Penetration Testing mailing list archives
RE: Auditing / Logging
From: "Rob Shein" <shoten () starpower net>
Date: Mon, 19 Jan 2004 18:48:08 -0500
True, but the question was one of keylogging; as a keylogger it is the most reliable and trouble-free solution. I wouldn't rely upon it for the entire logging solution, but it will store the exact commands given in the course of the test, complete with any options provided.
-----Original Message-----
From: Steve Armstrong [mailto:steve () logicallysecure org]
Sent: Monday, January 19, 2004 5:50 PM
To: 'Rob Shein'
Cc: security-basics () securityfocus com; pen-test () securityfocus com
Subject: RE: Auditing / Logging

Rob

Having used Keykatcher, I must advise you that it has one (excuse the pun) key limitation - it only replays the keystrokes. By this I mean it re-enters the keystrokes to an output computer and thus the use of cursor keys will move the live cursor round the screen. This results in an output that is not always replayable, understandable and certainly rarely usable as evidence as to in what order commands were issued. In my experience to glean any useful information, the output must be watched in case critical output is overwritten/overtyped by the roving cursor.

Hope this helps.

Steve A

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: 17 January 2004 01:01
To: 'Don Parker'; 'R. DuFresne'
Cc: 'n30'; security-basics () securityfocus com; pen-test () securityfocus com
Subject: RE: Auditing / Logging

If you want the function of a keylogger without having to worry about software/OS compatibility, simply use a Key Katcher (www.keykatcher.com) between your keyboard and computer. Just be sure to sed out any password/login combinations to your own stuff that you use. Oh, one thing; I don't think it'll work on Sun hardware.

-----Original Message-----
From: Don Parker [mailto:dparker () rigelksecurity com]
Sent: Monday, January 12, 2004 6:18 PM
To: R. DuFresne; Don Parker
Cc: n30; security-basics () securityfocus com; pen-test () securityfocus com
Subject: Re: Auditing / Logging

Well, you raise a valid point as to the commands not being logged. Again I would prefer simplicity, so just install a keylogger. There is no need to overcomplicate things. Though a keylogger will not work on most *nix systems to my knowledge.

Though all of this should be negotiated with the client prior to the pen test being done, ie: what kinds of logs will be retained and the such. This is one thing which should be spelt out clearly prior to any pen test actually taking place.

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph:613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 12, "R. DuFresne" <dufresne () sysinfo com> wrote:

On Mon, 12 Jan 2004, Don Parker wrote:

The simplest solution would be to simply log all activity using tcpdump in binary format. This decreases the file size, is faster, and allows you to manipulate it after. You can also input this binary log into any protocol analyzer afterwards as well ie: ethereal, etherpeek nx and the such. Doing the above also gives you and your client a copy of exactly what it is you have done during your pen test should there be any questions/complaints.

Which is great on the data being obtained, yet fails to retain the nature of the exact command that retrieved the data, so make sure one either tee's all commands to a file <date stamps can help here> or one runs script or something. This helps if one has data results that are similar and they need to know which command applies to which data, as well as make it possible to dupe scenarios.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
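The command logging discussed in the thread above (tee every command to a file with date stamps, and strip your own credentials from the record), as an added shell sketch that is not from any poster in the thread. The names `logrun`, `redact` and `AUDIT_DIR`, and the list of credential options, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: timestamped command audit trail for a test engagement.
# AUDIT_DIR, logrun and redact are hypothetical names chosen for this sketch.
AUDIT_DIR="${AUDIT_DIR:-./pentest-audit}"

# Mask the value that follows common credential options before it is logged.
# The option list is an assumption; extend it for the tools actually in use.
redact() {
    sed -E 's/(--?(password|passwd|pass|token)[= ])[^ ]+/\1[REDACTED]/g'
}

# logrun CMD [ARGS...]
# Runs CMD, tees its combined output to a numbered file, and appends
# "UTC timestamp | sequence | exit status | command" to commands.log,
# so each block of results can be tied back to the command that produced it.
logrun() {
    mkdir -p "$AUDIT_DIR" || return 1
    n=$(( $(cat "$AUDIT_DIR/.seq" 2>/dev/null || echo 0) + 1 ))
    echo "$n" > "$AUDIT_DIR/.seq"
    out="$AUDIT_DIR/$(printf '%04d' "$n").out"
    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # The exit status is written to a file inside the pipeline because a
    # plain "cmd | tee" would report tee's status instead of the command's.
    { rc=0; "$@" 2>&1 || rc=$?; echo "$rc" > "$AUDIT_DIR/.rc"; } | tee "$out"
    rc=$(cat "$AUDIT_DIR/.rc")

    # Arguments are joined with spaces for the log; original quoting is lost.
    cmd=$(printf '%s ' "$@" | redact)
    cmd=${cmd% }
    printf '%s | %04d | rc=%s | %s\n' "$start" "$n" "$rc" "$cmd" \
        >> "$AUDIT_DIR/commands.log"
    return "$rc"
}

# Usage: logrun <command> [args...]
# Only the command line is redacted; the .out files hold raw tool output.
```

Because the timestamps are UTC, entries in `commands.log` can be lined up against packet times in a capture written with `tcpdump -w`, which addresses the "which command applies to which data" problem raised in the thread.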
Current thread:
- Auditing / Logging n30 (Jan 12)
- Re: Auditing / Logging Peter Hsu (Jan 12)
- <Possible follow-ups>
- Re: Auditing / Logging Don Parker (Jan 12)
- Re: Auditing / Logging R. DuFresne (Jan 12)
- Re: Auditing / Logging Don Parker (Jan 12)
- Re: Auditing / Logging Frank Knobbe (Jan 13)
- RE: Auditing / Logging Rob Shein (Jan 18)
- RE: Auditing / Logging Steve Armstrong (Jan 20)
- RE: Auditing / Logging Rob Shein (Jan 20)
- Re: Auditing / Logging Travis Schack (Jan 12)
- Re: Auditing / Logging Steve Shah (Jan 13)
- Re: Auditing / Logging cdowns (Jan 13)
- Re: Auditing / Logging Steve Shah (Jan 13)
- Re: Auditing / Logging Don Parker (Jan 13)
- Re: Auditing / Logging Steve Shah (Jan 13)
- Re: Auditing / Logging Don Parker (Jan 13)
- Re: Auditing / Logging Steve Shah (Jan 14)