Penetration Testing mailing list archives
Re: Optimizing time in a pen-test
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 15 Feb 2008 13:35:16 +0100 (W. Europe Standard Time)
Hello, On Wed, 13 Feb 2008, Pen Testing wrote:
Hello pen-testers,

I need advice on how to economize time in a pen-test. For instance, let's imagine the following (exaggerated) scenario where you've got only 1-2 days to perform a black-box testing over a very large enterprise subnet. You don't have time to perform a general scanning with Nessus/nmap/whatever (think in a class-B network or some other huge subnet; impossible to scan in one day, and moreover you'd have to add more time to review/check scanning results... so it's prohibitive).

The question is: Which attacks/tools/options would you use and in which order? Obviously you should only launch attacks where you'd expect results in a brief time and/or you could launch several of them in parallel (let's suppose you have only one laptop).
*** Disclaimer: don't blindly do what I'm saying, YMMV. ***

Just a few hints off the top of my head:

1) Start with an automated portscan of the whole enterprise network, using a fast portscanner. This way, you get the big picture of the target network spending only CPU cycles instead of precious brain-time:
- zucca scanner (http://lab.mediaservice.net/code/singsing/).
- if you can enumerate active hosts (ICMP ECHO packets are often allowed), build a list of targets and work on that from now on.
- arp-scan is cool too, if you're in a flat network.

2) While the scanner is running, perform some quick mass-information gathering tasks, e.g.:
- CIFS enum (http://0xdeadbeef.info/code/samba-hax0r).
- SNMP enum (http://www.phreedom.org/solar/onesixtyone/).
- SMTP/FINGER/etc. enum (http://0xdeadbeef.info/code/brutus.pl) on UNIX hosts.
- other services with known information leaks, such as LDAP.
- as you said, sniffing can be very helpful too, even though I personally prefer active attacks ;)

3) Launch some password guessing and "gentle" bruteforce attacks:
- on Local and Domain users on Windows boxen, after verifying the account locking policy in use (try enum.exe): the aforementioned samba-hax0r script is pretty good for this task too.
- on UNIX hosts (hydra, medusa, the aforementioned brutus.pl).
- on network equipment (also, exploit rw SNMP communities you found during step 2 above).

4) Scan for your favorite subset of services with known vulnerabilities:
- HINT#1: even if proper update procedures are in place (which is seldom the case anyway), third-party software will often be outdated and potentially vulnerable.
- HINT#2: databases are usually a great entry point to OS command execution (not to mention the sensitive information they often contain ;).

Based on what you've found so far, and with the help of the Customer if possible, select a sample of hosts as a subset of the scope and use it as the target: depending on the network size and architecture, you should still have plenty of time for an in-depth pen-test on the newly defined target sample. If you're not alone, distribute the workload among Red Team members.
Yeah, you don't even need exploits to perform a thorough pen-test. On this subject, see also hdm's remarkable work at:
http://www.metasploit.com/confs/blackhat2007/tactical_paper.pdf
http://www.metasploit.com/confs/blackhat2007/tactical_blackhat2007.pdf

Ciao,

--
Marco Ivaldi, OPST
Red Team Coordinator
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/
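The whole-network portscan recommended in step 1 above is also the activity a defender most wants to catch early. As an added example (not part of this thread, and unrelated to any tool linked in it), the following script flags a source address that contacts many distinct hosts within a short window, running over a constructed firewall-style connection log; the log format and the two thresholds are assumptions.

```python
"""Flag sources that contact many distinct hosts in a short window,
the signature of a fast network-wide sweep. Log format (constructed for
this example): "<epoch_seconds> <src_ip> <dst_ip> <dst_port>" per line."""
from collections import defaultdict, deque

# Thresholds are assumptions: tune them to the network's normal fan-out.
WINDOW_SECONDS = 60
DISTINCT_HOSTS = 20

# Constructed sample: one source sweeping 10.0.1.0/24 on tcp/445,
# plus a workstation talking to three internal web servers.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 192.0.2.10 10.0.1.{i} 445" for i in range(30)]
    + [f"{1000 + i * 7} 10.0.1.5 10.0.1.{50 + (i % 3)} 80" for i in range(30)]
)


def parse_line(line):
    """Split one log record into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_sweeps(log_text, window=WINDOW_SECONDS, threshold=DISTINCT_HOSTS):
    """Return {src: (window_start_ts, distinct_host_count)} for every source
    whose distinct destination hosts inside a sliding time window reach the
    threshold. Only the first qualifying window per source is reported."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst), time-ordered
    alerts = {}
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, src, dst, _ in events:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop records outside the window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(hosts))
    return alerts


if __name__ == "__main__":
    for src, (start, count) in detect_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {count} hosts within {WINDOW_SECONDS}s starting at {start}")
```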