Sunday, 15 January 2012

tcpdump and Wireshark and permission to test

When executing a pentest, it is necessary to document every step that is made during the pentest. This doesn't just mean to make screenshots of every step, input, output and results during the pentest but also to start tcpdump or Wireshark in the background to log every of your steps when executing attacks especially when you're executing exploits or an automated scan (nmap or nessus for example).

This has two reasons:

1. When executing a pentest you just have a short timeframe agreed between you and your customer, and sometimes you don't have time to execute an attack a second time. When you have a dump of the network traffic during pentesting you may be able to get the information you're looking for even after the agreed time frame. If you just have a screenhost you may have the result, but can't describe and understand in detail what has happened. To understand what has happened, is very important to define countermeasures to close the findings.

2. An agreement or permission memo that allows pentesting should always be made and signed BEFORE pentesting (you can find a template here). But even with this agreement, you are much more safer when you have a dump of you activity. Especially when a server or web application of the customer is having problems and the customer is blaming you. It's much better to show the customer your activities afterwards if problems occur, as when you got no evidence at all and can't prove that you were not the trigger for certain problems.

Also the output by burp, ZAP or whatever interception proxy you are using, should always be saved completely afterwards.

No comments:

Post a Comment