  is important. I believe that any average PenTest consultant should be capable of 
determining common false positives and incorrect results with manual testing, such as IIS running on a Unix server or 
vulnerabilities for Apache web server for an IIS web server.

Tools make many mistakes, and the least you would expect is that the guy running the software knows what he is doing 
(and actually shows it).

Regards,
Omar Herrera