Penetration Testing mailing list archives

Re: Optimizing time in a pen-test


From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 15 Feb 2008 13:35:16 +0100 (ora solare Europa occidentale)

Hello,

On Wed, 13 Feb 2008, Pen Testing wrote:

Hello pen-testers,

I need advice on how to economize time in a pen-test. For instance, let's
imagine the following (exaggerated) scenario where you've got only 1-2
days to perform a black-box testing over a very large enterprise subnet.
You don't have time to perform a general scanning with
Nessus/nmap/whatever (think in a class-B network or some other huge
subnet; impossible to scan in one day, and moreover you'd have to add
more time to review/check scanning results... so it's prohibitive).

The question is: Which attacks/tools/options would you use and in which
order? Obviously you should only launch attacks where you'd expect
results in a brief time and/or you could launch several of them in
parallel (let's suppose you have only one laptop).

*** Disclaimer: don't blindly do what I'm saying, YMMV. ***

Just a few hints off the top of my head:

1) Start with an automated portscan of the whole enterprise network, using
   a fast portscanner. This way, you get the big picture of the target
   network spending only cpu-cycles instead of precious brain-time:
        - zucca scanner (http://lab.mediaservice.net/code/singsing/).
        - if you can enumerate active hosts (ICMP ECHO packets are often
          allowed), build a list of targets and work on that from now on.
        - arp-scan is cool too, if you're in a flat network.

2) While the scanner is running, perform some quick mass-information
   gathering tasks, e.g.:
        - CIFS enum (http://0xdeadbeef.info/code/samba-hax0r).
        - SNMP enum (http://www.phreedom.org/solar/onesixtyone/).
        - SMTP/FINGER/etc. enum (http://0xdeadbeef.info/code/brutus.pl)
          on UNIX hosts.
        - other services with known information leaks, such as LDAP.
        - as you said, sniffing can be very helpful too, even though I
          personally prefer active attacks;)

3) Launch some password guessing and "gentle" bruteforce attacks:
        - on Local and Domain users on Windows boxen, after verifying the
          account locking policy in use (try enum.exe): the aforementioned
          samba-hax0r script is pretty good for this task too.
        - on UNIX hosts (hydra, medusa, the aforementioned brutus.pl).
        - on network equipment (also, exploit rw SNMP communities you
          found during step 2 above).

4) Scan for your favorite subset of services with known vulnerabilities:
        - HINT#1: even if proper update procedures are in place (which is
          seldom the case anyway), third-party software will often be
          outdated and potentially vulnerable.
        - HINT#2: databases are usually a great entry point to OS command
          execution (not to mention the sensitive information they often
          contain;).

Based on what you've found so far, and with the help of the Customer if possible, select a sample of hosts as a subset of the scope and use it as the target: depending on the network size and architecture, you should still have plenty of time for an in-depth pen-test on the newly defined target sample. If you're not alone, distribute the workload among Red Team members.

Yeah, you don't even need exploits to perform a thorough pen-test. On this subject, see also hdm's remarkable work at:

http://www.metasploit.com/confs/blackhat2007/tactical_paper.pdf
http://www.metasploit.com/confs/blackhat2007/tactical_blackhat2007.pdf

Ciao,

--
Marco Ivaldi, OPST
Red Team Coordinator      Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
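The whole-network portscan and mass enumeration sweep described in steps 1 and 2 above is exactly the kind of activity a defender's perimeter logs should surface. As an added example that is not part of the original post, here is a small sweep detector run over a few constructed firewall log lines; the log format, the one-minute window and the eight-host threshold are assumptions, not anything from the thread.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>").
# 10.1.1.50 walks ten hosts on CIFS/SNMP/SSH ports in five seconds,
# 10.1.1.51 is normal web traffic, 10.1.1.52 is too slow to trip the rule.
SAMPLE_LOG = """\
2008-02-15T09:00:01 10.1.1.50 -> 172.16.0.1:445 DENY
2008-02-15T09:00:01 10.1.1.50 -> 172.16.0.2:445 DENY
2008-02-15T09:00:02 10.1.1.50 -> 172.16.0.3:445 DENY
2008-02-15T09:00:02 10.1.1.50 -> 172.16.0.4:161 DENY
2008-02-15T09:00:03 10.1.1.50 -> 172.16.0.5:161 ALLOW
2008-02-15T09:00:03 10.1.1.50 -> 172.16.0.6:22 DENY
2008-02-15T09:00:04 10.1.1.50 -> 172.16.0.7:22 DENY
2008-02-15T09:00:04 10.1.1.50 -> 172.16.0.8:139 DENY
2008-02-15T09:00:05 10.1.1.50 -> 172.16.0.9:139 DENY
2008-02-15T09:00:05 10.1.1.50 -> 172.16.0.10:445 DENY
2008-02-15T09:00:06 10.1.1.51 -> 172.16.0.20:443 ALLOW
2008-02-15T09:00:07 10.1.1.51 -> 172.16.0.20:443 ALLOW
2008-02-15T09:00:08 10.1.1.51 -> 172.16.0.20:80 ALLOW
2008-02-15T09:30:00 10.1.1.52 -> 172.16.0.30:445 DENY
2008-02-15T09:31:00 10.1.1.52 -> 172.16.0.31:445 DENY
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, _, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action

def detect_sweeps(log_text, window=timedelta(minutes=1), min_hosts=8):
    """Return {src: max_distinct_hosts} for every source that contacted at
    least min_hosts distinct destination hosts inside any sliding window.
    Distinct hosts (not ports) is the signal: a horizontal sweep touches
    many hosts on a few ports, which ordinary client traffic does not."""
    events = defaultdict(list)  # src -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst_ip, _, _ = parse_line(line)
            events[src].append((ts, dst_ip))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Advance the window start until all events fit in `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            hosts = {dst for _, dst in evs[lo:hi + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] = max(alerts.get(src, 0), len(hosts))
    return alerts
```

Tune the window and threshold to the network's normal fan-out; slow scanners deliberately stay under such thresholds, so correlate with account-lockout events from step 3 as well.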

