Penetration Testing mailing list archives
Re: [PEN-TEST] First step of a pen-test
From: H Carvey <keydet89 () YAHOO COM>
Date: Wed, 20 Sep 2000 10:11:39 -0000
> What is the industry norm for _beginning_ a pen-test after the contract has been made?

As others have said, it depends upon the scope of the work. I prefer an internal (in-house) assessment, as it uncovers much more than a pen test. However, if the pen-test is what's called for, you need to develop a footprint of the system you're dealing with. Keep in mind...there really is no such thing as an "industry norm". Certain factors come into play, such as the scope of the contract (very important!!), what info you're given, etc.

Generally, the way I like to start my footprinting is with a multi-phase approach. In the first phase, collect info from sources other than the target itself...Mark mentioned WHOIS and SEC/EDGAR searches. This is a good way to get things like names, email addresses, phone numbers, addresses (some of which can be useful if social engineering is called for). If you have access to a Lexis/Nexis account, you can find a lot out about the company, as well. Search media sources for names of key individuals, and references to what the target's business is...what they do. Do searches of public online databases...DogPile, Deja, etc. If you have a domain name ("example.com"), look for Usenet entries or even Web pages that contain "@example.com" or even any of the email addresses you've already collected.

A good example is that the biotech industry has a web site based in the UK for trading company gossip back and forth. Many posts contain valid email addresses. Another example is that on 11 Nov '98, a telecomm company had a huge rollout...big full page ads in the papers as well as major space in Times Square and the subways of NY. That day, someone posted on a telecomm newsgroup asking what the company was up to...the responses that followed contained detailed info, such as domain zone transfers, identification of multiple ISPs servicing the organization...all very useful to an attacker.

Later searches also revealed that the person maintaining an online billing system was having trouble, and posted (from his company account) a complete description of the entire billing platform...machines, how many, what OSes and applications, etc. The point is that you can find a lot out about an organization without ever sending a packet anywhere near their systems.

Once you develop a profile in accordance with the contract (based on provided info, time, etc.) you may then decide to move on toward active probing of the network. Start small/slow...use nmap to perform stealth scans of only limited ranges of ports. Attempt to identify systems by function, or some other criteria. Once you have an idea of what types of machines you're dealing with, focus your attempts to gain access based on the system. Too many times you'll see someone just identify a range of IP addresses and plug them into ISS w/ a full profile. Not elegant at all...very noisy... Once you identify systems, you're well on your way...

Just my $0.02...

carv
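The passive phase described in this post (searching public posts for "@example.com" and for hostnames under the domain) is something a defender can run against their own organization's footprint to see what has already leaked. The following is an added example, not code from the poster or the list: a small exposure audit that takes a set of public posts (a constructed, labelled sample is embedded inline; the domain `example.com`, the `audit_posts` function and the `Exposure` record are all assumptions of this example) and reports which company addresses and hostnames appear, and which posts name both at once, i.e. the "posted from his company account with the whole platform described" pattern.

```python
import re
from dataclasses import dataclass, field

# Constructed sample "public posts" for the audit. These are not real data;
# they stand in for Usenet/web hits that a search for "@example.com" might return.
SAMPLE_POSTS = [
    "Anyone know what Example Corp is rolling out? Mail from postmaster@example.com "
    "has been bouncing all week.",
    "Re: billing platform trouble -- we run four boxes, bill01.corp.example.com and "
    "bill02.corp.example.com among them, all on the same OS build. -- j.smith@example.com",
    "Unrelated post, reach me at someone@other.net",
    "Try mailing helpdesk@Example.COM or check http://www.example.com/support",
]

# Generic email pattern; results are filtered to the audited domain afterwards.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _host_re(domain):
    # Hostnames with at least one label in front of the domain. The negative
    # lookbehind stops a match from starting inside an email address
    # ("user@example.com") or in the middle of a longer hostname.
    return re.compile(
        r"(?<![@\w.-])((?:[A-Za-z0-9-]+\.)+" + re.escape(domain) + r")\b",
        re.IGNORECASE,
    )


@dataclass
class Exposure:
    emails: set = field(default_factory=set)        # addresses at the audited domain
    hosts: set = field(default_factory=set)         # hostnames under the audited domain
    post_indexes: list = field(default_factory=list)   # posts mentioning the domain at all
    combined_posts: list = field(default_factory=list) # posts naming an address AND a host


def audit_posts(posts, domain):
    """Scan each post for addresses and hostnames belonging to `domain`."""
    domain = domain.lower()
    host_re = _host_re(domain)
    result = Exposure()
    for i, text in enumerate(posts):
        emails = {m.lower() for m in EMAIL_RE.findall(text)
                  if m.lower().endswith("@" + domain)}
        hosts = {m.lower() for m in host_re.findall(text)}
        if emails or hosts:
            result.post_indexes.append(i)
        result.emails |= emails
        result.hosts |= hosts
        # A company address next to internal hostnames in one post is the
        # "described the whole platform from his work account" case.
        if emails and hosts:
            result.combined_posts.append(i)
    return result


def report(exposure):
    """Render the audit result as plain text lines."""
    lines = ["addresses: " + ", ".join(sorted(exposure.emails)),
             "hostnames: " + ", ".join(sorted(exposure.hosts)),
             "posts mentioning the domain: " + str(exposure.post_indexes),
             "posts naming both an address and a host: " + str(exposure.combined_posts)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_posts(SAMPLE_POSTS, "example.com")))
```

Run on the embedded sample it reports three addresses, three hostnames, and flags posts 1 and 3 as the ones that pair a company address with a company hostname; in practice the input would be the text of your own search hits, and the flagged posts are the ones worth following up with the people who wrote them.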