Thread: Unofficial Authorized Penetration Testing Question

  1. #1
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    16

    Default Unofficial Authorized Penetration Testing Question

    Guys may I ask for your opinions?

    I was a previous employee in this company as the head of IT. The structure of the company is like this. My company is one of the subsidiaries that have their own IT, and there is a mother company governing all, which also has its own IT dept. The mother company's IT gives support to the subsidiaries' IT on their requests & needs, and they are also the ones responsible for deciding which software should be used by the subsidiaries.

    During my stay, they implemented Lotus Domino as the official email for all, Untangle Professional as a filter to prevent abusive use of the internet, and lots of other software for the business, like setting up a DMZ, VPN, etc. If they want to implement it, it happens and they spend big.

    Unfortunately, Untangle was weak at the time they implemented it, & I showed them on the spot that I could still access forbidden sites right there and then, just to tell them that they had to implement it correctly, but they never corrected it up to now.

    As soon as they implemented Lotus Domino, I showed them another hole in their setup & requested them to fix it. Unfortunately, months after I had resigned, I poked in to see if it was already corrected, but it was not, so I sent an anonymous e-mail to one of the top management and informed him about it so they could fix it. He asked for proof, so I opened the email account of the President of the company, saw that he had forwarded my email to the President, and I used that message to reply to him asking if it was enough proof. He was convinced and thanked me for bringing it up. Then he said he already knew who I am, but of course no name was given because he wanted to respect my request for anonymity, but he really knew who I am and asked if I could continue checking their network for vulnerabilities and inform them.

    Now my question: is it worth checking their vulnerabilities? I enjoy it, but I am no longer an employee there. I still have a good relationship with some of the top managers, I know people there I need to protect, and I don't want them to be in trouble in case I do pentesting, but I also need a real-life guinea pig for learning! As I mentioned, I was authorized by one of the top managers, but unofficially, through his personal email.

    Shall I do it for the sake of learning?

    Thanks... I hope Muts and Pureh@te will reply, I have too much respect for your insights...

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default Re: Unofficial Authorized Penetration Testing Question

    You are pretty much behaving like a criminal at this point. As soon as your employment was terminated you should have put the company and their problems out of your mind and focused on finding a new job and the needs of your new employer. If the company wanted your opinion on security they would not have let you go, or they would hire you as a consultant. The way you are doing things right now is setting you up to be the fall guy for the first thing that goes wrong at that company.

  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Unofficial Authorized Penetration Testing Question

    purehate is 100% correct. Even if you're not going to charge them you need an official statement (document) that they've authorized you to perform the "testing". Without that you're almost definitely breaking the law...
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  4. #4
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    16

    Default Re: Unofficial Authorized Penetration Testing Question

    Ouch!!! That criminal thingy hit a spot...

    Actually, the reason I poked in is because it was one of the holes that I was aware of and that I wanted to be corrected. I know it's no longer my responsibility after I left them; it's just that I felt it was one unfinished job that I had left, and that hole could mean either their success or their loss.

    Also, the reason I left them was for my career to move on. After two years of staying, I noticed that all of the IT dept staff from all subsidiaries & the mother company were already satisfied with what they knew, which is basically very little, if not almost zero; some just know how to install Windows, crimp wires, connect them, and smoke (this one I have implemented successfully). For me the IT field is continuous learning, so I moved out to a foreign country, where, unfortunately... I was hired as an accountant. So now pentesting is just a learning hobby.

    How did they set up filters, VPNs, and mail servers if they know so little? Money talks... Outsourcing to suppliers, which left them dependent on these vendors. I was even amused when they hired an IT security expert. He even has an audit device, as he says... A portable USB hard drive enclosure! His weapons of choice: Windows Explorer and McAfee (pirated)... That's all for his audit!

    But your thoughts are correct, I could become the fall guy in case something goes wrong, scary to imagine... Really... Thanks thorin.

    Please consider my question solved, I will not commit to pentesting their network, period. Anyway, I'm quite busy now with my work, hell-hard changing careers, accounting-IT-audit-accounting-IT-audit... Years that I've been doing this in my country & now doing it again in this foreign land...

    Anyway, thank you very much guys!

  5. #5
    Junior Member Liuser's Avatar
    Join Date
    Apr 2010
    Posts
    58

    Default Re: Unofficial Authorized Penetration Testing Question

    If you're looking for an active live guinea pig for testing, you can always set up your own vulnerable machines. There are also pre-made ISOs that contain vulnerable VMs specifically dedicated to experimenting with your pentest needs. Metasploit released their own version in the last few days. May be worth looking into.

  6. #6
    Very good friend of the forum Gitsnik's Avatar
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Default Re: Unofficial Authorized Penetration Testing Question

    Just in case anyone else wanders in, have a read of this one as well: http://www.backtrack-linux.org/forum...-do-legal.html

    We (as a community) have had varying questions/scenarios on the whole which were related to the same thing, but that thread probably has the most complete info in it we've collated to date.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  7. #7
    Just burned his ISO
    Join Date
    Apr 2010
    Posts
    16

    Default Re: Unofficial Authorized Penetration Testing Question

    Quote Originally Posted by Gitsnik View Post
    Just in case anyone else wanders in, have a read of this one as well: http://www.backtrack-linux.org/forum...-do-legal.html

    We (as a community) have had varying questions/scenarios on the whole which were related to the same thing, but that thread probably has the most complete info in it we've collated to date.
    Thanks so much for pointing me to this. I've actually scanned over it before, and how could I forget! Dumb me!!! Really bad memory!!!

    I've just read it again fully and comprehend the possible ramifications of where it will lead me... Jail. Of course, that will be the time I come back to the country.

    Also, before, I was thinking I was very ethical and doing the right thing by pointing the problem out to them, but as you guys said, when I poked in in the first place, I had already committed several felonies and wasn't being as ethical as I thought.

    I want to justify my action by saying that I emailed a top manager about it, but it would just be trying to justify a wrong move in the first place. I thought I was being ethical by reporting the problem because I could hack them... Sorry!!!

    Next time I'll look more here for things like this before taking any action.

    Thank you so much!!!

  8. #8
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default Re: Unofficial Authorized Penetration Testing Question

    Thank you for being one of the few that actually accepts advice from people who have had this problem before and don't want to see others make the same mistake.

  9. #9
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default Re: Unofficial Authorized Penetration Testing Question

    phangs, stop apologizing so much. It was great that you asked and it's great that you'll accept the advice given. We're not upset or anything, we're just worried about the impact it could have on you.
