Re: [PEN-TEST] First step of a pen-test

[Wandering One <wanderingone () core com>]

> What is the industry norm for _beginning_ a pen-test after the
> contract has been made?  Would one first map the network?  Try to
> war-dial the exchange for possible remote (pcanywhere, etc).
> access machines?  VRFY email addresses to look for user logins?
> Is it typical to ask for information about the network (ie.
> network architecture) beforehand or do most pen-tests start
> "blindly" and do the network reconnaissance.
>
> Thanks to anyone who addresses even one of my many questions.

2 main different approaches exist:
1)  You have some or all high level info the client has and they want you to
audit by PEN-TEST their existing security
2)  You have limited to no info and are asked to give a hackers viewpoint.
As mentioned this could add to cost, for a variety of reasons.

First in order to map the network, I'd either have had to be granted access
or already have performed a few of the following steps:
Even before the next three steps a day or two in the library with a few good
industry rags and a little research on the company especially good for a
blind PEN-TEST.  The more information that you have the better prepared you
are, none of this is necessary if you are doing an in-house audit (which is
usually the majority of the assignments) but you never know.  Most training
is for exactly that, in house audits.  Some in-house audits may be blind
audits as to how good the existing team is doing, and so you may not have
all the co-operation necessary to make the job easy on yourself.

1)  go to ARIN and gather some intel on available ip addresses for the
company, if any are registered.
2)  after that stop off at networksolutions and do a whois for domain names
3)  A quick stop on the internet on one of the searchable databases for
yellow page information (411 etc...) to see about phone numbers if they are
listed.

Then yes I'd map out the network a bit, I like to narrow it down to approved
IP ranges from the outside (if I'm offsite and going from there) just to not
accidentally hit a site that doesn't appreciate mapping efforts.  NMAP is
quick and dirty for this and does a good job.  If I'm internal same thing
but not as worried about IP ranges unless it is in the contract as to what
IP ranges are acceptable to map out and test.  (I.E. we'd like you to test
our backoffice accounting systems but not hit the production WebServers
within this scope)

WAR-DIAL if it is within the scope of the project, if not I can still run a
quick scanner that would show me whether BackDoor/Administrative Tools like
PC-Anywhere, BackOrrifice, NetBus, etc... exist on the network.

Now from the outside I could log into their listed MX and other servers
looking for ability to VRFY email addresses, Zone-Transfer the DNS, and
other likewise information gathering type activities (this is still mapping
the network).  Zone-Transfers if allowed can be piped directly into nmap, if
and once I'm onsite to their systems if their firewalls and the like are
setup properly.

It takes a bit longer to do it blindly as to going in with full or some
info, but I have seen it where the company would request 2 teams,
simultaneously working on the system, 1 with info the other working blindly.
Neither team would be allowed to talk to each other.  The team internal does
an audit of the existing systems, policies and procedures and how well they
are followed re-enforced by the second team's findings compiled from all the
sources including social engineering.  Social Engineering will sometimes be
a better guide on the policies and procedures being followed then an
internal audit.

'BLIND' PEN-TEST's are kinda misleading as you do get some information
during the interview and or contract under which you are working.  Social
Engineering used at the time of the contract signing will enable some
information to be obtained that could be used to narrow the future
information gathering techniques.  It's not like you won't know a few things
coming out of the meeting that most outside view crackers would not without
having to do the research.  You have the name of managers as well as address
as well as a main phone number and a few other facts.  Name of managers,
especially the security officers name, or the HR managers name could be
somewhat useful.

Of course all of the above comments are pretty simplistic and by no means
cover the extent of any steps taken as each situation and contract is
different, but there should be a set of steps that could be universally used
in PEN-TESTs of all flavors.  Remove the steps that the contract doesn't
allow or forbids and go from there.

Maybe another discussion for this list could be what steps would you take in
an all-out PEN-TEST.  In other words what are the steps if you were to start
from scratch today on a company you just signed yesterday that all you knew
about the company was what was on the contract that you signed and the
couple of people you met on the 'interview' day(s) where they asked your
company to do this penetration test.  Assuming that you get full permission
to do the works, and give them a full report on every aspect that their
security is lacking including any relevant risk assessments.

Wandering One