@stefano
The good old social engineering. Never gone out of fashion, since the time of "The sneakers" movie 😃

@stefano

I fear my knowledge level is far closer to some IT managers' than I wish.

Please make your life easier and give them access via Anydesk.

@stefano OK. after that, I'd set up a network segment filled with Thinkst Canary Honeypots open to the internet and let them waste their time there while you produce the log report showing them playing in your sandbox

@stefano

"Yeah, I just need to know which IPv4 & IPv6 addresses your testing will come from so that I can adjust firewall rules"

block drop in on egress proto tcp from <pentest_ips> to any

:dusts off hands and sips coffee:

@stefano @neil tbf this is pretty standard to actually test a service or server. (yes you also test the firewall effectiveness, but the core vulnerabilities are also usually specifically tested without it)

@stefano clown power ! 🤡

@stefano similar here from a leader of a red team: we need further privileges to exploit the vulnerability we assume from the *version number the application reports* 🤡

@stefano maybe an AI sent it? 😅

@stefano I love how they asked you to disable any “protection.” What protections? Any protections, just protections in general, anything that protects… don’t worry about it, you don’t need it…

To be fair, I think they are actually doing a pen test. They’re just trying to see how easy it is to penetrate the intelligence, or lack there of, of the sys admin.

@stefano I'll leave the car doors unlocked and the keys in the ignition. See if you can steal it.

@stefano I remember reviewing a pen test like that once. The report said that they were able to access a database server and copy the data files.

When I looked into it, it was because they’d asked for access to the server and an rdp account to connect with. And they were running the test from a device on the same network.

@stefano

That is both hilarious and ridiculous.

My reply would be: "that's not how you do penetration testing, my boy"... 😉

@stefano

Years ago, many years ago, I was a junior technology person in the UK public sector.

Disaster recovery/ failover was a thing. And needed to be tested annually I think.

Anyway the It was outsourced to one of those large global evil incompetent corporations that were very competent at profiteering from the public purse.

The test didn't involve intentionally taking servers/services/network things offline.

I demanded it.

They protested and took it up several levels to override my "assurance".

Yeah. I learned a lot about capitalism and the public sector during that era.

@stefano Also known as a “Russian Ceasefire Agreement”?

@stefano Surprised they didn’t ask for the admin/root password

@stefano Well, you gotta give it to them for creativity but I suspect it works on some people

@stefano I think you'd pass the test with flying colours by simply responding to the message with a hearty "The fuck I will".

@stefano I mean... maybe that's part of the test? Probably just wishful thinking on my part

@stefano Yeha when i was doing outsourced support we used to get this for PCI compliance scans all the time, totally pointless.

@stefano You should pay them with a few boxes of clown shoes. If this is supposed to be an external network penetration test, it may be polite to also include some brightly colored wigs and big red noses as well.

@stefano Needs an AI generated picture of a friendly nerd wearing Louvre robber safety vests.

@stefano and there are people who will fall for it

@stefano
true story.
him: The Ministry of Education hired me to assess the security of your app.
me: please show me an ID and a letter from the Ministry.
him: no one has never asked me to show them.

@stefano This must the social engineering part of the pentest. Just report a security incident and let them deal with it. 🥸

@stefano I've been there before. Company hired to do a pen test but complained when they couldn't get access to the internal network to get to the server.

@stefano reminds me of the time I was contacted by an angry new IT director of a customer because 'we wasted a lot of money'. He hired a company that did phishing exercises and our mail scanning gateway blocked it all. He wanted us to disable it completely, but then we showed the volume or spam/phishing/junk/... we blocked and asked them if he was really sure and wanted to put that in writing, with the CISO in cc. Never heard from him again.

@stefano ooof

I remember getting almost exactly the same request years back.

They'd pointed Nessus at the box (without telling us... rude) and our protections had _quite rightly_ identified and blocked their source IP.

So, they contacted us and said that we needed to turn the firewall off so that they could check security.

In that case, the test was being done as part of assessing the customer's PCI-DSS compliance.

@stefano Did they also ask a network diagram, otherwise the way to the server wasn't clear enough?

@stefano Hey, it doesn't hurt to ask. They're instructed to test the environment and you're part of the environment.

@stefano It still blows my mind that our merchant account provider will say basically the same thing before they run a PCI compliance check. Like, no thanks, I'm not going to open up our network and make it vulnerable just so you can scan it to see if it's vulnerable. That makes no sense.

We pass every time so yeah, that's not how it works.

@stefano Maybe the pen test has already started and they are trying to social engineer you 😉

@stefano Some real "please lower your shields to enjoy the premium photon-torpedo experience" here.

@stefano @justine It's common to ask for IPs to be whitelisted 🤷

@stefano At my previous job company hired someone for such test. One of requirements was to install their a server on our network for duration of test. So they can better understand network topology and services to test.

@stefano Are they testing the equipment or are they testing the staff? (Though anyone who falls for someone asking them to do that deserves to be sacked.)

@stefano yeah these are ridiculous. Why the hell would you disable your firewall? Also these aren't penetration tests, they're just vulnerability scanners.

@stefano "please open an attack vector for me. I need to get paid"

@stefano "little pig, little pig, let me come in?"

"That's not how pen testing works, big bad wolf."

@stefano Is "outside" in this specific case the pen tester standing in the car park shouting obscenities at the building because they can't get in?

@stefano In a previous role, I used to sometimes triage what were generously called vulnerability reports on our software product. I wish I had a dollar for every one which began "Step 1: Become the administrative user."

@stefano Give him your user and the root password just to make sure the pen test goes as expected 😂

@_elena @stefano @mms similar here: we need further privileges to exploit the vulnerability we assume from the version number the application reports 🤡

@stefano @_elena @mms omg, that was *serious*? 🤦‍♀️🤦‍♀️🤦‍♀️

@stefano @_elena @mms Also sounds a brilliant thing to send to the less clueful admin of a site you are pentesting to see how gullible they are 8)

@_elena Careful, don't give away half the scoop. ;-)

@stefano @mms

@stefano @_elena @mms wait, this isn't just a bad phishing attempt

@_elena @mms Totally. Later today I'll have a call with the person who hired them and explain a thing or two 🙂
This is a good person - just doesn't understand the implications.

@mkj @mms sure. But disabling the layers won't help anyway 🙂

In all fairness security shouldn't depend on any one layer of protection, but yes, this is really rather ridiculous. So yes, Stefano, I'm pretty sure you understood the request correctly.

Let's also make sure indeed that they also have login credentials that will let them log in as root. Maybe email them the SSH host private keys while we're at it?

😆

@mms @stefano

@mms You deserve it much more than them