RE: Optimizing time in a pen-test

From: Shenk, Jerry A (jshenk@decommunications.com)
Date: Fri Feb 15 2008 - 08:23:28 EST


If you want the maximum coverage in the shortest amount of time, you're
going to need to just hammer away with some automated tool. Your
parameters really don't make too much sense but, in the scenario you
just described, I'd run CORE Impact. It looks for a ton of stuff and it
can automatically install agents which can give you command-line access.
Since you only have one laptop, I'd make sure that laptop has as much
memory and CPU power as you can get. That will increase the number of
simultaneous threads you can have running.

I wouldn't waste my time on "the attacks that always work" - they never
work;) One site will have vulnerable VNC installations, another will be
missing some obscure patch. Each site is just so different. While the
"big scan" is running, you might want to run some password guessing
attacks on services that you find.

I also like your idea of running Cain in the background, just sniffing
traffic that gets thrown your way...who knows, you very well may find
something interesting that way.

I think the best way to optimize time is to walk in with three laptops
but, that option is off the table. Normally, my goal is to assist the
internal IT staff in finding things that they missed, so walking in with
three boxes really works pretty well.

I also generally talk with the IT people a good bit to understand the
network because, the more I understand about their network, the more
helpful I can be in helping them find the issues. I even ask if they
have things that they suspect are issues - sometimes, they suspect that
some process is insecure but they can't prove it and they can't get
management support to fix it....maybe I can work with them to help on
that front. Sometimes, they have auditors or somebody who insists that
it be totally "black box" - that's rather unfortunate; if the goal is
security, why not go in and do testing with some knowledge?

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Pen Testing
Sent: Wednesday, February 13, 2008 3:37 PM
To: pen-test@securityfocus.com
Subject: Optimizing time in a pen-test

Hello pen-testers,

I need advice on how to economize time in a pen-test. For instance,
let's imagine the following (exaggerated) scenario where you've got only
1-2 days to perform black-box testing over a very large enterprise subnet.
You don't have time to perform a general scanning with
Nessus/nmap/whatever (think in a class-B network or some other huge
subnet; impossible to scan in one day, and moreover you'd have to add
more time to review/check scanning results... so it's prohibitive).

The question is: Which attacks/tools/options would you use and in which
order? Obviously you should only launch attacks where you'd expect
results in a brief time and/or you could launch several of them in
parallel (let's suppose you have only one laptop).

Some thoughts:
- I can only think of some very focused scanning (for instance, let's
look for machines with the VNC port open and then try to exploit the
known authentication-bypass bug).
- Scripting is essential (you should try to reduce manual probes). Do
you have some of these scripts you'd be willing to share?
- It's very important to focus on the kinds of attacks that are both
easier to launch and more productive. For instance, sniffing.
- A recent vulnerability has a bigger chance of being present in the
enterprise. Do you have/use some scan to test only for some of these?
Which of them?
- Is it productive to try to exploit a buffer overflow? (where success
depends on many factors: program version, OS version/language, etc.)

I'm expecting answers such as:

"What I'd do is:
1.- Launch Cain and start sniffing. Let it work in the background and
move on to step 2.
2.- Launch an arp-scan (it's fast and easy). Try to guess the systems
from the vendor part of the MAC.
3.- Monitor Cain's output. Manually test the saved user/password pairs.
4.- Look for the domain controller using the xxxx tool. Launch "enum" to
enumerate users. Launch the yyyyy tool for a simple brute force that only
tries a blank password and a password equal to the username.

... etc

You're the experienced pen-testers and you know better than anybody
which attacks you always use with the best success/speed/effort ratio.
I'd like to hear your ideas. I think this could be an interesting
thread. Please contribute! :)

Thank you.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.
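The thread above keeps coming back to the same trade-off: on a class-B with one laptop and a day, you cannot sweep everything, so you probe a handful of high-value ports (the original poster's VNC example), order the address space so the likely servers come first, run many probes in parallel, and stop at a hard deadline while other attacks (sniffing, password guessing) run alongside. The following is an added example, not code from either poster, that implements that time-boxed, prioritized sweep in Python. The port set (5900 VNC, 445 SMB, 3389 RDP, 22 SSH), the "probe .1/.2/.10/.100/.200/.254 of every /24 first" heuristic, and the function names are all assumptions made for the example; the local listener exists only so the code runs offline against 127.0.0.1.

```python
"""Time-boxed, prioritized TCP sweep for a large subnet (added example)."""
import itertools
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor

# Assumed high-value ports for a quick look: VNC, SMB, RDP, SSH.
FOCUSED_PORTS = (5900, 445, 3389, 22)

# Assumed heuristic: within each /24 these last octets are probed first,
# because gateways and servers are commonly parked at those addresses.
PRIORITY_OFFSETS = (1, 2, 10, 100, 200, 254)


def prioritize_hosts(cidr):
    """All host addresses of `cidr` as strings, with the priority offsets
    of every /24 pulled to the front (address order preserved in each group)."""
    net = ipaddress.ip_network(cidr, strict=False)
    first, rest = [], []
    for addr in net.hosts():
        (first if int(addr) & 0xFF in PRIORITY_OFFSETS else rest).append(str(addr))
    return first + rest


def probe(host, port, timeout=0.5):
    """Plain TCP connect probe. Returns (host, port, is_open)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return host, port, True
    except OSError:  # refused, timed out, unreachable: all count as closed
        return host, port, False


def timeboxed_sweep(hosts, ports=FOCUSED_PORTS, deadline_s=60.0,
                    workers=256, timeout=0.5):
    """Probe (host, port) pairs in the given order using a thread pool, one
    batch at a time, and stop starting new batches once `deadline_s` seconds
    have elapsed. Returns ({host: [open ports]}, number_of_probes_done)."""
    start = time.monotonic()
    pairs = ((h, p) for h in hosts for p in ports)   # lazy: never materializes a /16
    found, done = {}, 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while time.monotonic() - start < deadline_s:
            batch = list(itertools.islice(pairs, workers * 4))
            if not batch:
                break
            for host, port, is_open in pool.map(
                    lambda hp: probe(hp[0], hp[1], timeout), batch):
                done += 1
                if is_open:
                    found.setdefault(host, []).append(port)
    for open_ports in found.values():
        open_ports.sort()
    return found, done


def open_local_listener():
    """Listening socket on 127.0.0.1 and an ephemeral port so the sweep can
    be exercised offline (the kernel completes the handshake without accept()).
    The caller closes the returned socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against a local listener. A real engagement would look like
    #   timeboxed_sweep(prioritize_hosts("10.0.0.0/16"), deadline_s=3600)
    srv, port = open_local_listener()
    hits, done = timeboxed_sweep(["127.0.0.1"], ports=(port,), deadline_s=5)
    srv.close()
    print(f"{done} probes completed, open services: {hits}")
```

The deadline is enforced between batches, so the sweep overshoots by at most one batch of `workers * 4` probes (a few connect timeouts); whatever was found by then is already in `found`, which is what you want when the clock, not the address space, is the limit.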




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:24 EDT