Penetration Testing mailing list archives

Re: [PEN-TEST] Hypothetical Wargaming


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Wed, 11 Oct 2000 07:33:36 -0700

H Carvey wrote:

> Assume you're given a pen test.  All you have is a
> domain name.  A couple of quick checks tell you
> that the systems in question are Win32 machines.
>
> Your goal is to "tag" a file.  No DoS allowed.

I always assume that a DoS is cheating. Besides, any machine/network can
be dossed -- proves nothing about the security of the site.

> IIS, Exchange, and MS DNS are being used.

Assuming a little lead time, I start looking for the domain name out in
the live world. Search engines are a wonderful thing, and people who are
happy to make posts describing their brand new machine, and its setup,
certainly make it easier to find a way in. I also consider the
geographical area.

> What steps do you take?  At each step, what do you
> hope to gain, and what programs/scripts/techniques
> do you use (give program name, and command line
> switches/GUI options)?

First and foremost, what geographical region is it in? If it's the
central US, I know that those folk have less attempts to deal with, and
are less likely to have stayed up with the latest patches. This makes
the MS databases on service packs and hot fixes an excellent resource.
Geographical areas are also a help if you are trying random passwords,
or constructing new dictionaries (assuming that you've acquired a nice
SAM to play with).

If it's the coasts in the US, or any of the more serious countries (such
as Israel or Germany), I expect to find other things not mentioned in the
list above, since the bar for security is set a little higher (da skript
kids have more skilz).

I would probably not use a tool like firewalk against something so
fragile as the setup above, since many NT based solutions seem to think
that even the gentlest firewalk is a DoS. I would certainly use nmap and
a stealth scan against the IP space, since it might turn up something
that would point out the easiest targets.

> At each step, assume both NT and Win2K.

While we are thinking on this subject, I wonder how many folk here use
the more intrusive tools, or have written tools of their own that are
more aggressive than, say, nmap or ISS?

.shrdlu

--
Real programmers disdain structured programming.  Structured
programming is for compulsive neurotics who were prematurely
toilet-trained.  They wear neckties and carefully line up
pencils on otherwise clear desks.