It makes quite sense, but it won't allways be applicable
Imagine that you have to pentest an iSeries (AS400): it will be
difficult to find one on eBay to launch a test at home :-) and difficult
to be sure you have exactly the same version of client access and the
same PTFs (the same for reproducing a twin of every server)...
In the other corner, i think that it's true that many customers will ask
you to don't use agressive tools to don't disturb the productivity:
it just introduces the difference between passive and agressive tools
and techniques...
btw Metasploit could just be used to create a file on a target (a common
technique to show that a system is ownable without disturb it)...
My 3 cents...
/JA
bulgaro76@yahoo.it a écrit :
I think that the usage of tools like Metasploit might be dangerous for the
business continuity. It's very important to let the staff know which are the
side effects of this kind of tests and so it's necessary to find a test server.
Try to imagine if you use a tool like Ettercap and the side effect is that
employees can't access AS/400 systems because of the network traffic... i think
this wouldn't make the staff so happy to hire you services.
For my two cents...
Alessandro
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
