Penetration Testing mailing list archives

Re: [PEN-TEST] First step of a pen-test


From: H Carvey <keydet89 () YAHOO COM>
Date: Wed, 20 Sep 2000 10:11:39 -0000

> What is the industry norm for _beginning_ a
> pen-test after the contract has been made?

As others have said, it depends upon the scope of 
the work.  I prefer an internal (in-house) 
assessment, as it uncovers much more than a pen 
test.  

However, if the pen-test is what's called for, you 
need to develop a footprint of the system you're 
dealing with.  Keep in mind...there really is no 
such thing as an "industry norm".  Certain 
factors come into play, such as the scope of the 
contract (very important!!), what info you're 
given, etc.

Generally, the way I like to start my footprinting 
is with a multi-phase approach.  In the first 
phase, collect info from sources other than the 
target itself...Mark mentioned WHOIS and SEC/EDGAR 
searches.  This is a good way to get things like 
names, email addresses, phone numbers, addresses 
(some of which can be useful if social engineering 
is called for).  If you have access to a 
Lexis/Nexis account, you can find a lot out about 
the company, as well.

Search media sources for names of key individuals, 
and references to what the target's business 
is...what they do.

Do searches of public online databases...DogPile, 
Deja, etc.  If you have a domain name 
("example.com"), look for Usenet entries or even 
Web pages that contain "@example.com" or even any 
of the email addresses you've already collected.  
A good example is that the biotech industry has a 
web site based in the UK for trading company 
gossip back and forth.  Many posts contain valid 
email addresses.

Another example is that on 11 Nov '98, a telecom 
company had a huge rollout...big full page ads in 
the papers as well as major space in Times Square 
and the subways of NY.  That day, someone posted 
on a telecom newsgroup asking what the company 
was up to...the responses that followed contained 
detailed info, such as domain zone transfers, 
identification of multiple ISPs servicing the 
organization...all very useful to an attacker.  
Later searches also revealed that the person 
maintaining an online billing system was having 
trouble, and posted (from his company account) a 
complete description of the entire billing 
platform...machines, how many, what OSes and 
applications, etc.

The point is that you can find a lot out about an 
organization without ever sending a packet 
anywhere near their systems.

Once you develop a profile in accordance with the 
contract (based on provided info, time, etc) you 
may then decide to move on toward active probing 
of the network.  Start small/slow...use nmap to 
perform stealth scans of only limited ranges of 
ports.  Attempt to identify systems by function, 
or some other criteria.  Once you have an idea of 
what types of machines you're dealing with, focus 
your attempts to gain access based on the system.  

Too many times you'll see someone just identify a 
range of IP addresses and plug them into ISS w/ a 
full profile.  Not elegant at all...very noisy...

Once you identify systems, you're well on your 
way...

Just my $0.02...

carv
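The "small/slow" probing the post recommends over plugging a whole range into a scanner looks very different from the defender's side of the firewall. As an added example, not part of the original post, the following Python classifier groups denied connections by source address and labels each source as noisy, slow, or benign. The log format, thresholds, and sample addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (assumed, not from the post): one denied TCP connection per line,
# "<ISO timestamp> DENY TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def _event(ts, src, dport, sport):
    return f"{ts} DENY TCP {src}:{sport} -> 192.0.2.10:{dport}"

# Constructed sample: 203.0.113.5 hits twelve ports in eleven seconds (the noisy
# "plug a range into a scanner" pattern), 198.51.100.7 probes four ports spread over
# three hours (low and slow), and 192.0.2.77 is a client retrying a single port.
NOISY = [_event(f"2000-09-20T10:00:{i:02d}", "203.0.113.5", p, 40000 + i)
         for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443])]
SLOW = [_event(f"2000-09-20T{10 + i}:00:00", "198.51.100.7", p, 41000 + i)
        for i, p in enumerate([22, 80, 443, 8080])]
BENIGN = [_event(f"2000-09-20T10:30:{i:02d}", "192.0.2.77", 443, 42000 + i) for i in range(5)]
SAMPLE_LOG = "\n".join(NOISY + SLOW + BENIGN)

def classify_sources(log_text, noisy_ports=8, noisy_window_s=60, slow_ports=4):
    """Label each source: 'noisy' (>= noisy_ports distinct ports inside one
    noisy_window_s-second window), 'slow' (>= slow_ports ports overall), else 'benign'."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines in another format instead of aborting
        by_src[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    verdicts = {}
    for src, events in by_src.items():
        events.sort()
        # largest number of distinct ports seen inside any single window
        burst = max(len({p for t, p in events
                         if 0 <= (t - t0).total_seconds() <= noisy_window_s})
                    for t0, _ in events)
        if burst >= noisy_ports:
            verdicts[src] = "noisy"
        elif len({p for _, p in events}) >= slow_ports:
            verdicts[src] = "slow"
        else:
            verdicts[src] = "benign"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:<14} {verdict}")
```

The slow source only stands out because distinct ports are counted over the whole retention period, not per burst; a detector that resets per minute never sees it.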

