preview

It Penetration Testing

Better Essays

Use offense to inform defense. Find flaws before the bad guys do.

Copyright SANS Institute Author Retains Full Rights
This paper is from the SANS Penetration Testing site. Reposting is not permited without express written permission.

Interested in learning more?
Check out the list of upcoming events offering "Hacker Techniques, Exploits & Incident Handling (SEC504)" at https://pen-testing.sans.org/events/

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

A Management Guide to Penetration Testing David A. Shinberg

© SANS Institute 2003,

©

SA

NS

In

sti

tu

As part of GIAC practical repository.

te

20

03

,A

ut

ho

rr

Version 2.1a

eta

Practical Assignment …show more content…

It will include suggested items that should be present in the report given to the owner of the network being tested. In addition to the list of vulnerabilities detected, corrective actions are an important part of the final report.

1.1 Scope

2. Preparation

2.1 Technical Preparation

A good penetration tester must be technically competent and methodical. In many situations, a test team is more appropriate than an individual tester. 2 Care must be taken in selecting, installing and configuring the platforms used to perform the testing. Although there are several commercial tools that can be used to perform penetration tests such as Internet Scanner® from Internet Security Systems3, free tools will be used throughout this testing. Kurtz and Prosise make an excellent point when they claim; “Running a commercial vulnerability scanner is penetration testing” is a myth. 4 There are several problems with simply running a vulnerability scanner and assuming that a complete penetration test has been performed. The first is that the vulnerability scanners are only as good as the person running them. As will be discussed latter in this paper, there is more to performing a penetration test than just finding
2

Naturally, the testing performed in support of this paper will be performed by the author only. 3

Get Access
Get Access