RE: Pen testing techniques

From: Shenk, Jerry A (jshenk@decommunications.com)
Date: Wed Apr 09 2008 - 16:18:51 EDT

• Next message: Hugo Fortier: "Re: Computer Security Videos"
• Previous message: Atif Azim: "Pen testing techniques"
• In reply to: Atif Azim: "Pen testing techniques"
• Next in thread: Nathan Sportsman: "Re: Pen testing techniques"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Well, for starters, I'd never tell anybody that "there are no
vulnerabilities" unless perhaps the computer was powered off, all cables
cut, the hard drive melted down and buried in tons of concrete under a
dam...maybe;)

You might want to manually test the web site and see if you can find
anything. Any tool is only as good as a tool can be...it can't put
things together like a human brain can so you might see some little
think that will turn into a big thing.

How about doing some manual reconnaissance? Check out their DNS scope,
see if they've posted any router configs on the internet (I actually
found one once...wow!!). What e-mail addresses can you find on the
internet? Does the web server leak any internal information? ...that
might not be an immediately exploitable tidbit but it's still
information that you could give them to help them make their security a
little bit better. Did you figure out what kind of router and firewall
they have? What's the makeup of this web site - any interesting static
content, how about any sample code laying around.

One thing you can do with CORE is generate some e-mails or just the
attachments that you can send to them. If they have an older version of
acrobat (not unreasonably old either), maybe you can get an agent
installed on a box on the inside. You'll probably need a lab to play
with that idea a bit before you start throwing e-mails
around...actually, you probably ought to play with all this stuff before
you start throwing packets around.

Oh, on the e-mail idea...what mail server are they running? What mail
clients? Don't know, send a few e-mails and see if you can get a
response. Check out the headers and see what you can learn.

You might want to check out a few other tools too. CORE does a ton of
stuff but there are a lot of other tools out there. The best tool is
your brain...use it to understand your victim (client).

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Atif Azim
Sent: Wednesday, April 09, 2008 3:49 PM
To: pen-test@securityfocus.com
Subject: Pen testing techniques

Hello,
I am new to pen testing and am currently involved in doing an external
pen test for one of our clients.We are doing it through Core
Impact.Reconnaisance showed only port 80 as open and the web server
running IIS 6.0.Core Impact did not find any vulnerabilities in the
server and hence was unable to penetrate.The web application was also
tested for SQL Injection and PHP remote file inclusion and did not
find any vulnerabilities there either.

My question is what else can we do besides relying on Core Impact for
this pen test.And what impression can a client get if we say to them
that there are no vulnerabilites in your network or web app.Its
dificult to digest something like that for a security specialist that
everythings alright.

Looking forward to some great views.Thanks.

Regards,
Atif Azim

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the message. If you have received this communication in error, please notify the sender and delete this e-mail message. The contents do not represent the opinion of D&E except to the extent that it relates to their official business.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

• Next message: Hugo Fortier: "Re: Computer Security Videos"
• Previous message: Atif Azim: "Pen testing techniques"
• In reply to: Atif Azim: "Pen testing techniques"
• Next in thread: Nathan Sportsman: "Re: Pen testing techniques"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:30 EDT