Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Internal Penetration Testing

From: "Mark van der Meulen" <mark () envisagetech net>
Date: Fri, 19 Jun 2009 14:12:44 +0800
Have you read any books on Ethical hacking/Penetration Testing yet? If not, I suggest firstly you read "Gray Hat 
Hacking" by Shon Harris, Alan Harper. The only actual exploiting it really deals with is Linux based, but it give you a 
greater insight into pen testing and how it should be performed. It's also an easy read. Then once you have completed 
it, then try some material more specific to the actual hardware and software that you are dealing with.

Just my personal opinion from experience.

Regards,

MARK VAN DER MEULEN
Systems Engineer

Email:    mark () envisagetech net 
Web:        www.envisagetech.net

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Stephen Mullins
Sent: Thursday, 18 June 2009 2:52 PM
To: Adriel T. Desautels
Cc: pma111; pen-test () securityfocus com
Subject: Re: Internal Penetration Testing

Whoa there, I didn't mean to raise the ire of a bunch of folks whose
mortgage payment depends on the perceived value of internal pen
testing.

Let's put the focus back on the original question:

Can anybody recommend any good books, or ideally free online references to
start learning the techniques of internal penetration testing? I.e. getting
onto (access to) network shares, private network drives,  internal servers,
systems, from inside the Network that someone is not authorised to do? I
wont ask for specific pointers just some good online guides so I can begin
to identify the techniques that give rise to the "threat from within" etc.

On Tue, Jun 16, 2009 at 4:35 PM, Adriel T.
Desautels<ad_lists () netragard com> wrote:

If you question the validity of internal penetration testing then you are
either not doing it right or you don't understand the subject enough to
realize its clear benefits.  Internal penetration tests are a great way to
test the internal technological controls of a company, and its resistance to
things like Distributed Metastasis.  Do you really think that an external
penetration test can cover all the bases?  If anything, an Internal is far
more valuable because it can include external scopes.


On Jun 13, 2009, at 10:21 AM, Stephen Mullins wrote:


I question the validity of "internal pen testing."  After all, as an
insider you should have access to all manner of information that an
attacker would not.  If you have the skills to perform a legitimate
"black box" pen test then you should have no problem doing whatever
you want as an inside "pen tester" even if you try to play by a
predetermined set of rules wherein you pretend not to have insider
knowledge (good luck).  I guess I don't understand the purpose.  If it
is to demonstrate that having someone with a moderate to high amount
of skill "go rogue" inside your network is a "bad thing", that just
seems redundant to me.

The best use for "internal pen testing" in my opinion would be simply
to see if anyone noticed via your IDS/log management solution/etc.

If nobody is watching then an internal pen test is doubly pointless.

Steve Mullins

On Thu, Jun 11, 2009 at 8:10 AM, pma111<pmaneedham () hotmail com> wrote:


Can anybody recommend any good books, or ideally free online references
to
start learning the techniques of internal penetration testing? I.e.
getting
onto (access to) network shares, private network drives,  internal
servers,
systems, from inside the Network that someone is not authorised to do? I
wont ask for specific pointers just some good online guides so I can
begin
to identify the techniques that give rise to the "threat from within"
etc.

Regards,
--
View this message in context:
http://www.nabble.com/Internal-Penetration-Testing-tp23980128p23980128.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------





       Adriel T. Desautels
       ad_lists () netragard com
       --------------------------------------

       Subscribe to our blog
       http://snosoft.blogspot.com




------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: