Penetration Testing mailing list archives
Optimizing time in a pen-test
From: "Pen Testing" <quick.pentesting () gmail com>
Date: Wed, 13 Feb 2008 21:36:56 +0100
Hello pen-testers, I need advice on how to economize time in a pen-test. For instance, let's imagine the following (exagerated) scenario where you've got only 1-2 days to perform a black-box testing over a very large enterprise subnet. You don't have time to perform a general scanning with Nessus/nmap/whatever (think in a class-B network or some other huge subnet; impossible to scan in one day, and moreover you'd have to add more time to review/check scanning results... so it's prohibitive). The question is: Which attacks/tools/options would you use and in which order? Obviously you should only launch attacks where you'd expect results in a brief time and/or you could launch several of them in parallel (let's suppose you have only one laptop). Some thoughts: - I only could think in some very focused scanning (for instance, let's look for machines with open VNC port and then try to exploit the authentication-bypass known bug). - Scripting is essential (you should try to reduce manual probes). Do you have some of these scripts you wanted to share? - It's very important to focus on the kind of attacks easier to launch and more productive (at the same time). For instance, sniffing. - Any recent vulnerability has a bigger chance to exist in the enterprise. Do you have/use some scanning to test only some of these? Which of them? - Is it productive trying to exploit a buffer overflow? (where success depends on many factors: program version, OS version/language, etc). I'm expecting answers such as: "What I'd do is: 1.- Launch Cain and start sniffing. Let it woring in background and pass to step 2. 2.- Launch an arp-scan (it's fast and easy). Try to imagine systems based on vendor's MAC. 3.- Monitorize Cain's output. Manually test saved user/passwords. 4.- Look for the domain controller using xxxx tool. Launch "enum" to enumerate users. Launch yyyyy tool for a simple brute-force looking only for: blank password and password equal to user. ... etc You're the experienced pen-testers and you better than nobody know which are the attacks you always use with the best sucess/speed/effort ratio. I'd like you hear your ideas. I think this could be an interesting thread. Please, contribute! :) Thank you. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Optimizing time in a pen-test Pen Testing (Feb 14)
- AW: Optimizing time in a pen-test puppe (Feb 15)
- Re: Optimizing time in a pen-test Marco Ivaldi (Feb 15)
- RE: Optimizing time in a pen-test Shenk, Jerry A (Feb 15)