Page 1 of 2
Results 1 to 10 of 19

Thread: Given a penetration job, don't know what's next!

  1. #1
    Kuroda_Shun (Just burned his ISO)
    Join Date: Jan 2008
    Posts: 5

    Given a penetration job, don't know what's next!

    Hi, first I would like to thank re@lity for pointing me in a couple of right directions.
    I have blagged my way into a position to pen test a public school's ISD. I have gathered loads of information through some of the tools in BT3 information gathering and zone transfers, but I am at a standstill on what to do next. gooscan has returned several possible vulnerabilities, but that's just on the web server. The mail server and FTP also returned some, but not as many. There are literally hundreds of IPs for this client; should I scan every one of them? How are they identified as being vulnerable? Any help would be much appreciated. I feel like I have jumped in over my head, but will work hard to accomplish my goal.
    Thanks,
    Kuroda

  2. #2
    Thorn (Senior Member)
    Join Date: Jan 2010
    Location: The Green Dome
    Posts: 1,509

    Quote Originally Posted by Kuroda_Shun (post #1)
    Nmap.

    I hope you're not actually charging the school system, since it seems you don't know the basics and are clearly in WAY over your head.
    Thorn
    Stop the TSA now! Boycott the airlines.

  3. #3
    DaKahuna (Senior Member)
    Join Date: Jan 2010
    Posts: 103

    Quote Originally Posted by Kuroda_Shun (post #1)
    Two recommendations:

    Go grab yourself a huge slice of "humble pie" and eat that in front of the school.

    Download, read, understand and follow something like the Open Source Security Testing Methodology Manual (OSSTMM). I believe that the latest version is 2.2.

    Next time, stick within your skill set boundaries.

  4. #4
    PeppersGhost (Member)
    Join Date: Jan 2008
    Posts: 204

    Being it is a school, 99% chance it's Windows. Therefore, you need to run the Windows tool from Microsnot. What's it called, WMA or something. That's what I would do first. Make sure all systems are updated before your pen test.
    <EeePc 1000HA BT4/W7 USB boot Alfa500 GPS BlueTooth>

  5. #5
    streaker69 (Senior Member)
    Join Date: Jan 2010
    Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts: 3,535

    Quote Originally Posted by PeppersGhost (post #4)
    Then the Pentest wouldn't really be valid would it? A pentest is supposed to be about the current state of the system. The client shouldn't know it's going to happen and shouldn't be taking measures to prepare for it.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  6. #6
    Thorn (Senior Member)
    Join Date: Jan 2010
    Location: The Green Dome
    Posts: 1,509

    Quote Originally Posted by streaker69 (post #5)
    That's one way to do it, but it depends on what is being tested. The OSSTMM defines six types of pen tests. Here's a quick summary pulled from OSSTMM:
    • Blind: The auditor engages the target with no prior knowledge of its defenses, assets, or channels.
    • Double Blind: The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The target is not notified in advance of the scope of the audit, the channels tested, or the test vectors.
    • Gray Box: The auditor engages the target with limited knowledge of its defenses and assets and full knowledge of channels. The target is prepared for the audit, knowing in advance all the details of the audit.
    • Double Gray Box or White Box: The auditor engages the target with limited knowledge of its defenses and assets and full knowledge of channels. The target is notified in advance of the scope and time-frame of the audit but not the channels tested or the test vectors.
    • Tandem or Crystal Box: The auditor and the target are prepared for the audit, both knowing in advance all the details of the audit.
    • Reversal: The auditor engages the target with full knowledge of the target, its processes, and operational security, but the target knows nothing of what, how, or when the auditor will be testing.

    In any event, whether the client's engineers/technicians know what is going to happen or not is one of the things that should be worked out well in advance, and placed in the terms of the contract, along with things like time and attack limits, as well as "get out of jail" letters.
    Thorn
    Stop the TSA now! Boycott the airlines.

  7. #7
    Kuroda_Shun (Just burned his ISO)
    Join Date: Jan 2008
    Posts: 5

    Well, first of all, the school's not being charged. It's a test to understand my knowledge of security, to see if I am able to locate any, if any. If I succeed, then I would be in a position to take it up full time and learn more along the way. Isn't that the way? But thanks for the responses; I was told that I could quickly weed through the guys that offer helpful advice and the guys who think they know enough. Thorn, you are right, that's why I have no set time limit on it. My company wants to ease into the fundamentals, then create our own methodology. I have time to learn it and get it right. So, I'm here to stay.
    Thanks, guys, for your answers. But no one commented on whether or not I should test all the IPs.

  8. #8
    Kuroda_Shun (Just burned his ISO)
    Join Date: Jan 2008
    Posts: 5

    I guess it would be blind. I don't plan on going in, just identifying them. We are a company that manages them, and I am not sure they were told about it. The thing is, I mentioned pen testing as a way to broaden our client base to the bosses about 6 months ago. I thought they forgot or didn't care for it. About a week ago I was called into the office and given this assignment. So I am going to do my best.


    Quote Originally Posted by Thorn (post #6)

  9. #9
    Thorn (Senior Member)
    Join Date: Jan 2010
    Location: The Green Dome
    Posts: 1,509

    Quote Originally Posted by Kuroda_Shun (post #7)
    Create your own methodology? That's reinventing the wheel. There are several out there that are very good.

    As to whether you are going to test all the IPs or not, the answer is "it depends." It should be determined when the scope of the test is discussed with the client, and what you know of the target network. Are you looking at the school operations area? Or academic records? Just the public web server? Or everything including the kitchen sink because it's all on the same network? Are you doing this from inside the network or outside?

    Here's an example that's close to what you're doing: A few years back, I worked in a school system for two semesters to aid in cash flow when I was starting my business. In the high school, the lab and student use machines were under constant attack from the students, and the tech staff knew it. But the machines were set up with an image, and we'd routinely use Ghost to re-image them whenever there was any kind of problem.

    In that particular school, if a pen tester knew the layout of the network, then he'd know that scanning those 100 or so machines would have been a waste of time, since they were re-imaged fairly often, and were on a separate subnet from those machines that were holding anything of value like academic records, staff personnel records, or operations information. On the other hand, if the pen tester knew nothing of that network, a basic scan would be merely a starting point.

    Like I said, this is all stuff that should be determined when the scope of the test is discussed with the client, along with all the other things that should be talked about, like test limits and liability.

    DaKahuna had the best advice so far: Get the OSSTMM and read it. That should at least let you know how much you don't know.
    Thorn
    Stop the TSA now! Boycott the airlines.
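The scoping question in this post (test all the IPs or not?) comes down to checking each discovered host against what the contract actually allows before anything is scanned. The following is an added example, not code from anyone in the thread: it filters a zone-transfer host list against agreed in-scope and excluded CIDR blocks (for instance a re-imaged lab subnet carved out of the engagement, as described above) and groups what remains by contracted block. All network ranges and hostnames are constructed.

```python
# Added example (not from the thread): filter discovered hosts against the
# contracted scope before any scanning happens. All values are constructed.
import ipaddress
from collections import defaultdict

# Constructed scope as it would appear in the signed engagement terms.
IN_SCOPE = ["192.0.2.0/24", "198.51.100.0/24"]
# Constructed exclusion: a lab subnet the client carved out of the test.
EXCLUDED = ["198.51.100.128/25"]

# Constructed host list, as if pulled from a zone transfer: (name, ip).
DISCOVERED = [
    ("www.example-isd.test", "192.0.2.10"),
    ("mail.example-isd.test", "192.0.2.25"),
    ("ftp.example-isd.test", "192.0.2.26"),
    ("records.example-isd.test", "198.51.100.5"),
    ("lab-01.example-isd.test", "198.51.100.130"),
    ("vendor-host.test", "203.0.113.7"),
]


def in_scope(ip, allowed=IN_SCOPE, excluded=EXCLUDED):
    """True only if ip sits inside an allowed block and no excluded block.
    Exclusions win, so a carve-out inside an allowed /24 is honoured."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in excluded):
        return False
    return any(addr in ipaddress.ip_network(n) for n in allowed)


def partition(hosts, allowed=IN_SCOPE, excluded=EXCLUDED):
    """Split hosts into (to_test, out_of_scope); order is preserved so the
    out-of-scope list can go back to the client for confirmation."""
    to_test, out = [], []
    for name, ip in hosts:
        (to_test if in_scope(ip, allowed, excluded) else out).append((name, ip))
    return to_test, out


def group_by_block(hosts, allowed=IN_SCOPE):
    """Bucket in-scope hosts by contracted block, so each block is scanned
    and reported as one unit instead of one IP at a time."""
    buckets = defaultdict(list)
    for name, ip in hosts:
        addr = ipaddress.ip_address(ip)
        for net in allowed:
            if addr in ipaddress.ip_network(net):
                buckets[net].append(name)
                break
    return dict(buckets)
```

Anything that lands in the out-of-scope list (a host outside every agreed block, or inside a carve-out) is a question for the client, not a target.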

  10. #10


    Since you haven't given us, or you don't know, the scope and type of test you are doing (VA vs. pen test), and whether you are inside or outside the network...

    then yes, you should test all the IPs.

