On 11/06/07, Harold Castro <b0ydaem0n@yahoo.com> wrote:
Hi,
..
Since I'm doing an external black box pentest, I have
to rely on some tools for OS fingerprinting. Nmap
guesses it to be either Nokia IPSO 4.0 or 4.1Build19.
Now I tried googling for that particular appliance
(IP650) and I found out that the appliance is too old
as its existence dates back as early as 1999. I'm
having a hard time trying to find anything
that can be useful for this
Usually the next stage would be to try to exploit it - providing that
is allowed for by your penetration-testing contract. (It should be,
otherwise it's more of an audit rather than a pen-test.)
If all else fails, do you tell the customer that it is
safe to ignore those warnings and vulnerabilities
because you, on a hacker's perspective, was not able
to penetrate the network by making use of those
vulnerabilities found, that the hacker might have a
hard time as well and eventually opt for another
target?
I don't like to. If you aren't able to break it, just say so. As a
pen-tester, you haven't got enough information to say if it's safe.
Obviously, if you break it, it's not safe, otherwise you don't know.
cheers,
Jamie
--
Jamie Riden, CISSP / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
