Hi, first I would like to thank re@lity for pointing me in a couple of right directions.
I have blagged my way into a position to pen test a public school's ISD. I have gathered loads of information through some of the tools in BT3 information gathering and zone transfers. But I am at a standstill on what to do next. gooscan has returned several possible vulnerabilities. But that's just on the web server. The mail server and FTP also returned some but not as many. There are literally hundreds of IPs for this client. Should I scan every one of them? How are they identified as being vulnerable? Any help would be much appreciated. I feel like I have jumped in over my head but will work hard to accomplish my goal.
Go grab yourself a huge slice of "humble pie" and eat that in front of the school.
Download, read, understand and follow something like the Open-Source Security Testing Methodology Manual (OSSTMM). I believe that the latest version is 2.2.
Next time stick within your skill set boundaries.
Being it is a school, 99% chance it's Windows. Therefore, you need to run the Windows tool from microsnot. What's it called, WMA or something. That's what I would do first. Make sure all systems are updated before your pen test.
A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
- Blind: The auditor engages the target with no prior knowledge of its defenses, assets, or channels.
- Double Blind: The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The target is not notified in advance of the scope of the audit, the channels tested, or the test vectors.
- Gray Box: The auditor engages the target with limited knowledge of its defenses and assets and full knowledge of channels. The target is prepared for the audit, knowing in advance all the details of the audit.
- Double Gray Box or White Box: The auditor engages the target with limited knowledge of its defenses and assets and full knowledge of channels. The target is notified in advance of the scope and time-frame of the audit but not the channels tested or the test vectors.
- Tandem or Crystal Box: The auditor and the target are prepared for the audit, both knowing in advance all the details of the audit.
- Reversal: The auditor engages the target with full knowledge of the target, its processes, and operational security, but the target knows nothing of what, how, or when the auditor will be testing.
In any event, whether the client's engineers/technicians know what is going to happen or not is one of the things that should be worked out well in advance, and placed in the terms of the contract, along with things like time and attack limits, as well as "get out of jail" letters.
Stop the TSA now! Boycott the airlines.
Well, first of all the school's not being charged. It's a test to understand my knowledge of security. To see if I am able to locate any, if any. If I succeed then I would be in a position to take it up full time and learn more along the way. Isn't that the way? But thanks for the responses. I was told that I could quickly weed through the guys that offer helpful advice and the guys who think they know enough. Thorn, you are right, that's why I have no set time limit on it. My company wants to ease into the fundamentals, then create our own methodology. I have time to learn it and get it right. So, I'm here to stay.
Thanks guys for your answers. But no one commented on whether or not I should test all the IPs or not.
I guess it would be blind, I don't plan on going in, just identifying them. We are a company that manages them and I am not sure they were told about it. The thing is I mentioned pen testing as a way to broaden our client base to the bosses about 6 months ago. I thought they forgot or didn't care for it. About a week ago I was called into the office and given this assignment. So I am going to do my best.
As to whether you are going to test all the IPs or not, the answer is "it depends." It should be determined when the scope of the test is discussed with the client, and what you know of the target network. Are you looking at the school operations area? Or academic records? Just the public web server? Or everything including the kitchen sink because it's all on the same network? Are you doing this from inside the network or outside?
Here's an example that's close to what you're doing: A few years back, I worked in a school system for two semesters to aid in cash flow when I was starting my business. In the high school, the lab and student use machines were under constant attack from the students, and the tech staff knew it. But the machines were set up with an image, and we'd routinely use Ghost to re-image them whenever there was any kind of problem.
In that particular school, and if a pen tester knew the layout of the network, then he'd know that scanning those 100 or so machines would have been a waste of time, since they were re-imaged fairly often, and were on a separate subnet from those machines that were holding anything of value like academic records, staff personnel records, or operations information. On the other hand, if the pen tester knew nothing of that network, a basic scan would be merely a starting point.
Like I said, this is all stuff that should be determined when the scope of the test is discussed with the client along with all the other things that should be talked about, like test limits and liability.
DaKahuna had the best advice so far: Get the OSSTMM and read it. That should at least let you know how much you don't know.
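One way to make the "it depends on the agreed scope" point concrete, as an added example that is not from this thread: a small Python check that takes the address ranges written into the contract (constructed values here, along with a constructed zone-transfer dump) and sorts the hosts you gathered into in-scope, explicitly excluded, and out-of-scope, so nothing outside the signed agreement gets touched.

```python
import ipaddress

# Constructed rules of engagement for illustration only (not from the thread):
# ranges the client signed off on, and a range they asked us to leave alone
# (think of Thorn's frequently re-imaged student lab subnet).
IN_SCOPE = ["203.0.113.0/24", "198.51.100.10/32"]   # agreed in the contract
EXCLUDED = ["203.0.113.200/29"]                     # explicitly off limits

# Constructed sample of what a zone transfer might list (documentation ranges).
SAMPLE_ZONE = """\
www.school-isd.example.    3600 IN A 203.0.113.5
mail.school-isd.example.   3600 IN A 203.0.113.25
ftp.school-isd.example.    3600 IN A 203.0.113.21
lab01.school-isd.example.  3600 IN A 203.0.113.201
vendor.school-isd.example. 3600 IN A 192.0.2.77
"""

def a_records(zone_text):
    """Pull (name, address) pairs out of the A records in a zone dump."""
    hosts = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "A":
            hosts.append((fields[0], fields[4]))
    return hosts

def build_scope(in_scope, excluded):
    """Parse the contract's CIDR strings once into network objects."""
    return ([ipaddress.ip_network(n) for n in in_scope],
            [ipaddress.ip_network(n) for n in excluded])

def classify(host, allowed, denied):
    """Return 'excluded', 'in-scope' or 'out-of-scope' for one address.
    Exclusions win over allowed ranges, so a carve-out inside a /24 holds."""
    addr = ipaddress.ip_address(host)
    if any(addr in n for n in denied):
        return "excluded"
    if any(addr in n for n in allowed):
        return "in-scope"
    return "out-of-scope"

def filter_targets(hosts, in_scope=IN_SCOPE, excluded=EXCLUDED):
    """Bucket every gathered address; only the 'in-scope' list is ever tested."""
    allowed, denied = build_scope(in_scope, excluded)
    buckets = {"in-scope": [], "excluded": [], "out-of-scope": []}
    for h in hosts:
        buckets[classify(h, allowed, denied)].append(h)
    return buckets

if __name__ == "__main__":
    for bucket, addrs in filter_targets([ip for _, ip in a_records(SAMPLE_ZONE)]).items():
        print(f"{bucket:13} {addrs}")
```

Anything that lands in "out-of-scope" (here the third-party host) is a question to raise with the client before the engagement, not a target.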
Since you haven't given us, or you don't know, the scope and type of test you are doing (VA vs. pen test) and whether you are inside or outside the network...
then yes, you should test all the IPs.