From: nexus at patrol.i-way.co.uk (Nexus)
Subject: Verisign abusing .COM/.NET monopoly, BIND releases new

----- Original Message ----- 
From: "Michael Scheidell" <scheidell@...nap.net>

[snip]

> One more interesting thing, if you have a client who has given you ip
> addresses for external testing, and these ip addresses rdns to a domain
> that doesn't FWD resolve, you will end up pen testing verisign's computers.

I don't think so... or, put another way, I hope not ;-)
As any fule kno, part of the <Yank>"Due Diligence"</Yank> process on receipt
of IP ranges from a Client would be to conduct whois type searches to
determine that the Client has indeed not typo'd an IP range or CIDR block.
I've had this happen a few times and a cursory whois + confirmation has
sorted the incorrect ranges before testing actually starts. Sometimes it's
not even obvious from a whois which is all part of the fun of it.

One hopes that the pen testers you employ also do this... :P

Cheers.
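The check described in this reply, as an added example that is not part of the original thread: a pre-engagement scope filter that forward-confirms the reverse DNS of each client-supplied IP and flags any whose PTR name resolves elsewhere (the catch-all behaviour the quoted post worries about). DNS lookups are injected as functions so the script runs offline on constructed RFC 5737 sample data; the function names and sample records are assumptions, and in practice the result still has to be confirmed against whois and the client.

```python
"""Pre-engagement scope check: forward-confirm the reverse DNS of each
client-supplied IP before any testing starts.

Added example, not code from the original post.  Resolution is injected
(ptr_lookup / a_lookup are assumed names) so the check can run offline;
a live version would back them with socket.gethostbyaddr and
socket.getaddrinfo and still confirm ownership via whois."""
import ipaddress


def check_scope(ips, ptr_lookup, a_lookup):
    """Return {ip: verdict}.  'ok' only when the PTR name resolves back
    to the very IP the client supplied (forward-confirmed rDNS)."""
    verdicts = {}
    for ip in ips:
        ipaddress.ip_address(ip)          # fail early on a mistyped address
        name = ptr_lookup(ip)
        if name is None:
            verdicts[ip] = "no-ptr"       # nothing to confirm; ask the client
            continue
        forward = a_lookup(name)
        if not forward:
            verdicts[ip] = "ptr-does-not-forward-resolve"
        elif ip in forward:
            verdicts[ip] = "ok"
        else:
            # The name points at someone else's address: do not test it
            verdicts[ip] = "ptr-forward-resolves-elsewhere"
    return verdicts


# Constructed sample data using RFC 5737 documentation ranges
_PTR = {"192.0.2.10": "www.client.example",
        "192.0.2.11": "old-host.client.example",
        "192.0.2.12": "gone.client.example",
        "192.0.2.13": None}
_A = {"www.client.example": ["192.0.2.10"],
      # PTR name with no real forward record: a wildcard-style catch-all
      # answer sends it to a third party's address instead
      "old-host.client.example": ["198.51.100.250"]}


def demo():
    ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    return check_scope(ips, _PTR.get, lambda n: _A.get(n, []))


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(ip, verdict)
```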
