Penetration Testing mailing list archives
RE: Penetration test of 1 IP address
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Wed, 8 Feb 2006 18:59:13 -0800
List members,

I allowed this question through even though it is, at its heart, a very basic question that should have gone to security-basics or some other relevant list. My goal in doing so was to hopefully garner responses which would show Edmond and other less-experienced pen-testers the thought processes behind how professionals break down engagements into various segments and proceed with what is, to many of us, a simple and non-complex task.

If this task was assigned to you how would you proceed? Why would you use the methods or tools chosen and how would your approach change based on the data you were able to collect? Maybe my method of approaching this would be radically different than yours. Maybe I might learn something I hadn't thought to try from this discussion. Sometimes the most basic questions can produce the most interesting discussions. So far, most of the responses received on Edmond's email have been... not very professional.

<rant>
I spend a fair amount of time every day in weeding through enormous buckets of spam and submissions looking for things that would interest list subscribers and adhere to the focus on pen-testing. Not all of the submissions are areas everyone has interest in or are things we've seen previously (rainbow tables again Mom?) but I'm constantly surprised by the level and breadth of knowledge shared here. I don't blindly approve submissions willy-nilly. I will very occasionally allow more basic questions through because sometimes the responses bring out some gem of knowledge from our more experienced members.

If you have an issue with something posted to the list please provide me with some feedback (aka complain to me, I wear asbestos underoos). Replying with something equivalent to "HAHA n00b! U Suxx0r!" is not something I condone or will allow on the list. To paraphrase an email last year from Al Huger prior to my taking over moderation duties: "If you can't say something nice, don't bother saying anything."
</rant>

So how bout it gang? You've been given some basic information on a target IP. It's running HTTP. It also has a login/password prompt. Where do you go from here and what information do you look for next?

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: Edmond Chow [mailto:echow () videotron ca]
Sent: Tuesday, February 07, 2006 10:45 PM
To: 'Michael Gargiullo'; pen-test () securityfocus com
Cc: 'Edmond Chow'
Subject: RE: Penetration test of 1 IP address

To all:

I have been asked to perform a security audit of 1 IP address for a client. They have given me the 1 IP address and a clue (webblaze). If I enter the IP address and then /webblaze, I am taken to a login page (user name and password requested).

What tools would you recommend that I use for this assignment?

Thanks for your help.

Regards,
Edmond