PenTester Pro Tip: Validating The TOE

If you’ve ever worked as a professional penetration tester, then you definitely know what a TOE is. For those of you who do not, the TOE, or “Target Of Evaluation”, is “the product or system that is the subject of evaluation” (Wikipedia). For the sake of simplicity, a system connected to the internet with an IP address is the TOE for an external penetration test. Your client has provided a list of IP addresses, maybe in CIDR notation, or maybe they’ve just dropped you a spreadsheet with a list of targets that fall within the scope of testing. At the end of the day, they’ve provided you with a list of assets that are in play.

Side note: I won’t stress the importance of performing thorough reconnaissance and the value it will provide to both you (during the assessment) and to your client. There are plenty of books and training courses that have done a fine job conveying that message. However, I do want to walk through the following scenarios and explain why it is important to validate and verify your targets:

Scenario 1: Client Provides Wrong IP Addresses (Bitter CIDR)

You’ve laid out your pentest, you’ve got a list…

