Penetration Testing mailing list archives

Re: [PEN-TEST] First step of a pen-test


From: Erik Tayler <nine () 14X NET>
Date: Tue, 19 Sep 2000 11:25:54 -0500

In my experience, the first step of a pen-test is the recon &
enumeration. Personally, I research the company, find out as much
information as I can from their webpages, or from google (employees, recent
acquisitions and the like). For example, if Company ABC recently
acquired Company DEF, they might have improperly assimilated Company
DEF's network architecture into their own, which might be a gateway of
sorts into penetrating Company ABC's systems. Gathering names of
employees and important persons from the web would be a good start for
the social engineering aspect of things. After that I would typically
map the network according to operating system, listening services, et
cetera. If routers/firewalls block the presence, planning of some source
routing attacks would happen. One of the last steps [for me] is banner
grabbing, checking versions of listening services and such, and finally
exploiting known [and sometimes unknown] holes. This process varies from
person to person; whatever makes you comfortable.

Erik Tayler
http://www.14x.net
http://www.digitaloffense.net

"Christopher M. Bergeron" wrote:

What is the industry norm for _beginning_ a pen-test after the contract has been made? Would one first map the network? Try to war-dial the exchange for possible remote (pcanywhere, etc.) access machines? VRFY email addresses to look for user logins? Is it typical to ask for information about the network (i.e. network architecture) beforehand, or do most pen-tests start "blindly" and do the network reconnaissance?

Thanks to anyone who addresses even one of my many questions.
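Erik's remark above about planning source routing attacks when routers or firewalls are in the way points at the matching defence: a border device should drop IPv4 packets carrying the Loose or Strict Source and Record Route options. The following is an added example, not code from either poster, that parses the IPv4 option list and returns a filter verdict; the header fields and the LSRR option bytes are constructed sample data.

```python
import struct

# IPv4 option type codes (RFC 791): Loose Source and Record Route and
# Strict Source and Record Route. Border routers normally drop both.
LSRR, SSRR = 0x83, 0x89
END_OF_OPTIONS, NO_OPERATION = 0x00, 0x01


def parse_ipv4_options(packet: bytes) -> list:
    """Return the (type, data) options in an IPv4 header; ValueError if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, parsed, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == END_OF_OPTIONS:
            break
        if kind == NO_OPERATION:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")
        length = opts[i + 1]
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed


def filter_verdict(packet: bytes) -> str:
    """Border-filter decision: 'drop' if the header carries LSRR/SSRR,
    'malformed' if it cannot be parsed safely, otherwise 'pass'."""
    try:
        kinds = {kind for kind, _ in parse_ipv4_options(packet)}
    except ValueError:
        return "malformed"
    return "drop" if kinds & {LSRR, SSRR} else "pass"


def build_header(options: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (zero checksum, no payload) plus options."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options


# Constructed LSRR option: type, length 7, pointer 4, one hop 192.0.2.1 (documentation range)
LSRR_OPTION = bytes([LSRR, 7, 4, 192, 0, 2, 1])
```

Treating unparseable option lists as a drop, rather than a pass, keeps a truncated or oversized length field from sneaking a source-routed packet through the check.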
