Penetration Testing mailing list archives
Re: [PEN-TEST] First step of a pen-test
From: Wandering One <wanderingone () core com>
Date: Wed, 20 Sep 2000 15:58:18 -0500
What is the industry norm for _beginning_ a pen-test after the contract has been made? Would one first map the network? Try to war-dial the exchange for possible remote-access machines (pcAnywhere, etc.)? VRFY email addresses to look for user logins? Is it typical to ask for information about the network (i.e. network architecture) beforehand, or do most pen-tests start "blindly" and do the network reconnaissance? Thanks to anyone who addresses even one of my many questions.
Two main approaches exist:

1) You have some or all of the high-level info the client has, and they want you to audit their existing security by PEN-TEST.

2) You have limited to no info and are asked to give a hacker's viewpoint. As mentioned, this could add to cost, for a variety of reasons.

First, in order to map the network, I'd either have had to be granted access or already have performed a few of the following steps. Even before the next three steps, a day or two in the library with a few good industry rags and a little research on the company is especially good for a blind PEN-TEST. The more information that you have, the better prepared you are. None of this is necessary if you are doing an in-house audit (which is usually the majority of the assignments), but you never know. Most training is for exactly that, in-house audits. Some in-house audits may be blind audits as to how good the existing team is doing, and so you may not have all the co-operation necessary to make the job easy on yourself.

1) Go to ARIN and gather some intel on available IP addresses for the company, if any are registered.

2) After that, stop off at Network Solutions and do a whois for domain names.

3) A quick stop on the Internet at one of the searchable databases for yellow-page information (411, etc.) to see about phone numbers, if they are listed.

Then yes, I'd map out the network a bit. I like to narrow it down to approved IP ranges from the outside (if I'm offsite and going from there), just to not accidentally hit a site that doesn't appreciate mapping efforts. NMAP is quick and dirty for this and does a good job. If I'm internal, same thing, but not as worried about IP ranges unless it is in the contract as to what IP ranges are acceptable to map out and test (i.e. "we'd like you to test our back-office accounting systems but not hit the production web servers within this scope").

WAR-DIAL if it is within the scope of the project; if not, I can still run a quick scanner that would show me whether backdoor/administrative tools like pcAnywhere, BackOrifice, NetBus, etc. exist on the network. Now, from the outside I could log into their listed MX and other servers looking for the ability to VRFY email addresses, zone-transfer the DNS, and other likewise information-gathering type activities (this is still mapping the network). Zone transfers, if allowed, can be piped directly into nmap, if and once I'm onsite to their systems, if their firewalls and the like are set up properly.

It takes a bit longer to do it blindly than going in with full or some info, but I have seen it where the company would request two teams simultaneously working on the system, one with info, the other working blindly. Neither team would be allowed to talk to the other. The internal team does an audit of the existing systems, policies and procedures and how well they are followed, reinforced by the second team's findings compiled from all the sources, including social engineering. Social engineering will sometimes be a better guide to the policies and procedures being followed than an internal audit.

'BLIND' PEN-TESTs are kinda misleading, as you do get some information during the interview and/or contract under which you are working. Social engineering used at the time of the contract signing will enable some information to be obtained that could be used to narrow the future information-gathering techniques. It's not like you won't know a few things coming out of the meeting that most outside-view crackers would not know without having to do the research. You have the names of managers as well as the address as well as a main phone number and a few other facts. Names of managers, especially the security officer's name or the HR manager's name, could be somewhat useful.

Of course, all of the above comments are pretty simplistic and by no means cover the extent of any steps taken, as each situation and contract is different, but there should be a set of steps that could be universally used in PEN-TESTs of all flavors. Remove the steps that the contract doesn't allow or forbids and go from there.

Maybe another discussion for this list could be what steps you would take in an all-out PEN-TEST. In other words, what are the steps if you were to start from scratch today on a company you just signed yesterday, where all you knew about the company was what was on the contract that you signed and the couple of people you met on the 'interview' day(s) when they asked your company to do this penetration test? Assuming that you get full permission to do the works, and give them a full report on every aspect in which their security is lacking, including any relevant risk assessments.

Wandering One
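The "zone transfer piped into nmap" step above, combined with the earlier point about narrowing the scan to approved IP ranges so you don't hit someone else's network, as an added example that is not part of the original post or any tool the post names. It assumes the text format BIND's `dig ... axfr` prints; the zone data, the hostnames and the `192.0.2.0/24` scope are constructed, and the nmap command line is built but not executed. The port numbers are the well-known defaults for the remote-control tools the post mentions (pcAnywhere TCP 5631/UDP 5632, NetBus TCP 12345-12346, Back Orifice UDP 31337).

```python
"""Turn a DNS zone transfer into an in-scope nmap target list.

Added example, not code from the original mailing-list post. Assumes the
output format of `dig @ns example.com axfr`; all sample data is constructed.
"""
import ipaddress
import re
import sys

# Constructed sample of what `dig @ns1.example.com example.com axfr` might print.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @ns1.example.com example.com axfr
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2000092001 3600 900 604800 86400
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
ns1.example.com.        3600    IN      A       192.0.2.10
mail.example.com.       3600    IN      A       192.0.2.25
www.example.com.        3600    IN      A       192.0.2.80
www.example.com.        3600    IN      A       192.0.2.81
acct.example.com.       3600    IN      A       10.1.5.40
partner.example.com.    3600    IN      A       198.51.100.7
ftp.example.com.        3600    IN      CNAME   www.example.com.
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2000092001 3600 900 604800 86400
;; Query time: 12 msec
"""

# Only A records carry addresses we can scan; SOA/NS/MX/CNAME lines are skipped.
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Default ports of the remote-access tools named in the post (assumed defaults).
TCP_PORTS = {"pcanywhere": [5631], "netbus": [12345, 12346]}
UDP_PORTS = {"pcanywhere": [5632], "backorifice": [31337]}


def parse_a_records(axfr_text):
    """Return a list of (hostname, ip) tuples from the A records in AXFR output."""
    records = []
    for line in axfr_text.splitlines():
        if not line or line.startswith(";"):  # dig banner and footer comments
            continue
        m = A_RECORD.match(line)
        if m:
            records.append((m.group(1).rstrip("."), m.group(2)))
    return records


def in_scope_targets(records, allowed_cidrs):
    """Split addresses into those inside the contracted ranges and those outside.

    Returns (sorted unique in-scope IPs, list of (host, ip) that were dropped)
    so the out-of-scope hosts can be reported to the client, not scanned.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    keep, dropped = set(), []
    for host, ip in records:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets):
            keep.add(ip)
        else:
            dropped.append((host, ip))
    return sorted(keep, key=ipaddress.ip_address), dropped


def nmap_command(targets_file):
    """Build the nmap invocation for the remote-access ports (not executed here).

    nmap accepts T:/U: prefixes in -p to mix TCP and UDP ports in one run.
    """
    tcp = sorted({p for ps in TCP_PORTS.values() for p in ps})
    udp = sorted({p for ps in UDP_PORTS.values() for p in ps})
    spec = "T:" + ",".join(map(str, tcp)) + ",U:" + ",".join(map(str, udp))
    return "nmap -sS -sU -p %s -iL %s" % (spec, targets_file)


if __name__ == "__main__":
    # Real use: dig @ns1 example.com axfr > zone.txt; python3 this.py zone.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AXFR
    targets, dropped = in_scope_targets(parse_a_records(text), ["192.0.2.0/24"])
    for ip in targets:
        print(ip)  # redirect to targets.txt and feed to -iL
    for host, ip in dropped:
        print("# out of scope, not scanned: %s %s" % (host, ip), file=sys.stderr)
    print("# " + nmap_command("targets.txt"), file=sys.stderr)
```

The scope filter is the part worth keeping even if you never script the rest: the constructed zone leaks an RFC 1918 address (`acct.example.com`) and a host parked at a third party's netblock (`partner.example.com`), and both would be scanned by a naive `grep A | awk | nmap -iL` pipeline. Dropping them here and reporting them separately is what keeps an external test inside the contract.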
Current thread:
- [PEN-TEST] First step of a pen-test Christopher M. Bergeron (Sep 19)
- Re: [PEN-TEST] First step of a pen-test Tom Litney (Sep 19)
- Re: [PEN-TEST] First step of a pen-test Teicher, Mark (Sep 19)
- [PEN-TEST] LDAP-nullbase krisk (Sep 20)
- Re: [PEN-TEST] LDAP-nullbase Brian Conte (Sep 20)
- Re: [PEN-TEST] LDAP-nullbase spi (Sep 20)
- [PEN-TEST] LDAP-nullbase krisk (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Erik Tayler (Sep 20)
- Re: [PEN-TEST] First step of a pen-test van der Kooij, Hugo (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Wandering One (Sep 20)
- <Possible follow-ups>
- Re: [PEN-TEST] First step of a pen-test Dunker, Noah (Sep 19)
- Re: [PEN-TEST] First step of a pen-test Tonick, Mike (Sep 19)
- Re: [PEN-TEST] First step of a pen-test Jason Stout (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Teicher, Mark (Sep 20)
- [PEN-TEST] anyone using firewalking? The Picard (Sep 20)
- Re: [PEN-TEST] anyone using firewalking? Jonathan Rickman (Sep 21)
- Re: [PEN-TEST] anyone using firewalking? El Nahual (Sep 21)
- Re: [PEN-TEST] First step of a pen-test Teicher, Mark (Sep 20)
- Re: [PEN-TEST] First step of a pen-test H Carvey (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Loschiavo, Dave (Sep 20)
- Re: [PEN-TEST] First step of a pen-test Max Vision (Sep 20)