I don't get paid to do this sort of thing very often, but when I have been paid, the client has always asked for noisy generic scans that can be integrated as part of a periodic review process (for internal or external parties). Explaining that the bad guys won't be so nice as to light up your IDS with an internal portscan or try to brute force some random database was met with complete indifference.<p>I guess as someone who would be responsible for their network's general well-being, I'd probably rather have some checked boxes saying nothing on my internal network was listening with trivially exploitable (i.e. non-patched or badly configured) services and my passwords are at least a certain complexity and not variations of the 1000 most common as of $SOMEDATE.<p>That said, it should be pretty easy to set up the usual suspects for scan tools to be performed in a scoped manner to satisfy the need for checked boxes after an operator spends some time getting up close and personal with the target system. Those types of attacks are going to reveal more information about user training (looking at Joe User with important\ passwords.docx in My\ Documents) than simple network scans are likely to.<p>I wonder what the qualifications are these days for a pen tester at a commercial company...
A company I worked for got pentested by QinetiQ; both pentesters were thoroughly nice guys and could probably have been blackhatters. They were very efficient, they left zero traces and avoided just going "We exploited X attack vector" and actually dug around the systems to see what they could get. If you hire a pentester, get guys like that, as it's the closest you ever want to get to a real world attack.
<i>But isn't it ironic that blackhats bent on data theft so rarely cause system outages?</i><p>We have no way of knowing this. If a blackhat smashes your system to crap, you won't know what caused it. Maybe things just broke. I once permanently lost a machine to the ping of death (the hard reboot was the straw that broke the camel's back) and only knew about it because the entire dorm got hit by the ping of death. If I had been targeted it would have just been the machine dying on me. Which happens to me anyway. [1]<p>But if the whitehat scans your system at 4:52AM and your system breaks at 4:52AM, then you will know exactly what happened.<p>And knowing exactly what ports are open is information that is really valuable to a client. An external audit can find what insiders are too busy to pay attention to.<p>[1] <a href="http://news.ycombinator.com/item?id=4900688" rel="nofollow">http://news.ycombinator.com/item?id=4900688</a>
For external interfaces I don't see a need to avoid portscans - they're popular enough on the open internet that it's not going to attract attention or deviate much from standard traffic.
Vilification of discovery scans in 2012. Weird.<p>Yes. Appstack is totally the way to go if you're an app pen guy. Shocking.<p>Portscanning is not too useful in a whitebox pen assessment, sure.<p>Don't do it at all because blackhats "don't do that"? Not really. Just make sure instrumentation and response exist for both of these cases.<p>Pen guys don't want to perform an assessment of the environment to gauge targets but instead just break out the same kit for each engagement? Sounds fine if it works for them and leaves more things to discover for the next crew that wanders through.<p>Sounds like more "pentesting isn't compliance" drum beating, which is both good and bad.
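The "make sure instrumentation and response exist" point above is the defender's side of the scan debate: whether the scan comes from a hired tester or from someone else, the network should notice it, and the alert should carry timestamps precise enough to correlate against the "system broke at 4:52AM" situation raised earlier in the thread. The following is an added example by the editor, not code from any commenter or vendor in this thread. It detects a port scan from firewall log lines by counting distinct destination host/port pairs per source inside a sliding time window, then correlates the resulting alerts against an incident time. The log lines are constructed for the example in an iptables-style format, and the window, threshold and log year are assumptions.

```python
"""Port-scan detection over firewall log lines (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an iptables-like format (not from a real system).
# 10.0.5.23 touches 12 distinct ports on one host in ~11 seconds; 10.0.5.40 is benign.
SAMPLE_LOG = """\
Dec 12 04:40:12 fw kernel: IN=eth0 OUT= SRC=10.0.5.40 DST=10.0.1.20 PROTO=TCP SPT=51000 DPT=443
Dec 12 04:51:58 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44101 DPT=21
Dec 12 04:51:58 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44102 DPT=22
Dec 12 04:51:59 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44103 DPT=23
Dec 12 04:52:00 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44104 DPT=25
Dec 12 04:52:01 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44105 DPT=53
Dec 12 04:52:02 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44106 DPT=80
Dec 12 04:52:03 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44107 DPT=110
Dec 12 04:52:04 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44108 DPT=135
Dec 12 04:52:05 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44109 DPT=139
Dec 12 04:52:06 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44110 DPT=443
Dec 12 04:52:07 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44111 DPT=445
Dec 12 04:52:09 fw kernel: IN=eth0 OUT= SRC=10.0.5.23 DST=10.0.1.10 PROTO=TCP SPT=44112 DPT=3389
Dec 12 04:55:30 fw kernel: IN=eth0 OUT= SRC=10.0.5.40 DST=10.0.1.20 PROTO=TCP SPT=51001 DPT=443
Dec 12 05:10:02 fw kernel: IN=eth0 OUT= SRC=10.0.5.40 DST=10.0.1.20 PROTO=TCP SPT=51002 DPT=80
"""

# Syslog timestamps carry no year; the year is an assumption for this example.
LOG_YEAR = 2012

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=LOG_YEAR):
    """Return (timestamp, src, dst, dport) for a firewall line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag a source that touches >= threshold distinct (dst, dport) pairs within `window`.

    Sliding window per source: events older than `window` drop out of the count, so a
    single host that legitimately talks to a few ports all day is not flagged.
    """
    events = sorted(e for e in (parse_line(l) for l in lines) if e)
    by_src = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_src[src].append((ts, dst, dpt))

    alerts = []
    for src, evs in by_src.items():
        counts = Counter()   # distinct (dst, dport) pairs currently inside the window
        lo = 0
        alert = None
        for ts, dst, dpt in evs:
            counts[(dst, dpt)] += 1
            # Expire events that fell out of the window.
            while evs[lo][0] < ts - window:
                key = (evs[lo][1], evs[lo][2])
                counts[key] -= 1
                if counts[key] == 0:
                    del counts[key]
                lo += 1
            if len(counts) >= threshold:
                if alert is None:
                    alert = {"src": src, "first_seen": evs[lo][0],
                             "last_seen": ts, "distinct_targets": len(counts)}
                    alerts.append(alert)
                else:
                    alert["last_seen"] = ts
                    alert["distinct_targets"] = max(alert["distinct_targets"], len(counts))
    return alerts


def correlate(alerts, incident_time, slack=timedelta(minutes=5)):
    """Return alerts whose activity window (padded by `slack`) covers an incident time.

    This is the check the thread describes: if something broke at 04:52, which scanning
    source was active around then?
    """
    return [a for a in alerts
            if a["first_seen"] - slack <= incident_time <= a["last_seen"] + slack]


if __name__ == "__main__":
    found = detect_scans(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"scan from {a['src']}: {a['distinct_targets']} targets, "
              f"{a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S}")
    print("around 04:52:", [a["src"] for a in correlate(found, datetime(LOG_YEAR, 12, 12, 4, 52))])
```

The threshold and window are deliberately conservative so that a legitimate host with a handful of destinations never trips the rule; in a real deployment both would be tuned against a baseline of normal traffic, and the alert would be shipped to the SIEM with the same timestamps used here so that an outage report and a scan alert can be lined up side by side.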
<i>Assuming you've done the prep-work to ensure you get placed on a well-populated user desktop network</i><p>This is a write-up of attacking LANs from the inside, privilege elevation stuff. Only relevant for large networks, obviously.
Step 1: Don't post to Hacker News that you hack into places<p>.. Tongue-in-cheek commentary aside, the title comes off more like the content would be on par with the grugq's presentation on Opsec for hackers (<a href="http://www.slideshare.net/grugq/opsec-for-hackers" rel="nofollow">http://www.slideshare.net/grugq/opsec-for-hackers</a>).<p>The argument to never modify anything only holds true for pentesting; for a slightly more nefarious attacker it's not unheard of to actually do some system maintenance & configuration fixing to close holes behind them to prevent other attackers from gaining access through the same entry point. Increasing the system stability has a tendency to make people look the other way; it's far less likely that someone would say "Hey, that server has been performing better, let's see if it's been compromised."
Ah, I thought perhaps this was going to be another link to this story: <a href="http://news.ycombinator.com/item?id=4910212" rel="nofollow">http://news.ycombinator.com/item?id=4910212</a>