Re: [PEN-TEST] First step of a pen-test

["Tonick, Mike" <Mike.Tonick () PS NET>]

I may be even more rusty than you...but, wouldn't the following be right?
sed 's/ /\\n/g'
-----Original Message-----
From: Dawes, Rogan [mailto:rdawes () DELOITTE CO ZA]
Sent: Thursday, September 21, 2000 2:00 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: First step of a pen-test


Try something like wget

e.g.

$ wget -r -l 5 http://www.example.com (specify html files only, no images,
an appropriate level of recursion, etc)
$ find www.example.com/ -name \*.htm\* -type f -print | xargs cat |
"translate spaces to \n" | sort | uniq > wordlist

(My sed is rusty, but I guess "translate spaces to \n" could be somthing
like sed 's/ /\n/g' )

You will end up with a bunch of HTML tags, and URL's as well, but those you
can filter if you want to.

Rogan

> -----Original Message-----
> From: Loschiavo, Dave [mailto:DLoschiavo () FRCC CC CA US]
> Sent: Wednesday, September 20, 2000 8:27 PM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] First step of a pen-test
>
>
> With checking out the website being a first step...
>
> Does anyone know if there is a tool that will comb through a
> website to pull
> nouns down into a dictionary file that you use for a
> customized dictionary
> attack specific to that company?
>
> -----Original Message-----
> From: Erik Tayler
> To: PEN-TEST () SECURITYFOCUS COM
> Sent: 9/19/00 9:25 AM
> Subject: Re: [PEN-TEST] First step of a pen-test
>
> In my experience, the first step of a pen-test is the recon &
> enumeration. Personally, I research the company, find out as much
> information I can from their webpages, or from google
> (employees, recent
> acquisitions and the like). For example, if Company ABC recently
> acquired Company DEF, they might have improperly assimilated Company
> DEF's network architecture into their own, which might be a gateway of
> sorts into penetrating Company ABC's systems. Gathering names of
> employees and important persons from the web would be a good start for
> the social engineering aspect of things. After that I would typically
> map the network according to operating system, listening services, et
> cetera. If routers/firewalls block the presence, planning of
> some source
> routing attacks would happen. One of the last steps [for me] is banner
> grabbing, checking versions of listening services and such,
> and finally
> exploiting known [and sometimes unknown holes]. This process
> varies from
> person to person, whatever makes you comfortable.
>
> Erik Tayler
> http://www.14x.net
> http://www.digitaloffense.net
>
> "Christopher M. Bergeron" wrote:
> > What is the industry norm for _beginning_ a pen-test after the
> contract has been made?  Would one first map the network?  Try to
> war-dial the exchange for possible remote (pcanywhere, etc). access
> machines?  VRFY email addresses to look for user logins?  Is
> it typical
> to ask for information about the network (ie. network architecture)
> beforehand or do most pen-tests start "blindly" and do the network
> reconnaissance.
> > Thanks to anyone who addresses even one of my many questions.