Re: Optimizing time in a pen-test

From: puppe@hisolutions.com
Date: Fri Feb 15 2008 - 05:42:31 EST


Salve,

If you really have to do such an assignment (which I would try to talk the customer out of, as he cannot expect quality results in so short a time).

But, this said, my steps would be:

1. Sniff a bit to check for: AD, Routers
1.a start a trace test to see which internal networks are routed
1.b get a means to find the SAP/ERP/Treasure Trove (shoulder surfing, sniffing, redirecting single workstations, browse the local intranet website, dns axfr or brute force)
2. Establish the networking range with the treasure trove systems
3. scan, attack, take over all you can in this part of the net
4. go for the windows infrastructure, start in the vicinity of the AD
5. see if the routers have a common numbering scheme, try to scan and attack all routers

Keeps you busy for the two days and should result in impressive findings, as the treasure trove can be expected to be unpatched, the routers hopefully have old images, and for the AD you need some luck, but the access token cache and MS0x-0XX will guide you to the domain admin lair ;)

--
Kind regards
 
Christoph Puppe
Security Consultant
 
We secure your business.(TM)
_______________________________________________________
 
HiSolutions AG     Phone:    +49 30 533289-0
Bouchéstrasse 12   Fax:      +49 30 533289-99
D-12435 Berlin     Internet: http://www.hisolutions.com
_______________________________________________________
 
Minimum information required in business e-mail under §37a HGB:
 
Registered office:
Berlin
 
Commercial register:
Amtsgericht Berlin Charlottenburg - HRB 80155
 
Management Board:
Torsten Heinrich, Timo Kob, Michael Langhoff
 
Chairman of the supervisory board:
Prof. Dr. Klaus Müller
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
> Behalf Of Pen Testing
> Sent: Wednesday, 13 February 2008 21:37
> To: pen-test@securityfocus.com
> Subject: Optimizing time in a pen-test
> 
> Hello pen-testers,
> 
> I need advice on how to economize time in a pen-test. For instance, let's
> imagine the following (exaggerated) scenario where you've got only 1-2
> days to perform black-box testing over a very large enterprise subnet.
> You don't have time to perform a general scan with
> Nessus/nmap/whatever (think of a class-B network or some other huge
> subnet; impossible to scan in one day, and moreover you'd have to add
> more time to review/check scanning results... so it's prohibitive).
> 
> The question is: Which attacks/tools/options would you use and in which
> order? Obviously you should only launch attacks where you'd expect
> results in a brief time and/or you could launch several of them in
> parallel (let's suppose you have only one laptop).
> 
> Some thoughts:
> - I could only think of some very focused scanning (for instance, let's
> look for machines with the VNC port open and then try to exploit the
> known authentication-bypass bug).
> - Scripting is essential (you should try to reduce manual probes). Do you
> have some of these scripts you wanted to share?
> - It's very important to focus on the kind of attacks easier to launch
> and more productive (at the same time). For instance, sniffing.
> - Any recent vulnerability has a bigger chance to exist in the
> enterprise. Do you have/use some scanning to test only some of these?
> Which of them?
> - Is it productive trying to exploit a buffer overflow? (where success
> depends on many factors: program version, OS version/language, etc).
> 
> I'm expecting answers such as:
> 
> "What I'd do is:
> 1.- Launch Cain and start sniffing. Let it work in the background and pass
> to step 2.
> 2.- Launch an arp-scan (it's fast and easy). Try to imagine systems based
> on vendor's MAC.
> 3.- Monitor Cain's output. Manually test saved usernames/passwords.
> 4.- Look for the domain controller using xxxx tool. Launch "enum" to
> enumerate users. Launch yyyyy tool for a simple brute-force looking only
> for: blank password and password equal to user.
> 
> ... etc
> 
> You're the experienced pen-testers and you, better than anybody, know which
> attacks you always use with the best success/speed/effort ratio.
> I'd like to hear your ideas. I think this could be an interesting
> thread. Please, contribute! :)
> 
> Thank you.
> 
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
> 
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
> 
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
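The reason the two-day plan above leans on DNS for step 1.b (a zone transfer, failing that a name brute force) is that these lookups are cheap and rarely watched. The corresponding defender-side check is to restrict zone transfers to the real secondaries and to alert on attempts and on name sweeps. The script below is an added example and is not code from either e-mail or from HiSolutions; it assumes a simplified BIND-style query-log line shape (the real `named` querylog format varies by version, so the regex is an assumption to adapt), and the log lines, the zone `corp.example`, the addresses and the thresholds are all constructed for the demonstration.

```python
"""Flag zone-transfer attempts and subdomain sweeps in BIND-style query logs."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Query = namedtuple("Query", "ts ip name qtype")

# Assumed, simplified querylog line shape (real BIND output differs by version):
#   "<dd-Mon-yyyy HH:MM:SS.mmm> client <ip>#<port>: query: <name> IN <type> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log: one legitimate transfer by the secondary 10.0.0.2,
# a transfer attempt plus a name sweep from workstation 10.0.1.77, and some noise.
SAMPLE_LOG = [
    "15-Feb-2008 09:00:01.000 client 10.0.1.20#53100: query: corp.example IN A +",
    "15-Feb-2008 09:00:02.000 client 10.0.0.2#53101: query: corp.example IN AXFR +T",
    "15-Feb-2008 09:00:05.000 client 10.0.1.77#40001: query: corp.example IN AXFR +T",
    "15-Feb-2008 09:00:05.100 client 10.0.1.77#40002: query: corp.example IN IXFR +T",
    "15-Feb-2008 09:00:30.000 client 10.0.1.20#53102: query: mail.corp.example IN MX +",
    "this line is not a query log entry and is skipped",
] + [
    # constructed brute-force sweep: 30 distinct names in about three seconds
    f"15-Feb-2008 09:00:{10 + i // 10:02d}.{(i % 10) * 100:03d} "
    f"client 10.0.1.77#{41000 + i}: query: host{i}.corp.example IN A +"
    for i in range(30)
]


def parse_querylog(lines):
    """Parse log lines into Query tuples; lines that do not match are skipped."""
    queries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        name = m.group("name").lower().rstrip(".")
        queries.append(Query(ts, m.group("ip"), name, m.group("qtype")))
    return queries


def find_zone_transfer_attempts(queries, allowed_secondaries):
    """Return AXFR/IXFR requests from clients that are not authorised secondaries."""
    return [q for q in queries
            if q.qtype in ("AXFR", "IXFR") and q.ip not in allowed_secondaries]


def find_enumeration(queries, zone, threshold=20, window=timedelta(seconds=60)):
    """Map client -> peak number of distinct names under `zone` seen inside one
    window, keeping only clients that reach `threshold` (a name sweep)."""
    suffix = "." + zone.lower().rstrip(".")
    per_client = defaultdict(list)
    for q in queries:
        if q.name.endswith(suffix):
            per_client[q.ip].append(q)
    flagged = {}
    for ip, qs in per_client.items():
        qs.sort(key=lambda q: q.ts)
        best = 0
        for i, start in enumerate(qs):
            names = {q.name for q in qs[i:] if q.ts - start.ts <= window}
            best = max(best, len(names))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def report(lines, zone, allowed_secondaries):
    """Summarise both findings for a log; returned as a dict so callers can check it."""
    queries = parse_querylog(lines)
    return {
        "queries": len(queries),
        "zone_transfer_attempts": [
            (q.ip, q.qtype, q.name)
            for q in find_zone_transfer_attempts(queries, allowed_secondaries)
        ],
        "enumeration": find_enumeration(queries, zone),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, "corp.example", {"10.0.0.2"}).items():
        print(f"{key}: {value}")
```

Both checks are only meaningful once `allow-transfer` on the authoritative server is already limited to the listed secondaries; the detection then tells you who still tries. The sweep threshold is a knob, not a fact: a recursive resolver in front of the authoritative server collapses all workstations into one client address and will need a much higher value or per-source data from the resolver itself.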


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:24 EDT