Penetration Testing mailing list archives
FW: Email Pen-testing
From: "Intel96" <intel96 () bellsouth net>
Date: Mon, 22 Mar 2004 17:07:53 -0500
I had the same situation last year with a small bank that wanted a black test (no information provided to us the testers). We decided to craft a custom virus targeted only to our client. We programmed the virus for the information we desired and selected several delivery methods. The methods were: 1. E-mail attachments 2. Web downloads (created fake web pages to look like products they had purchased in IT) 3. Commercial software repackaged as a gift with the virus embedded in the installed as a update. 4. ISP upgrade disks to target's home address All these items were covered in the scope of work and liability wavier. Using these methods you are guaranteed to gain some good information about the customer's network. Note: Once you code your viruses and developed delivery methods they can be used over and over..... intel96
Doing a pen-test for a small bank which was proving very difficult to get it. A friend of mine suggested I send a backdoor trojan attachment via an email. If they clicked on it, the backdoor performs maybe a boxscan, grab passwords, and connects out to the Internet. --Much like a virus.
*cut*
I spoke with a previous customer of mine about the idea. He said he would be very upset if he was not told prior to that type of test as part of normal pen-testing.
*cut*
What's your ideas on the email pen-tesing?
--------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
Current thread:
- RE: Email Pen-testing, (continued)
- RE: Email Pen-testing R. DuFresne (Mar 23)
- RE: Email Pen-testing Mike Sues (Mar 22)
- Re: Email Pen-testing Joe Blatz (Mar 22)
- Re: Email Pen-testing Al Smolkin (Mar 22)
- Re: Email Pen-testing Andreas (Mar 22)
- Re: Email Pen-testing Michael Richardson (Mar 22)
- Re: Email Pen-testing Rainer Duffner (Mar 23)
- Re: Email Pen-testing hwertz (Mar 22)
- RE: Email Pen-testing Reava, Jeffrey (Mar 22)
- RE: Email Pen-testing Eric McCarty (Mar 22)
- FW: Email Pen-testing Intel96 (Mar 22)
- RE: Email Pen-testing Reava, Jeffrey (Mar 23)