Penetration Testing mailing list archives
RE: External Pentests Obsolete?
From: "Van Heerden, Francois (CSS)" <Francois.VanHeerden () ontario ca>
Date: Fri, 10 Aug 2007 13:21:09 -0400
Sorry to puncture your balloon but a pen test still has value. A scan can easily reveal if the client is using a commercial backend database or backup tool that links to their web presence. These can be probed very easily and most often are misconfigured or overlooked by overstretched network admins. In our environment, with a Internet facing web-app, the admins challenged a pen tester to break in prior to going live. They were certain their app was impenetrable so the test would be worthless. It took the pen tester a total of ten minutes to use a configuration failure in a supposedly "invisible" backup process (commercial backup software left with default passwords) to gain root and compromise the entire server. Pen tests are not just tools run against a server or two; a detailed vulnerability assessment also uses a great deal of knowledge about network infrastructure, deployment techniques, a thorough knowledge of other applications that are likely deployed and have known holes - many never patched. Your argument is flawed - go back and spend some more time learning about how a vulnerability assessment is actually conducted. Cyberruk
Do you think that an external infrastructure pentest is nowadays
obsolete?
What I want to say is that, most of the serious companies nowadays will
only have a few servers on their DMZ (web server, >mail server, SSL concentrator, terminal server, citrix) and will only allow access to one or two ports for each of them.
The rest of the infrastructure (excluding the internet facing router
and firewall) will be completely inaccessible.
Thus, if web application testing is out of scope, there isn't much to
test, is it? Only half a dozen of services to check >vulnerabilities and misconfiguration, check if mail rely is on, make a password bruteforce attack(?), check that the DNS
can't be poison and VOILA! You have finished!
Do you think that it is ethical to consult our clients to "buy" an
external pentest anymore? P.S. If I am wrong, PLEASE prove me wrong! ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- External Pentests Obsolete? Yiannis Koukouras (Aug 10)
- Re: External Pentests Obsolete? US Infosec (Aug 11)
- RE: External Pentests Obsolete? Van Heerden, Francois (CSS) (Aug 11)
- RE: External Pentests Obsolete? Williamson, Clyde (Aug 11)
- RE: External Pentests Obsolete? Shenk, Jerry A (Aug 11)
- Re: External Pentests Obsolete? Jason Ross (Aug 11)
- Message not available
- Fwd: External Pentests Obsolete? Joel Jose (Aug 11)
- Re: External Pentests Obsolete? rajat swarup (Aug 11)
- <Possible follow-ups>
- Re: Fwd: External Pentests Obsolete? cwright (Aug 12)
- RE: Fwd: External Pentests Obsolete? richard (Aug 13)