Penetration Testing mailing list archives
RE: Optimizing time in a pen-test
From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Fri, 15 Feb 2008 08:23:28 -0500
If you want the maximum coverage in the shortest amount of time, you're going to need to just hammer away with some automated tool. Your parameters really don't make too much sense but, in the scenario you just described, I'd run CORE Impact. It looks for a ton of stuff and it can automatically install agents which can give you command-line access. Since you only have one laptop, I'd make sure that laptop has as much memory and CPU power as you can get. That will increase the number of simultaneous threads you can have running. I wouldn't waste my time on "the attacks that always work" - they never work ;) One site will have vulnerable VNC installations, another will be missing some obscure patch. Each site is just so different.

While the "big scan" is running, you might want to run some password guessing attacks on services that you find. I also like your idea of running Cain in the background, just sniffing traffic that gets thrown your way... who knows, you very well may find something interesting that way.

I think the best way to optimize time is to walk in with three laptops, but that option is off the table. Normally, my goal is to assist the internal IT staff in finding things that they missed, so walking in with three boxes really works pretty well. I also generally talk with the IT people a good bit to understand the network because, the more I understand about their network, the more helpful I can be in helping them find the issues. I even ask if they have things that they suspect are issues - sometimes, they suspect that some process is insecure but they can't prove it and they can't get management support to fix it... maybe I can work with them to help on that front. Sometimes, they have auditors or somebody who insists that it be totally "black box" - that's rather unfortunate; if the goal is security, why not go in and do testing with some knowledge?
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Pen Testing
Sent: Wednesday, February 13, 2008 3:37 PM
To: pen-test () securityfocus com
Subject: Optimizing time in a pen-test

Hello pen-testers,

I need advice on how to economize time in a pen-test. For instance, let's imagine the following (exaggerated) scenario where you've got only 1-2 days to perform black-box testing over a very large enterprise subnet. You don't have time to perform a general scan with Nessus/nmap/whatever (think of a class-B network or some other huge subnet; impossible to scan in one day, and moreover you'd have to add more time to review/check scanning results... so it's prohibitive).

The question is: which attacks/tools/options would you use and in which order? Obviously you should only launch attacks where you'd expect results in a brief time and/or you could launch several of them in parallel (let's suppose you have only one laptop).

Some thoughts:
- I could only think of some very focused scanning (for instance, let's look for machines with an open VNC port and then try to exploit the known authentication-bypass bug).
- Scripting is essential (you should try to reduce manual probes). Do you have some of these scripts you'd want to share?
- It's very important to focus on the kinds of attacks that are easier to launch and more productive (at the same time). For instance, sniffing.
- Any recent vulnerability has a bigger chance to exist in the enterprise. Do you have/use some scanning to test only some of these? Which of them?
- Is it productive trying to exploit a buffer overflow? (where success depends on many factors: program version, OS version/language, etc.)

I'm expecting answers such as: "What I'd do is:
1.- Launch Cain and start sniffing. Let it work in the background and pass to step 2.
2.- Launch an arp-scan (it's fast and easy). Try to imagine systems based on the vendor's MAC.
3.- Monitor Cain's output. Manually test saved user/passwords.
4.- Look for the domain controller using xxxx tool. Launch "enum" to enumerate users. Launch yyyyy tool for a simple brute-force looking only for: blank password and password equal to user.
... etc"

You're the experienced pen-testers and you, better than anybody, know which are the attacks you always use with the best success/speed/effort ratio. I'd like to hear your ideas. I think this could be an interesting thread. Please, contribute! :)

Thank you.

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
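The focused scan the original poster describes (one port across a huge subnet, then a short list of VNC hosts to follow up on by hand) is easy to script so it runs while the "big scan" or the sniffer is busy. The following is an added example written for this archive page, not code from either poster: it connects to a single port on every target with a bounded number of simultaneous connections, reads the first 12 bytes (an RFB server announces its version as "RFB xxx.yyy\n", which is exactly 12 bytes), and keeps only hosts that accepted the connection. The port number, the concurrency bound, the timeout and the loopback "VNC", "mute" and "closed" listeners used by `run_demo()` are all assumptions constructed for the example; against a real /16 you would call `sweep(expand("10.0.0.0/16"))`.

```python
"""Focused single-port sweep with bounded concurrency (added example).

Instead of a full Nessus/nmap pass over a class B, connect to one port on
every host, read whatever the service volunteers, and move on. Hosts that
speak RFB are VNC and go on the short list; everything else is dropped.
"""
import asyncio
import ipaddress

VNC_PORT = 5900        # assumption: default RFB display :0; add 5901+ for other displays
RFB_VERSION_LEN = 12   # "RFB 003.008\n" is exactly 12 bytes


def expand(cidr, port=VNC_PORT):
    """Turn a CIDR into (host, port) targets; a /16 yields 65534 of them."""
    return [(str(ip), port) for ip in ipaddress.ip_network(cidr).hosts()]


async def probe(host, port, timeout, sem):
    """Connect, read up to RFB_VERSION_LEN bytes, close.

    Returns (host, port, None) when the port is closed/filtered, b"" when the
    service accepted the connection but hung up without talking, else the bytes.
    """
    async with sem:                      # bound simultaneous connections
        try:
            reader, writer = await asyncio.wait_for(
                asyncio.open_connection(host, port), timeout)
        except (OSError, asyncio.TimeoutError):
            return host, port, None
        banner = b""
        try:
            while len(banner) < RFB_VERSION_LEN:
                chunk = await asyncio.wait_for(
                    reader.read(RFB_VERSION_LEN - len(banner)), timeout)
                if not chunk:            # EOF: server closed without (more) data
                    break
                banner += chunk
        except (OSError, asyncio.TimeoutError):
            pass                         # keep whatever arrived before the error
        finally:
            writer.close()
        return host, port, banner


async def sweep(targets, concurrency=512, timeout=1.0):
    """Probe every (host, port); return only those that accepted a TCP connection."""
    sem = asyncio.Semaphore(concurrency)
    results = await asyncio.gather(*(probe(h, p, timeout, sem) for h, p in targets))
    return {(h, p): b for h, p, b in results if b is not None}


def classify(banner):
    """Label a grabbed banner: RFB servers send 'RFB xxx.yyy\\n' before anything else."""
    if banner.startswith(b"RFB ") and len(banner) >= RFB_VERSION_LEN:
        return "vnc:" + banner[4:11].decode("ascii", "replace")
    return "open, non-RFB"


async def _demo():
    """Constructed loopback targets: a fake VNC, a port that accepts and hangs up,
    and a port that has just been released (so it refuses connections)."""
    async def rfb(reader, writer):
        writer.write(b"RFB 003.008\n")
        await writer.drain()
        writer.close()

    async def mute(reader, writer):
        writer.close()

    vnc = await asyncio.start_server(rfb, "127.0.0.1", 0)
    quiet = await asyncio.start_server(mute, "127.0.0.1", 0)
    gone = await asyncio.start_server(mute, "127.0.0.1", 0)
    ports = {"vnc": vnc.sockets[0].getsockname()[1],
             "mute": quiet.sockets[0].getsockname()[1],
             "closed": gone.sockets[0].getsockname()[1]}
    gone.close()                         # listening socket closed: connections now refused

    found = await sweep([("127.0.0.1", p) for p in ports.values()],
                        concurrency=64, timeout=2.0)
    vnc.close()
    quiet.close()
    return {name: (classify(found[("127.0.0.1", p)]) if ("127.0.0.1", p) in found else None)
            for name, p in ports.items()}


def run_demo():
    """Run the loopback demo; returns {"vnc": "vnc:003.008", "mute": "open, non-RFB", "closed": None}."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name:7} -> {label}")
```

The semaphore is what turns the poster's "as much memory and CPU as you can get" into a tunable: raise `concurrency` until the laptop's file-descriptor limit or the upstream switch starts dropping SYNs, and lower `timeout` on a LAN where a host that has not answered in a second is not going to. Reading a fixed 12 bytes rather than "until newline" means a non-RFB service that never sends a line still costs at most one timeout.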
Current thread:
- Optimizing time in a pen-test Pen Testing (Feb 14)
- AW: Optimizing time in a pen-test puppe (Feb 15)
- Re: Optimizing time in a pen-test Marco Ivaldi (Feb 15)
- RE: Optimizing time in a pen-test Shenk, Jerry A (Feb 15)