Penetration Testing mailing list archives

A follow-up on Email Pen-testing


From: Blake <netspan () hotmail com>
Date: 30 Mar 2004 01:45:22 -0000

In-Reply-To: <1145.1080157357 () marajade sandelman ottawa on ca>

I appreciate all the great ideas people presented on email pentesting. 

As a follow-up, when I asked the customer about sending trojans through email as a part of penetration testing, they 
declined. As it turns out though, during the pen-testing, the customer did get a .pif trojan from someone else via 
email. Hence, their internal systems got infected / compromised from the Internet. Oh, well. Damned if you do, damned 
if you don't.

-Blake

###########




To: pen-test () securityfocus com
Subject: Re: Email Pen-testing 
Date: Wed, 24 Mar 2004 14:42:37 -0500
Message-ID: <1145.1080157357 () marajade sandelman ottawa on ca>
From: Michael Richardson <mcr () sandelman ottawa on ca>



"Frank" == Frank Knobbe <frank () knobbe us> writes:
   Frank> an Incident Response Exercise to test the response capabilities of a
   Frank> client. You are less concerned about getting root but instead try to
   Frank> operate stealthily or in an otherwise defined pattern, attempting to
   Frank> penetrate, but allowing others to take notes of the response
   Frank> procedures of the client's incident response team. 

 Like, for instance, do the IT people even know who to call once they
have "caught" you?

 In Canada, the responsibility for "computer crime" devolved from the
RCMP to the local police forces. Alas, the knowledge and experience did
not get passed down. The Ottawa police, as competent as they are for
most things, spend all their computer time tracking down child porn and
stalkers. If you call them and say, "I'm from Corporation FOO, my
firewall was compromised", they offer to send ... the fire department.

 So, in Ottawa at least, my conclusion is that there isn't a number
that can be called anymore.

- --
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr () xelerance com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
 
