Metasploit mailing list archives

Pen-Testing and Metasploit Question


From: metafan at intern0t.net (MaXe)
Date: Wed, 22 Apr 2009 18:50:25 +0200

Professor 0110 wrote:
Thanks for the replies everyone! :) 

@metafan
Now about the tools, BackTrack is sufficient though if your company 
(or yourself) has enough money then go buy Core Impact. Then you'll 
have everything you need and you don't really need any skills.

How many exploits are included with Core Impact currently? 

@The Doctor 

Greetings, salutations, and health.

Thank you. Same for you. :) 

There are also sometimes surprises in the networks that you
may be tasked with testing - undocumented firewalls protecting a
particular project's enclave, for example.  Scan it all you want, it
looks locked down tighter than a drum, but you might not know about the
Server 2k machines behind it that have not been patched in years...

How would one expect to circumvent a firewall such as this without 
stumbling upon a previously undiscovered vulnerability?


My apologies if this sounds disjointed, I'm writing it off and on all
day at work.  It's kind of busy right now.

Thank you for taking the time to answer my questions. :D 

Do you have any questions that I could answer?

You're obviously a professional penetration tester, so I was wondering 
what tools you use on the job. Also, do you use exploits off milw0rm 
and places such as that? Or do you use products such as Metasploit and 
Core Impact for the most part? 

Also, an open question here to everyone: Is it really necessary to 
employ both Nmap and Nessus if Nmap can identify open ports, listening 
services, associated versions, and the operating system? I'm saying 
this because if I see an open port with a listening service, I can 
search whether that version of software listening on the open port is 
vulnerable to an exploit. If it is, I can attempt to exploit it. 

Also, one thing: Would it be possible to perform a Pen Test with just 
Nmap, Metasploit and various Network Tools such as Ping, WHOIS, etc.? 

Finally, what are the recommended tools that a Pen Tester should have 
in his/her toolkit? 

Thanks,

Professor 0110



Core Impact contains a sufficient number of exploits; however, no one 
really buys Core Impact unless they have way too much money :-)

You can use milw0rm, SecurityFocus etc. and all those places IF you have 
permission to penetrate (which not many companies want; they just want 
to know if you might be able to, at least here).

About Nessus and Nmap: no, you don't have to use both, but if you're on 
a tight time limit and you're on an internal network scanning 30-50 
computers with 10 processes on each, where most of them might be 
different for each computer, how are you going to find the time? Anyway, 
that's my point: time. Nessus does a few good things and has some 
vulnerability recognition that not many other tools/programs have, even 
though I usually booted it up to start with and then used tools like 
nmap meanwhile.

Is it possible to do a pentest with the above tools? Sure; for an 
internal scenario (e.g. about disgruntled employees) you might go like 
this: nmap on ports 135 and 445, Metasploit detect version (smb, it's 
really good imho), MS08_067 if it's not patched, done. If the scenario 
was only about gaining access to computers, yes, the method looked quite 
inadequate and perhaps even script kiddie, but it's a common flaw on many 
internal systems not to get patches deployed right away, unfortunately. 
(I could go on forever.)

So what are the recommended tools? Hmm... doesn't that depend on the 
situation? I would say BackTrack + some tools that are not included 
and/or custom scripts to help you. If you want some material to read, 
perhaps The Penetration Tester's Open Source Toolkit vol. 2? I've read 
that a few times and I really liked it; it opened my eyes to using the tee 
pipe ;-) nmap -sP 192.168.0.0/24 | tee ~/pentest-company/nmap_ping_scan.log 
is really just an example.

If you need some ways to do a pen test and similar efficiently, perhaps 
read some penetration frameworks ("manuals") or pentesting methods? (I 
think HD Moore has even made one I read a few times as well, a PDF paper.) 
If it still doesn't work out for you, I suggest getting a CISSP or whatever 
you might think would be good. If you live in the US, it's probably a 
good idea, I guess.


Best Regards,
MaXe
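The tee pipe MaXe mentions, as an added shell example that is not code from the post or from any tool it names: a small wrapper that appends a timestamped record of whatever command you run to an engagement log while still showing the output on the terminal. The log location and the constructed stand-in command are assumptions. The detail the one-liner hides is that a plain pipe into tee reports tee's exit status, not the scanner's, so a run that died early would look like success to any script around it; the wrapper passes the real status back out.

```shell
#!/bin/sh
# Added example, not from the original post: run a command so its output
# is shown on the terminal AND appended to an engagement log, in the
# spirit of "nmap -sP 192.168.0.0/24 | tee ~/pentest-company/nmap_ping_scan.log".
# Unlike the bare pipe, it returns the command's own exit status
# (a plain pipeline's status is tee's, so a scanner that failed would
# look like success).

# log_run LOGFILE COMMAND [ARGS...]
# Appends a timestamp header plus the command's stdout+stderr to LOGFILE,
# echoes the same output to the terminal, and returns the command's status.
log_run() {
    logfile=$1
    shift
    mkdir -p "$(dirname "$logfile")" || return 1
    printf '=== %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$logfile"
    # The pipeline's status is tee's, so the command's status is carried
    # out of the subshell through a temporary file instead.
    status_file=$(mktemp) || return 1
    {
        status=0
        "$@" 2>&1 || status=$?
        echo "$status" > "$status_file"
    } | tee -a "$logfile"
    rc=$(cat "$status_file")
    rm -f "$status_file"
    return "$rc"
}

# log_entries LOGFILE: number of runs recorded in LOGFILE (one header each);
# 0 if the log does not exist yet.
log_entries() {
    if [ -f "$1" ]; then
        grep -c '^=== ' "$1"
    else
        echo 0
    fi
}

# Demo with a constructed command standing in for the post's nmap sweep.
# The directory is a throwaway; in practice use your engagement folder
# (the post's ~/pentest-company/ is one choice).
demo_dir=$(mktemp -d)
log_run "$demo_dir/nmap_ping_scan.log" printf 'Host 192.168.0.10 appears to be up (constructed sample).\n'
echo "runs logged: $(log_entries "$demo_dir/nmap_ping_scan.log")"
```

Because every run gets a header with the UTC time and the exact command line, the log doubles as the evidence trail for the report, which matters more than the convenience of seeing output live.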
