Penetration Testing mailing list archives

Re: [PEN-TEST] Noisy or stealthy?


From: Don Bailey <baileydl () MITRE ORG>
Date: Wed, 8 Nov 2000 11:50:51 -0500

Nicolas Gregoire wrote:

When you are doing some pen-tests, do you use the noisy way (full port
range scan, a lot of scanning for cgi without IDS evasion techniques,
brute force attacks on FTP) or the stealthy one?

I believe this is dependent on the event and type of attacks you are
trying to emulate.

For example, if you are in the midst of an eval that has "good-guys",
you are obviously not going to blast away at targets.  Instead, you
slowly probe specific known addresses based on previous intelligence
data, possibly compromise them, and begin racking up "stations" to hop
from.  Depending on the time allocated for the testing, you may even
decrease the speed of scans to a trickle in an effort to fly below IDS
thresholds--although it is rare that you ever have enough time to do
this.  When time is a factor, yet you still wish to give yourself an
edge over the admins, scans in the midst of scripts that toss garbage at
your targets may help in keeping the good-guys off your back or in a
state of doubt--but usually only for a short while.  You should plan on
switching attack locations as a contingency for ACLs that start being
implemented.

For testing that occurs with the admins' full knowledge (i.e. "today I
will be scanning this range of your network for vulnerabilities...
you're welcome to watch."), then by all means, whip out CyberCop and the
rest of the bag of noisy tricks for an overnight fest, come back in the
next morning, and evaluate your results.

Sincerely,

Don
--
Don Bailey
INFOSEC Engineer/Scientist
Secure Information Technology
The MITRE Corporation


