Penetration Testing mailing list archives
RE: Penetration test of 1 IP address
From: "Levenglick, Jeff" <JLevenglick () fhlbatl com>
Date: Thu, 9 Feb 2006 12:39:35 -0500
" On Wed, 2005-01-05 at 20:46 -0500, Edmond Chow wrote:
Hello all,

My name is Ed and I run a technology consulting company. I have begun offering computer security audits to my clients and, as I am not experienced in hacking, have been subcontracting this work out.

The written reports that I have received back from the hackers leave much to be desired! Not knowing too much about intrusion detection but realizing that when almost nothing is found wrong (from a security viewpoint) with a client's network, I am in big trouble! Either the hacker does not have the experience to find any problems or there really are not any problems.

On my first few audit assignments, I was barely able to break even as I had to hire two independent hackers for each i.e., a second hacker had to be hired to give me an independent assessment of the network. I then cut and pasted the two reports into a final "acceptable" one.

I am at a crossroads where I can either give up on the security audits or learn to do them myself. I have chosen the latter and was hoping to get some help from experts like you. I realize that I will have a steep hill to climb but I feel confident that I can learn enough to be much more proficient than the hackers that I am currently paying."
1) Since your post to lists.virus.org, have you taken any classes?

2) Everybody hates to pay someone money to do the work, but you can't take years of experience and think you can do it yourself overnight.

I do not think you understand all of the 'parts' of this project. First you stated that you wanted to pen test one IP. Now you're saying that they want to make sure the application is secure.

Ok.. (simple list)

Is the OS patched and secure? (tons of tools to use)
Is IIS patched and secure? (again, tons of tools)
Is the network secure? (sniffing tools)
Is the firewall secure? (ditto)
A quick Google on the app shows that it is integrated with AD/NT security. Is that set up correctly? (i.e.: are passwords long and random.. etc.)
Are there known bugs in the app?
It uses a database. MS SQL? Is that secure... etc.. Oracle.. Is that secure?... etc....
SQL injection....

You get the point?

In a very nice way, I think you need to step back and look at the whole picture. Getting bits of information from list groups is not going to solve your problem. If you need to make sure the app is secure, then you will need tools that can test the app, the box, the OS, the network, the firewall, the database.

-----Original Message-----
From: Edmond Chow [mailto:echow () videotron ca]
Sent: Thursday, February 09, 2006 08:09 AM
To: 'Daniel Grzelak'; pen-test () securityfocus com
Cc: 'Michael Gargiullo'
Subject: RE: Penetration test of 1 IP address

Hello Daniel,

Thanks to you and all the other helpful (yes, there were a few less than helpful!) posters.

You are right in that this is a "capture the flag" project. It's a law firm that wants to make sure that the WebBlaze application is secure before putting it into production.

The login screen is a typical Windows logon screen with user name and password prompt. It does not look like the login screen found on the webblaze web site.

Thanks again!
Regards,
Edmond

-----Original Message-----
From: Daniel Grzelak [mailto:daniel.grzelak () sift com au]
Sent: Wednesday, February 08, 2006 10:54 PM
To: pen-test () securityfocus com
Cc: 'Edmond Chow'; 'Michael Gargiullo'
Subject: RE: Penetration test of 1 IP address

Hi Edmond,

I'm sure there will be a vast and many responses to your question with regards to carrying out the actual testing phase of the engagement so I will concentrate on something else. I am making a very big assumption based on your wording but I believe the major issue you have with this engagement centres around scoping. I apologise if I unnecessarily trivialise your original post.

"I have been asked to perform a security audit of 1 IP address for client."

This statement sounds like a misunderstanding waiting to happen. In general a security audit is considered a review of a system with all relevant information provided. For instance, system configuration, file system access control list, user lists etc. It will also tend to relate to a system rather than an IP.

From what I gather, you are being asked to conduct a blind penetration test of a single IP. As such you are being provided very little information and probably being asked to "capture the flag". This can be a very delicate point. Make sure you know the limitations of the testing you have been asked to perform. Is it just a vulnerability assessment, or are you tasked with taking full control of the system? There are of course legal issues which have been addressed previously on this list and various sources on the web.

Since you have been provided a clue of webblaze, that may indicate that only that particular application is to be tested. If so, it is important to agree on what constitutes such testing. Is this really a system penetration test or an application penetration test? The two can differ greatly in the amount of assurance you can provide the client on a particular component.
Finally, blind testing is not always the most effective way to go. Given a narrow scope and access to only a login page, the client may not gain much from your testing. Perhaps you should agree that upon completion of the blind testing, the client will provide a number of logins of varying access levels to allow you to perform a more in-depth analysis.

I know this doesn't directly address your question, but hopefully it will help in the preparations you need to make prior to executing an engagement.

Daniel.

-----Original Message-----
From: Edmond Chow [mailto:echow () videotron ca]
Sent: Wednesday, 8 February 2006 5:45 PM
To: 'Michael Gargiullo'; pen-test () securityfocus com
Cc: 'Edmond Chow'
Subject: RE: Penetration test of 1 IP address

To all:

I have been asked to perform a security audit of 1 IP address for client. They have given me the 1 IP address and a clue (webblaze). If I enter the IP address and then /webblaze, I am taken to a login page (user name and password requested).

What tools would you recommend that I use for this assignment?

Thanks for your help.

Regards,
Edmond