Metasploit mailing list archives
Pen-Testing and Metasploit Question
From: metafan at intern0t.net (MaXe)
Date: Wed, 22 Apr 2009 18:50:25 +0200
Professor 0110 wrote:
Thanks for the replies everyone! :)

@metafan
Now about the tools, BackTrack is sufficient though if your company (or yourself) has enough money then go buy Core Impact. Then you'll have everything you need and you don't really need any skills.

How many exploits are included with Core Impact currently?

@The Doctor
Greetings, salutations, and health.

Thank you. Same for you. :)

There are also sometimes surprises in the networks that you may be tasked with testing - undocumented firewalls protecting a particular project's enclave, for example. Scan it all you want, it looks locked down tighter than a drum, but you might not know about the Server 2k machines behind it that have not been patched in years...

How would one expect to circumvent a firewall such as this without stumbling upon a previously undiscovered vulnerability?

My apologies if this sounds disjointed, I'm writing it off and on all day at work. It's kind of busy right now.

Thank you for taking the time to answer my questions. :D

Do you have any questions that I could answer?

You're obviously a professional penetration tester, so I was wondering what tools you use on the job. Also, do you use exploits off milw0rm and places such as that? Or do you use products such as Metasploit and Core Impact for the most part?

Also, an open question here to everyone: Is it really necessary to employ both Nmap and Nessus if Nmap can identify open ports, listening services, associated versions, and the operating system? I'm saying this because if I see an open port with a listening service, I can search whether that version of software listening on the open port is vulnerable to an exploit. If it is, I can attempt to exploit it.

Also, one thing: Would it be possible to perform a Pen Test with just Nmap, Metasploit and various Network Tools such as Ping, WHOIS, etc, etc?

Finally, what are the recommended tools that a Pen Tester should have in his/her toolkit?

Thanks,
Professor 0110
Core Impact contains a sufficient amount of exploits, however no one really buys Core Impact except if they've got way too much money :-) You can use milw0rm, SecurityFocus etc. and all those places IF you have permission to penetrate (which not many companies want; they just want to know if you might be able to, at least here).

About Nessus and Nmap: nope, you don't have to use both, but if you're on a tight time limit and you're on an internal network scanning 30-50 computers with 10 processes on each, where most of them might be different for each computer, how are you going to find the time? Anyway, that's my point: time. Nessus does a few good things and has some vulnerability recognition that not many other tools/programs have, even though I usually booted it up to start with and then used tools like nmap meanwhile.

Is it possible to do a pentest with the above tools? Sure. For an internal scenario (e.g. about disgruntled employees) you might go like this: nmap on ports 135 and 445, Metasploit detect version (SMB, it's really good IMHO), MS08_067 if it's not patched, done. If the scenario was only about gaining access to computers, yes the method looked quite inadequate and perhaps even script kiddy, but it's a common flaw on many internal systems not to get patches deployed right away, unfortunately. (I could go on forever.)

So what are the recommended tools, hmm... Doesn't that depend on the situation? I would say BackTrack + some tools that are not included and/or custom scripts to help you. If you want some material to read, perhaps The Penetration Tester's Open Source Toolkit vol. 2? I've read that a few times and I really liked it; it opened my eyes to using the tee pipe ;-)

nmap -sP 192.168.0.0/24|tee ~/pentest-company/nmap_ping_scan.log

is really just an example. If you need some ways to do a pen test and similar efficiently, perhaps read some penetration frameworks ("manuals") or pentesting methods? (I think HD Moore has even made one I read a few times as well, a PDF paper.) If it still doesn't work out for you I suggest getting a CISSP or whatever you might think would be good. If you live in the US, it's probably a good idea I guess.

Best Regards,
MaXe
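The internal-network flow MaXe sketches above (nmap on 135/445, then Metasploit's SMB version detection) together with the tee tip, as an added shell example that is not part of the original post and is not code from nmap or Metasploit: it parses nmap's grepable (-oG) output for hosts with 445 open, saves the target list with tee, and writes a msfconsole resource script that runs auxiliary/scanner/smb/smb_version against them. The nmap output is a constructed sample embedded inline so the script runs offline; the 192.168.0.0/24 range, the file paths under ~/pentest-company and $TMPDIR, and the THREADS value are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): nmap -oG output -> target list
# -> Metasploit resource script for auxiliary/scanner/smb/smb_version.
#
# On a live engagement the input would come from (range/path are assumptions):
#   nmap -sS -p 135,445 -oG - 192.168.0.0/24 | tee ~/pentest-company/nmap_smb.gnmap
# Here a constructed sample stands in for it so the script runs offline.
# Real -oG output separates fields with tabs; spaces are used below, and awk
# splits on either.

# Constructed sample: .10 and .12 have 445 open, .11 has only 135 open,
# .13 is filtered on both.
SAMPLE_GNMAP='# Nmap (constructed sample, not real scanner output)
Host: 192.168.0.10 ()   Status: Up
Host: 192.168.0.10 ()   Ports: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///
Host: 192.168.0.11 ()   Status: Up
Host: 192.168.0.11 ()   Ports: 135/open/tcp//msrpc///, 445/closed/tcp//microsoft-ds///
Host: 192.168.0.12 ()   Status: Up
Host: 192.168.0.12 ()   Ports: 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///
Host: 192.168.0.13 ()   Status: Up
Host: 192.168.0.13 ()   Ports: 135/filtered/tcp//msrpc///, 445/filtered/tcp//microsoft-ds///
# Nmap done'

# hosts_with_open_port PORT
#   Reads -oG lines on stdin and prints, one per line and de-duplicated, the
#   address of every host on which PORT is reported as open. The leading
#   space in the pattern keeps "45/open" from matching "445/open".
hosts_with_open_port() {
    port="$1"
    awk -v p="$port" '/^Host: / && $0 ~ (" " p "/open/") { print $2 }' | sort -u
}

# write_msf_rc
#   Reads target addresses on stdin and prints a msfconsole resource script
#   that fingerprints SMB on all of them. RHOSTS takes a space-separated
#   list, so the newline-separated input is joined on one line. Fails with
#   status 1 when there are no targets, so an empty scan does not produce a
#   resource script with an empty RHOSTS.
write_msf_rc() {
    hosts=$(tr '\n' ' ' | sed 's/ *$//')
    [ -n "$hosts" ] || { echo "write_msf_rc: no targets" >&2; return 1; }
    printf 'use auxiliary/scanner/smb/smb_version\n'
    printf 'set RHOSTS %s\n' "$hosts"
    printf 'set THREADS 4\n'   # assumed value; tune to the engagement
    printf 'run\n'
}

# Demo on the constructed sample. tee keeps a copy of each stage on disk,
# as in the post's nmap_ping_scan.log tip; $TMPDIR is an assumed location.
OUT="${TMPDIR:-/tmp}"
printf '%s\n' "$SAMPLE_GNMAP" \
    | hosts_with_open_port 445 \
    | tee "$OUT/smb_targets.txt" \
    | write_msf_rc \
    | tee "$OUT/smb_version.rc"
# Then, on a real engagement:  msfconsole -q -r "$OUT/smb_version.rc"
```

The same target list is what you would hand to the module for the MS08-067 bug the post mentions (exploit/windows/smb/ms08_067_netapi) once smb_version has told you which hosts are old enough to be worth it; keeping the list and the resource script on disk via tee is what makes the run reproducible in the report.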