Security Basics mailing list archives

Re: Newbie Hacker Tools


From: James Eaton-Lee <james.mailing () gmail com>
Date: Mon, 10 Jan 2005 00:34:34 +0000

Not quite sure what other responses you've got on this topic as I
haven't had a chance to read through the whole thread, but for my 2c..

..in my experience (both doing this sort of work and on the receiving
end, managing IT), companies are looking for security auditing because
they don't have the necessary base of experience to carry them out
in-house. The majority of businesses these days (in my experience) are
starting to be more and more on the ball, security-wise, so a security
audit is considerably more complicated than simply checking for
unnecessary services and missing patches (unless their IT is *really*
flagging, in which case they have larger problems).

The usefulness of 'audit in a box' tools *on their own*, therefore, is
limited. Nessus does just this - it scans a given host or set of hosts
based on a database of known misconfigurations and vulnerabilities - but
what you will get out of it is a fairly dumb list of problems which
require further investigation, with a lot of false positives. Running a
Nessus scan is a good start for a security audit, but it doesn't go much
further - a *good* security analyst needs the expertise to analyse the
Nessus output and determine what reaction is appropriate (usually a
combination of investigation followed by patching, reconfiguration, or
ignoring false positives).

Even with a clean bill of health from Nessus (or having successfully
ticked the 'false positive' box for any results it does kick up), there
is a great deal more which is required for a comprehensive security
audit, which should extend to IT policy, physical factors (physical
security on infrastructure resources, machines, network security which
Nessus has no way of assessing, etc), and a few other things. With a
Windows network (which you're presumably going to have a significant
number of clients for), you also have to consider yet more aspects for
which Nessus isn't useful, such as group policy and the layout of Active
Directory. Again, this all depends upon exactly *how* comprehensive you
want to be.

Bearing that in mind, therefore, I think it's important to underline the
need for a penetration tester or security analyst who has configured,
broken through, and administered a significant number of the components
which I've mentioned - and I haven't even mentioned the most basic of
application penetration testing methods which are necessary nowadays
(such as SQL injections and cross-site-scripting problems) or other
similarly recent problems, such as rogue wireless access points.

Although your cause is an admirable one, I think you'd be best served by
trying to understand security in a more holistic way, so that when you
*do* start to approach your own security audits, you can do so with the
confidence in your own abilities and in the knowledge that you're not
missing anything or making any large mistakes.

Companies contract out security audits because they don't have the
necessary expertise or perspective to carry them out themselves - and
they assume that the third party they choose to carry them out has the
necessary expertise and experience not only to do the job properly, but
to make sure that they don't run into severe problems further down the
line as a result of a shoddy job (it's quite possible that if a client
of yours was broken into and they decided it was because you hadn't done
the job properly, you could find yourself on the receiving end of legal
action).

If you're already having problems with 'hackers' you've hired to do
this, you're probably aware of these issues already - it may either be
worth investing in new staff, or finding yourself a strategic partner
who has experience doing this and has more of a reputation than an 'I
used to be a hacker' card.

If you have any queries, feel quite free to ask them on or offlist!
Happy to help as much as I can!

 - James Eaton-Lee.

On Wed, 2005-01-05 at 20:46 -0500, Edmond Chow wrote:
Hello all,

My name is Ed and I run a technology consulting company.  I have begun
offering computer security audits to my clients and, as I am not experienced
in hacking, have been subcontracting this work out.

The written reports that I have received back from the hackers leave much to
be desired!  Not knowing too much about intrusion detection but realizing
that when almost nothing is found wrong (from a security viewpoint) with a
client's network, I am in big trouble!  Either the hacker does not have the
experience to find any problems or there really are not any problems.

On my first few audit assignments, I was barely able to break even as I had
to hire two independent hackers for each, i.e., a second hacker had to be
hired to give me an independent assessment of the network.  I then cut and
pasted the two reports into a final "acceptable" one.

I am at a crossroads where I can either give up on the security audits or
learn to do them myself.  I have chosen the latter and was hoping to get
some help from experts like you.  I realize that I will have a steep hill to
climb but I feel confident that I can learn enough to be much more
proficient than the hackers that I am currently paying.

I'm really confused about what tools I need in my "toolkit" for
Windows-related audits.  I've heard a lot about Nessus as a freeware program
but am confused when I go on the nessus.org site and see that it might not
be free.  Other programs I've heard of include nmap, SAINT, and Newt.

And, perhaps, there are tools out there (either free or not) that would
provide me with an "audit in a box"?  I'm guessing that the pros have a
select few tools of the trade that they use.  You've listed a bunch of tools
on your site as well.  I realize that ethical hacking is an art and that no
two hackers will use exactly the same tools, but I am hoping to learn to use
the tools they most often use.

Thanks for any help that you can shed on this subject.

Regards,

Ed