Security Basics mailing list archives

Re: Pen-Testing New Server - Where to start?


From: krymson () gmail com
Date: 16 Nov 2007 16:07:08 -0000

Pen-testing a new system can be difficult, especially if there really are few holes in the system as configured.

I've found it best, for early teaching/learning, to make sure you've built the system with known holes in it. Grab an 
unpatched Windows XP SP1 box, and attempt to leverage exploits against it (such as Metasploit).

Better yet, get a vulnerable system or application from somewhere else. These will have known issues in them, but you 
won't inherently know them because you didn't build the systems. This should get your feet wet enough to be able to 
more intelligently tackle something "newer," like Ubuntu 6.06+.

www.de-ice.net has several live CD builds with known vulnerabilities. You'll have to sign up to download them, but I 
think this is an excellent service.

DVL (www.damnvulnerablelinux.org) is also a purposefully vulnerable Linux distro with various holes in it.

Foundstone Hacme (http://www.foundstone.com/us/resources-free-tools.asp) series is a bit more geared towards 
applications, but can be useful. 



<- snip ->
Hi, I'm new to the InfoSec industry and would like to try my hand at 
penetration-testing (and securing) a new server I've set up at home.

Seeing as I've set up the system, I know all the usernames/passwords 
used on the box, as well as how everything is set up, but I'd like to 
approach this as an outside user, pretending that I have none of this 
information. I want to try to gather information, form an attack plan, 
and attempt to crack the system from scratch, so that I can later on go 
back and secure the system against those attacks.

