Firewall Wizards mailing list archives

Re: Re[2]: Penetration Tests


From: Arjan Vos <arjan () pino demon nl>
Date: Sat, 27 Sep 1997 09:18:12 +0200 (MET DST)

On Fri, 26 Sep 1997, Edward Cracknell wrote:

Maybe I didn't give enough info in my first mail, but I have used these
packages many times, including Crack v5, Netcat, ifstatus, rootkit,
tiger etc.

I am really looking for;

a) a consensus on what should be covered/not in such a test

The consensus I cannot give, but in performing penetration tests I adhere
to some generic framework in which you define beforehand:

1) goal of the penetration test
2) scope (what will be tested *AND WHAT NOT!!!*)
3) characteristics of the target (e.g., is it a high availability
production system, is it a testing system, is the test whitebox or black
box)
4) expected merits (what do you think will be the added value of the
test, what evidence will be gotten, is it a realistic assessment?),
5) risks (well, maybe the test will bring down response times, or maybe
something might go wrong, so pay attention to liability issues)
6) requirements (will testing take place on-site? So do you need a
company's computer and network entry, etc, resource, risk, project mgmt,
etc... oh yeah, debriefing and evaluation with the "victims" is very
important)

Point 4) is very important. If a company has no security policy and the
systems have no security baselines whatsoever, then the added value
will be low, as you can foresee pretty certainly what the results will be.
If they do have a security policy and baselines, then testing will have
merits as you identify possible deviations from the policy and baselines.

Then, when actually performing the test, you can roughly identify the
following (iterative) phases:

1) planning and preparation for each individual test
2) execution of the test
   a) detect (possible) weaknesses
   b) identify weaknesses by exploiting them
   c) analysis of cumulative effect of weaknesses found
3) evaluating and reporting of the test results, and maybe back to 1)


b) examples (papers)

I know there have been some articles on penetration testing on the Web. I
don't have these at hand though. If you want to know where to find these
articles I can look the URLs up for you... so let me know then

If you want some more information, email me privately so maybe we can work
something out...

c) news of commercial products, because I may want to take them on board
to sell to my customers

What do you mean? You already got the information on ISS and Ballista as
given to you as a reply on your initial question.


d) news of other (less common) packages that you can't get from every
wanna-be hacker or security experts page!! ;-)

Mmm.. now you are entering the proprietary testing toolkits :-)) What I use
is some combination of freely available software and commercial software.
Most things I have modified for my own needs or I have added scripts and
programs etcetera. These scripts merely consist of expect/perl scripts to
automate manual testing. Also, netcat is very useful, as are ipsend or CAPE
from the Ballista package.

And of course tcpdump and/or tcpshow prove very useful.... 


e) I want to hear from anyone who may be interested in having their
products marketed by quite a large Security organisation over in the UK
to the financial communities (Thanks Marcus and Frank!)

Unfortunately I do not have a product to market, just services... :-))


...and so far I am really grateful for all the replies and information
which I will be following up on next week

Finally, has anyone heard on the Intranet penetration testing tool
Netech (I think that's the spelling)? It's an Israeli product.

Never heard of it.


Thanks in anticipation.


You're welcome

Gr. Arjan

--
Eat hard
Sleep hard
Wear glasses if you need them
