Thread: Blind Penetration Test

  1. #1
    Senior Member
    Join Date
    Dec 2003
    Posts
    137

    Blind Penetration Test

    I found this article on govermentsecurity.org, found it interesting and informative, so here it is
    Life is a shipwreck but we must not forget to sing in the lifeboats. ~Voltaire

  2. #2
    Banned
    Join Date
    May 2003
    Posts
    1,004
    What a bunch of useless crap.

    "Blind penetration tests": part symptom of bad information security management, part euphemism for l33t h4x0rz wet dream.

    Think about it, what use is a "blind penetration test"? For any company wishing to run a pen test, they should define what to test and the expected results beforehand. The testing team should have a high level of knowledge (on a need to know basis of course with considerations of a separation of duties, otherwise you may be asking for trouble especially if you are a pen test service provider) of the targeted system, this ensures the most efficient (read fastest and least expensive) audit but the most comprehensive.

    cheers,

    catch

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Indeed. What penetration test? They're only doing some basic noninvasive recon stuff. The only "active" part of this document is the traceroute/nmap. Big deal. Any serious security professional should be able to do this blindfolded.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Just as an FYI, I spoke with GSecur and he wanted me to pass on that the document was never completed. (one of those "intended to but real life interfered"). I think, however, that a blind penetration test may have some value to find those things you don't know about or wouldn't think about. If all tests are done by those who know how things work, then they know what to expect or where to look.

    If, however, it's done by someone who doesn't know, they will look and poke in more places and may find things that were overlooked by those who are used to the existing system.

    Just my take/opinion.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    MsM: That's the reason why you should never test your own stuff. You know how it's built and will test along the same lines. Testing should be done by someone who has absolutely no idea on how you did it or how it works.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Reiteration

    penetration testing:
    The portion of security testing in which the evaluators attempt to circumvent the security features of a system. The evaluators may be assumed to use all system design and implementation documentation, which may include listings of system source code, manuals, and circuit diagrams. The evaluators work under the same constraints applied to ordinary users.
    - Glossary of Computer Security Terms
    http://www.radium.ncsc.mil/tpep/libr...CSC-TG-004.pdf

    cheers,

    catch

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Gsecur hasn't impressed me with anything that I could label as 'legitimate' yet.

    This document only adds to that opinion (or lack thereof). To be honest, I think it's like choosing to reinvent the wheel when there is no good reason to. catch said it, it's a skiddie circle-jerk disguised as a "white paper".

    I do these for a living. This is *NOT* how you go about it, and continue to offer this service as a legitimate, trusted company.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    Originally posted here by SirDice
    MsM: That's the reason why you should never test your own stuff. You know how it's built and will test along the same lines. Testing should be done by someone who has absolutely no idea on how you did it or how it works.
    I partly disagree, here is why. You are right about knowing your own system and knowing what security issues you may or may not have. But also knowing or not knowing would give you more time to search in other areas of your computer for vulnerabilities. If you know that you are very secure with exploits of certain programs, the next best thing is to try to find other ways into your system and patch up.

    You should always take a second opinion so to speak about your workings, in case you miss something. But someone has to test these things on a computer before commencing to reach out over a network and trying it on someone else.

  9. #9
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    I agree that you should always get a second opinion on your work. Sometimes people get too close to their projects and lose that objective point of view you need. It's not on purpose but it is much easier for you to look and see how something -should- work, but ignore how it is -actually- working.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com
