Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Auditing / Logging

From: "Rob Shein" <shoten () starpower net>
Date: Mon, 19 Jan 2004 18:48:08 -0500
True, but the question was one of keylogging; as a keylogger it is the most
reliable and trouble-free solution.  I wouldn't rely upon it for the entire
logging solution, but it will store the exact commands given in the course
of the test, complete with any options provided.


-----Original Message-----
From: Steve Armstrong [mailto:steve () logicallysecure org] 
Sent: Monday, January 19, 2004 5:50 PM
To: 'Rob Shein'
Cc: security-basics () securityfocus com; pen-test () securityfocus com
Subject: RE: Auditing / Logging


Rob

Having used Keykatcher, I must advise you that it has one (excuse the
pun) key limitation - it only replays the keystrokes.  

By this I mean it re-enters the keystrokes to an output 
computer and thus the use of curser keys will move live the 
curser round the screen. This results in an output that is 
not always replayable, understandable and certainly rarely 
usable as evidence as to in what order commands were issued.  
In my experience to glean any useful information, the output 
must be watched in case critical output is 
overwritten/overtyped by the roving curser.

Hope this helps.

Steve A
 
This email was scanned upon despatch by Norton AntiVirus.


-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: 17 January 2004 01:01
To: 'Don Parker'; 'R. DuFresne'
Cc: 'n30'; security-basics () securityfocus com; 
pen-test () securityfocus com
Subject: RE: Auditing / Logging


If you want the function of a keylogger without having to 
worry about software/OS compatibility, simply use a Key 
Katcher (www.keykatcher.com) between your keyboard and 
computer.  Just be sure to sed out any password/login 
combinations to your own stuff that you use.  Oh, one thing; 
I don't think it'll work on Sun hardware.


-----Original Message-----
From: Don Parker [mailto:dparker () rigelksecurity com]
Sent: Monday, January 12, 2004 6:18 PM
To: R. DuFresne; Don Parker
Cc: n30; security-basics () securityfocus com; 

pen-test () securityfocus com

Subject: Re: Auditing / Logging



Well, you raise a valid point as to the commands not being logged. 
Again I would prefer simplicity, so just install a 

keylogger. There is 

no need to overcomplicate things. Though a keylogger will not work
on most *nix systems to my knowledge. Though all of this should be 
negotiated with the client prior to the pen test being done 

ie: what 

kinds of logs will be retained and the such. This is one 

thing which 

should be spelt out clearly prior to any pen test actually 
taking place.

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc 

www.rigelksecurity.com ph 

:613.249.8340 fax:613.249.8319
--------------------------------------------

On Jan 12, "R. DuFresne" <dufresne () sysinfo com> wrote:

On Mon, 12 Jan 2004, Don Parker wrote:


The simplest solution would be to simply log all activity using 
tcpdump in binary format. This decreases the file size, 

is faster, 

and allows

you to manipulate it after.

You can also input this binary log into any protocol

analyzer afterwards as well ie:

ethereal, etherpeek nx and the such.

Doing the above also gives you and your client a copy of

exactly what

it is you have
done during your pen test should there be any 

questions/complaints.



Which s great on the data being obtained, yyet fails to retain the 
nature of the exact command that retrieved the data, so 

make sure one 

either tee's allcommands to a file <date stamps can help 

here> or one 

runs script or something.
This helps if one has data results that are similiar and they 
need to know which command applies to which data, as well as 
make it possible to dupe scenarios.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        <a
href='http://sysinfo.com&apos;>http://sysinfo.com</a>

"Cutting the space budget really restores my faith in humanity.  It 
eliminates dreams, goals, and ideals and lets us get 

straight to the 

business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


--------------------------------------------------------------
-------------
Ethical Hacking at InfoSec Institute. Mention this ad and 

get $720 off 

any course! All of our class sizes are guaranteed to be 10
students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, 
Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at <a 
href='http://www.infosecinstitute.com/securityfocus&apos;>http://ww
w.infosecinstitute.com/secur
ityfocus</a> to get $720 off 
any course!  
--------------------------------------------------------------
--------------




--------------------------------------------------------------
-------------
--------------------------------------------------------------
--------------





--------------------------------------------------------------
----------
---
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off
any 
course! All of our class sizes are guaranteed to be 10 
students or less.

We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720
off 
any course!  
--------------------------------------------------------------
----------
----







---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: