.

would this be ethical?

<<

jinwald12

User avatar

Jr. Member
Jr. Member

Posts: 77

Joined: Thu Nov 05, 2009 5:42 pm

Post Sat Jan 02, 2010 1:50 pm

would this be ethical?

Now i know this may seem strange but bare with me. OK ,I'm wondering if this hypothetical situation would fall in the "ethical end of the spectrum". the scenario is this. your doing a pen test on a large network with a server devoted just to running a IDS. would it be considered ethical to run a Denial of Service Attack to buy time to do the pen test? i know this doesn't sound probable or smart but would it be ethical?
where did all the fun go?
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Sat Jan 02, 2010 2:10 pm

Re: would this be ethical?

Why don't you ask your client? Though mostly DoS attacks are not welcomed.
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sat Jan 02, 2010 2:20 pm

Re: would this be ethical?

If this is a legitimate pentest, then its all about the rules of engagement that you should have clearly defined and agreed upon in advance. This kind of technical consideration has nothing to do about ethics. Its not "cheating" and if the IDS is vulnerable then its vulnerable and needs to be exposed as such by either you being allowed to attack it or at least identity the vulnerability in a well detailed report.

Most will not want you to take down a server if it disrupts the network so that's why we usually have to be careful when we are doing any kind of exploit.  If its just running IDS and you feel taking it down wont be disruptive and such an attack is defined in writing, then by all means. Btw, just having it written out is not enough. You need to sit down with the powers that be and go over each point to make sure they clearly know what you might do and the possible problems that might occur.  It really doesn't help you much after the fact to show the fine print in your agreement to the CEO, who never understood it any way, explaining your action if you accidentally knocked out the corporate network.
Last edited by Kev on Sat Jan 02, 2010 2:24 pm, edited 1 time in total.
<<

jinwald12

User avatar

Jr. Member
Jr. Member

Posts: 77

Joined: Thu Nov 05, 2009 5:42 pm

Post Sat Jan 02, 2010 10:13 pm

Re: would this be ethical?

thanks you guys and this wasn't for a pen test this was a hypothetical question
where did all the fun go?
<<

bamed

Newbie
Newbie

Posts: 48

Joined: Thu Mar 19, 2009 7:05 pm

Location: Joplin, MO

Post Wed Jan 13, 2010 11:55 pm

Re: would this be ethical?

I think all of the answers above are technically correct, though I would throw in there that if you purposefully bring down a server simply to "buy time" than your motives make it unethical.  If you bring down the server to expose a vulnerability, that's a whole different situation.  Of course, the client most likely won't know your motives, and you'd probably get away with it, but it is still my opinion that in the scenario originally described, the pen-tester's motives were unethical, thus the act would be unethical.
chown -R bamed ./base
<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Sun Jan 31, 2010 9:25 pm

Re: would this be ethical?

It all depends on the "rules of engagement".

From practical experience, I haven't seen an intentional DoS against productions systems be allowed.
twitter.com/timmedin | http://blog.securitywhole.com

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 3 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software