The Network Security. Org

How to setup penetration testing exercises

Based on the many responses we got regarding the 'Packetslinger' diary, here a few notes on how to setup a penetration/cracking exercise.

As a remark: Laws change from area to area. Whatever you do, check your local laws and regulations. Corporate policies, university ethics guidelines and ISP contracts may have to be consulted.

1. Avoid the use of public networks if possible. Its just too easy to 'fat finger' an IP address. It is all too easy to unintenionally shut down a critical system using an attack as simple as a portscan.
2. If you have to use a public network, try to setup a VPN to isolate the sources and targets involved.
3. Ask participants to remove or turn off additional network interfaces (in particular wireless interfaces).

Any attack, even as simple as a portscan, should only be performed with written permission. Even in a lab environment, it may be a good exercise to go through the motions of obtaining written permission from the instructor. It is not always easy to identify the person who has to provide permission. But in general, this should be the 'network owner'. Remember that part of a corporate network may be owned by an ISP, and not the company (or university). SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

More News

• Apple releases another mega-patch for Mac OS X
  



• Security flaw in smart cards poses risk for transit, building access
  



• Free TrojanProof Password Tool Released for Windows
  



• Security scans with OpenVAS
  



• Do ISPs pose a bigger online privacy threat than Google
  



• HTTPS Cookie-Hijacking Tool CookieMonster Gobbles Personal Data
  



• Anatomy of a botnet
  



• Microsoft patches 8 critical bugs in Windows, Office
  



• Virtualization users should expect more attacks
  



• Threat From DNS Bug Is not Over, Experts Say
  



• Website infection rate triples
  



• How to Use Honeypots to Improve Your Network Security
  



• Microsoft Patch Tuesday Targets 26 Application Flaws
  



• SSL VPNs might not be as secure as you think
  



• 8 tips to filter spam effectively
  



• Onus on IP address owner to prove innocence
  



• How to install an SSH Server in Windows Server 2008.
  



• Several vulnerabilities closed in the Linux kernel
  



• 8 Best Practices for Encryption Key Management and Data Security
  



• Free Honeypot Client Could Sting Malware