A Beginner Wanting To Move Forward (Long Read)
I'm doing some pentesting on my network and here's where I'm at right now. First, I'll list what my network consists of:
1 machine with XP installed, no service packs (computer A)
1 machine with XP, service pack 3 installed (computer B)
2 machines with W7 installed (W7 ultimate, no service packs - computer C and W7 premium with SP1 installed - computer D)
I'm relatively new to Backtrack and require some advice on what to pentest next.
First thing I've tested are the obvious metasploit exploits against open ports after scanning. Computer A was victim to a msXX_XXX_netapi exploit, giving me access. I was unable to exploit any other machines - good news. Question - I guess after I update machine A with a service pack, no metasploit exploits will work, making my network safe from these types of attacks? I looked at a range of other types of exploit like the ones that create .rtf or .doc files, but I would never open a file like this from an untrusted source. Same goes for the attacks where you must direct the target to an IP; I'd never click on something like this, making the attempt redundant.
Next I explored Ettercap, running MITM attacks to receive traffic and sniff out any usernames and passwords. I tried a range of browsers, each warning me that the connection could not be trusted and that I should not continue. Firefox was especially good at this as recent versions do NOT allow the user to click on "Let me continue anyway" - excellent protection. When I used to use BT3 to test my network, earlier versions of the Firefox browser showed a 'continue anyway'. Perhaps I'm not using Ettercap correctly as I imagined it to attack without the user knowing.
I then had a look at SET as I could find a lot of information about this - I like learning on my own accord and not being spoonfed! It's a bit more fun that way too ;).
Again though, I would never open any type of file (especially .exe!!) from someone I didn't know, making these types of attack unlikely to work on my machines. I have AV on all machines anyway and when trying to email the file to the other machines, my email handler quite nicely stopped me from sending the email as it had detected a virus despite various msfencode attempts.
So that's what I've explored so far; a relatively basic attempt to ensure my network is secure. What would be good to try next or would you say this is enough testing for a home network? Please, no spoon-feeding with tutorials or anything like that but just a mention of a technique, program or something e.g. "Look into Metasploit exploits (the msXX_XXX_netapi)" so I can learn myself.
Some ideas I've come up with - if you could confirm if these are a good way to go with any added topics of interest, it'd be much appreciated.
-Look into the router (I've done no work here so far) and how this can be used in an attack. Maybe there is some way to spoof the router (but not in the way of the above mentioned MITM attacks) so the machines allow it to connect, and eventually upload/run backdoors? The reason I haven't looked into this is because I have a secure WPA password and would imagine the ISP (UK based) would already have some things set up from the factory to easily reject any type of attack/compromise. Still, it'd be fun to learn about though. :) I'm not really interested in aircracking my network by the way. Y'know, when you send/receive loads of packets and then run a words file against it. Would never happen as I obviously know my wifi password.
-Read a bit more into how TCP/IP works, UDP and other types of port. Maybe the above tools *would* work if used in a different way?
-Learn some new tools and how they work. Any mentions here to get me started would be great.
-You're at the point where now you'll have to learn some language skills; consider going on a few courses or something before going forward with pentesting.
In my research and trawling of forums (mainly this one), I've come to find machines with a new OS (W7) are secure and the only way to successfully gain access would be to send a file that the user runs to open a backdoor up. Can someone confirm this? In my case, this would never happen, so I'm looking to see if my network is vulnerable to the type of attacks where I wouldn't even notice.
If I was to hire a professional white hat, would they just say "Yep...that's the only way; your network is pretty secure." ?
I'm hoping that won't be the answer because A) It's really fun learning Backtrack, Linux in general and networking - I don't want it to stop! B) I'm certain Backtrack can do much more.
I watched the 'Pentesting In The Real World' vid from the Offensive Security team and thought it was brilliant. Gaining access to the last machine which actually didn't have a routable connection to the internet....yet access was gained! Very impressive stuff. Sadly I don't use an FTP or anything like that, so those types of SQL exploits (I think that's what they were) wouldn't be applicable to me. Maybe the idea in that video could be applied to router spoofing as mentioned above? Also, SSH tunnelling interests me...
Anyway, if anyone could advise on what to try/learn next, that'd be great! I've stopped for a little bit now and want to continue learning! :)
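The poster asks about attacks he "wouldn't even notice". An added example, not from the thread or from any of its participants: Ettercap's MITM is assumed here to be the usual ARP poisoning, where a second host answers ARP for the router's IP with its own MAC, so the victim's traffic is redirected and the browser certificate warning described above is the only visible symptom (and only for HTTPS). The detector below reads tcpdump-style ARP reply lines and flags any IP claimed by more than one MAC, which is the signature of that poisoning on the wire. All sample capture lines, addresses and MACs are constructed for this example.

```python
"""
Offline ARP-poisoning detector (added example, not code from the thread).

Assumptions: the MITM in the post used ARP poisoning (Ettercap's default
technique), and the capture lines are in tcpdump's ARP output format,
e.g. "12:00:01.001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28".
"""
import re
from collections import defaultdict

# Matches tcpdump's "ARP, Reply <ip> is-at <mac>" fragments; anything else is ignored.
ARP_REPLY = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply found in the capture lines."""
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def find_arp_conflicts(lines):
    """Return {ip: [mac, ...]} for each IP claimed by more than one MAC,
    MACs listed in order of first appearance. A non-empty result means
    either ARP poisoning or a genuine duplicate-IP misconfiguration; on a
    small home network both deserve a look."""
    seen = defaultdict(list)
    for ip, mac in parse_arp_replies(lines):
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def gateway_changed(lines, gateway_ip, known_mac):
    """True if any reply claims the gateway IP with a MAC other than the one
    recorded on a known-clean day. This is the quickest home-network check:
    the router's MAC should never change mid-session."""
    known_mac = known_mac.lower()
    return any(ip == gateway_ip and mac != known_mac
               for ip, mac in parse_arp_replies(lines))


# Constructed sample capture: the router (aa:bb:cc:00:00:01) answers normally,
# then a second host (de:ad:be:ef:00:99) starts claiming both the router's IP
# and the victim's IP, which is what a two-sided poisoning looks like.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:01.001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:05.000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:09.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:10.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:11.000 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
""".splitlines()

if __name__ == "__main__":
    for ip, macs in find_arp_conflicts(SAMPLE_CAPTURE).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
    print("gateway MAC changed:",
          gateway_changed(SAMPLE_CAPTURE, "192.168.1.1", "aa:bb:cc:00:00:01"))
```

To run it against a real capture instead of the constructed one, feed it the output of `tcpdump -n arp` taken on the machine you want to watch; the regex only needs the "ARP, Reply ... is-at ..." part of each line. Recording the router's MAC once on a clean day and keeping it as the `known_mac` baseline is what makes the second check useful, since a poisoned host has no other way to tell the real gateway from the impostor.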
Re: A Beginner Wanting To Move Forward (Long Read)
You really do have a great overview of the topic of pentesting and your home network seems to be pretty secure. As far as how secure you want your network to be, the sky is the limit. In my opinion there is always a way around all the protections, but with your computers being protected against the most common script kiddie attacks I highly doubt anyone would take the time required to further compromise your system (unless you're hiding something that someone really wants). As far as what's next, I would recommend you jump into a programming language. Any language of your choice of course, because everyone has their starting preference, but Ruby and Python are my recommendations. With this knowledge you can take your pentesting to the next level, and instead of spending time learning more tools, you can spend some time building your own and truly learn what's happening behind the scenes. I too like to learn by research and trial and am currently learning to build pentesting tools using Python. Best of luck in your next venture, and I can also recommend possibly starting a blog or website where you can post your learnings and ideas, because that can be a great way to get others' input and advice on the topics you're currently working on.
Re: A Beginner Wanting To Move Forward (Long Read)
Funny you should mention these 2; I'm in the middle of a Python course right now! :) I started a few days ago. I'm looking at Bash scripting to also get me into the whole programming thing; just another thing to learn, y'know. Quite overwhelming to be honest (all of the different terms; strings, arrays etc.) but I think this is exactly what I need; a subject I'm completely new to.
Originally Posted by Phildeeze
So thanks for your reply - you mentioned starting a blog and stuff. Have you got one at all? I'd like to keep track of your progress as well as be another source of info for my learning of this - what seems to be - excellent starter language.