I fear my knowledge level is far closer to some IT managers' than I wish.
Please make your life easier and give them access via Anydesk.
@stefano OK. After that, I'd set up a network segment filled with Thinkst Canary Honeypots open to the internet and let them waste their time there while you produce the log report showing them playing in your sandbox.
"Yeah, I just need to know which IPv4 & IPv6 addresses your testing will come from so that I can adjust firewall rules"
block drop in on egress proto tcp from <pentest_ips> to any
:dusts off hands and sips coffee:
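The defender's version of that rule, as an added example that nobody in the thread posted: a pf.conf fragment that admits the tester's announced source addresses to the in-scope host with logging, instead of disabling anything. The interface macro, host, ports and table entries are constructed placeholders.

```pf
# Added example (not from the thread). Scope a pentest by source address
# instead of disabling protections. Addresses here are constructed placeholders.
ext_if = "egress"                       # pf interface group for the uplink
test_host = "203.0.113.5"               # constructed: the in-scope server
test_ports = "{ 22, 80, 443 }"          # constructed: services in scope

# Tester's announced IPv4/IPv6 sources. 'persist' keeps the table defined when
# empty, so it can be emptied with `pfctl -t pentest_ips -T flush` when the
# engagement window closes, without reloading the ruleset.
table <pentest_ips> persist { 192.0.2.10, 198.51.100.0/28, 2001:db8::/64 }

# Log every tester connection so their report can be checked against pflog.
pass in log quick on $ext_if proto tcp from <pentest_ips> to $test_host \
    port $test_ports keep state

# Normal policy for everyone else stays in force; nothing is "disabled".
block in log on $ext_if
```

Load it with `pfctl -f` for the agreed test window only; the pflog records are what you compare against whatever the report claims was reachable.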
@gumnos yes, this makes sense
@stefano clown power! 🤡
@stefano similar here from a leader of a red team: we need further privileges to exploit the vulnerability we assume from the *version number the application reports* 🤡
@stefano maybe an AI sent it? 😅
@IAmDannyBoling I don't think so. There were some errors.
@stefano I'll say! 😉 Regardless, I hope things go well tonight. Maybe you could edit your post with the results so we all get notified, if it's not too much trouble. We'll all be rooting for you.
@IAmDannyBoling eheh thanks. But it won't be tonight - it seems it's been delayed as the committer has some doubts about their skills.
@stefano That could be your lucky break. 👍
@stefano I love how they asked you to disable any “protection.” What protections? Any protections, just protections in general, anything that protects… don’t worry about it, you don’t need it…
To be fair, I think they are actually doing a pen test. They’re just trying to see how easy it is to penetrate the intelligence, or lack thereof, of the sys admin.
@stefano I'll leave the car doors unlocked and the keys in the ignition. See if you can steal it.
@stefano I remember reviewing a pen test like that once. The report said that they were able to access a database server and copy the data files.
When I looked into it, it was because they’d asked for access to the server and an RDP account to connect with. And they were running the test from a device on the same network.
That is both hilarious and ridiculous.
My reply would be: "that's not how you do penetration testing, my boy"... 😉
Years ago, many years ago, I was a junior technology person in the UK public sector.
Disaster recovery/failover was a thing. And needed to be tested annually, I think.
Anyway, the IT was outsourced to one of those large global evil incompetent corporations that were very competent at profiteering from the public purse.
The test didn't involve intentionally taking servers/services/network things offline.
I demanded it.
They protested and took it up several levels to override my "assurance".
Yeah. I learned a lot about capitalism and the public sector during that era.
@stefano Well, you gotta give it to them for creativity but I suspect it works on some people
@stefano I think you'd pass the test with flying colours by simply responding to the message with a hearty "The fuck I will".
@stefano I mean... maybe that's part of the test? Probably just wishful thinking on my part
@stefano Yeah, when I was doing outsourced support we used to get this for PCI compliance scans all the time, totally pointless.
@stefano You should pay them with a few boxes of clown shoes. If this is supposed to be an external network penetration test, it may be polite to also include some brightly colored wigs and big red noses as well.
@stefano Needs an AI generated picture of a friendly nerd wearing Louvre robber safety vests.
@stefano and there are people who will fall for it
@stefano
true story.
him: The Ministry of Education hired me to assess the security of your app.
me: please show me an ID and a letter from the Ministry.
him: no one has ever asked me to show them.
@stefano This must be the social engineering part of the pentest. Just report a security incident and let them deal with it. 🥸
@stefano I've been there before. Company hired to do a pen test but complained when they couldn't get access to the internal network to get to the server.
@stefano reminds me of the time I was contacted by an angry new IT director of a customer because 'we wasted a lot of money'. He hired a company that did phishing exercises and our mail scanning gateway blocked it all. He wanted us to disable it completely, but then we showed the volume of spam/phishing/junk/... we blocked and asked him if he was really sure and wanted to put that in writing, with the CISO in cc. Never heard from him again.
@stefano ooof
I remember getting almost exactly the same request years back.
They'd pointed Nessus at the box (without telling us... rude) and our protections had _quite rightly_ identified and blocked their source IP.
So, they contacted us and said that we needed to turn the firewall off so that they could check security.
In that case, the test was being done as part of assessing the customer's PCI-DSS compliance.
@stefano Did they also ask for a network diagram, otherwise the way to the server wasn't clear enough?
@stefano Hey, it doesn't hurt to ask. They're instructed to test the environment and you're part of the environment.
@stefano It still blows my mind that our merchant account provider will say basically the same thing before they run a PCI compliance check. Like, no thanks, I'm not going to open up our network and make it vulnerable just so you can scan it to see if it's vulnerable. That makes no sense.
We pass every time so yeah, that's not how it works.
@stefano Maybe the pen test has already started and they are trying to social engineer you 😉
@stefano Some real "please lower your shields to enjoy the premium photon-torpedo experience" here.
@stefano At my previous job the company hired someone for such a test. One of the requirements was to install a server of theirs on our network for the duration of the test. So they can better understand network topology and services to test.
@anparker this makes some sense. They can study the network from inside. But still...
@stefano Are they testing the equipment or are they testing the staff? (Though anyone who falls for someone asking them to do that deserves to be sacked.)
@beecycling officially, "how the services are vulnerable from the Internet"
@stefano "my nmap isn't coming back with anything and I need something to put in my report"
@stefano yeah these are ridiculous. Why the hell would you disable your firewall? Also these aren't penetration tests, they're just vulnerability scanners.
@raymaccarthy @pertho Extremely appropriate definition!
@stefano "little pig, little pig, let me come in?"
"That's not how pen testing works, big bad wolf."
@stefano In a previous role, I used to sometimes triage what were generously called vulnerability reports on our software product. I wish I had a dollar for every one which began "Step 1: Become the administrative user."
@carson This is funny! But yes, this happens. When those assessments start with “if a superuser will start a vulnerable service running as root, and opens a firewall port, and gives the address to others, and and and and…”
@stefano Give him your user and the root password just to make sure the pen test goes as expected 😂
@stefano the assessment: "adding firewall, some protection, and blacklist would significantly improve security of the server".
Can I send them my bank account number?
In all fairness security shouldn't depend on any one layer of protection, but yes, this is really rather ridiculous. So yes, Stefano, I'm pretty sure you understood the request correctly.
Let's also make sure indeed that they also have login credentials that will let them log in as root. Maybe email them the SSH host private keys while we're at it?
😆
@mms You deserve it much more than them