2

How to approach penetration testing of a ATM OS that was upgraded from Windows XP to Windows 7? From what I gather, the testing flow should be as follows:

  1. Architectural Review
  2. Pentesting OS and Application
  3. Physical Audit

For the current requirement, I am focusing on the second item. Typically, I'd scan the machine and look for service/port that a specific service is using, then run an application specific exploit. I am planning to follow PCI ATM Security Guidelines (PDF), section 4.2 Security of Basic Software and section 4.4 ATM Application Management.

Could I take a different, faster approach for an ATM whose OS was upgraded from Windows XP to Windows 7, if it was already penetration tested while running Windows XP?

TildalWave
  • 10,801
  • 11
  • 45
  • 84
Arun
  • 21
  • 1
  • Just an FYI, there is no upgrade path from WindowsXP to Windows7. Meaning, if they went from WindowsXP to Windows7 it's essentially a fresh installation of Windows7. – k1DBLITZ Sep 22 '14 at 20:26

1 Answers1

1

I realise you didn't get an answer here - the reason for this is very simple:

There is no shortcut. You cannot make assumptions from a previous test on XP that there will be weaknesses in the same ATM running Windows 7.

What you should do is conduct your full approach, starting with PCI requirements but adding hardening expectations and best practices for Win 7, as PCI is a very low bar and while you are testing you may as well make it useful.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320