Structure of A Pentest

[digitalfriction]

Hi,

I run a small pc business and as a freebie to customers I will demonstrate some security vulnerabilities on their small office networks using BT4. I would usually begin with wireless security, and if that did not work, look at the social engineering toolkit, and demonstrate how tricking someone into visiting the wrong site can cause issues. I would demonstrate MS08_067 and then show a few examples of howmcuh control a potential attacjker would have, without really causing any noticable effect on the 'popped box'.

Where I fall down on these demonstrations, is if the wireless is secure enough to not be an issue, and social engineering is unlikely to work (small office, everyone knows Mr X does the IT, and never trust anything else).

Is there a demonstration, or guide as to the best structure to a pentest? Is it normal practise to look for vulnerabilities on the external/internet IP (I have tried SQL injection before, but to be honest, only the known demo apps seem vulnerable to this).

I would really just like some advise on resources that cover this, or good exploits/tests for external addresses that would help demonstrate vulnerabilities in this area?

thanks again

[thorin]

The success (or failure) or any particular test or exploit depends on the resources exposed. Really since you're doing it for free nothing is lost if you can't find something quickly that'll work. Additionally since you're going a quick and dirty one off flash and glitz kind of thing your clients aren't really getting anything of value. They should be hiring someone that does vulnerability assessments or penetration tests for a living and addressing any and all potential vulnerabilities, not just the one that you happen to get working the day you're there. I won't even go into the fact that you're doing things without being asked/authorized.

To answer your basic question, generally the structure of a full pentest goes something like:
1) Reconnaissance - Find everything exposed relating to a particular entity (person or business).
2) Identification - Identify as much as you can about those exposed resources. Software version numbers, OS, etc.
3) Vulnerability Assessment - Using tools (i.e.: Nessus, OpenVAS, etc) and DBs (i.e.: Mitre/CVE, Secunia, etc) figure out if the identified resources have any known vulnerabilities. 3b) Find out if the exposed resources have any unknown vulnerabilities (web app issues etc).
4) Exploitation/Penetration Testing - Exploit any discovered vulnerabilities.

[Thorn]

Aside from what Thorin said, what you're doing isn't even close to a pen test. It isn't even a half-assed vulnerability assessment. You're pointing out a couple of common issues that you happen to know about, but you aren't doing anything comprehensive,and you aren't doing even the basics.

If you're serious about doing real pen tests, you may want to look at this site for a framework that should give you a good start: http://www.vulnerabilityassessment.co.uk/

[lupin]

Ditto on the "not a pentest" comment. Is that actually what you want to provide though, or are you just after a way to demonstrate value for your IT support and maintenance services? Sort of like, "Here's a demonstration of one bad thing that could happen to you with badly configured systems - now pay me lots of money!"

Have a search through the forum to find the last rant I made when someone misused the term "pentest" if you want a better idea of what a real pentest involves.

Plus Thorin alluded it, and I'll say it more clearly, you are playing with fire if you're exploiting systems without obtaining informed written consent from the owner.

OSSTMM and ISSAF are some other things you may want to look into in addition to the link Thorn provided. ISSAF is a bit old but I still quite like it, at least from the perspective of providing a good overview. And if web pentesting interests you - the OWASP Testing guide.

[digitalfriction]

Hi, thanks for your replies, I just want to clear a couple of things up that I didnt say in my original post:

1) All the tests are done with permission, I have a short disclaimer form that the business owner signs explaining that I will attempt to gain access to the computer system/network in a manner designed to simulate a break-in/hack. It also says that there is no guarentee that I will be able to get access, and that although I will do my best to cause no damage or downtime this is not guaranteed.

2) I have never claimed that this is a full pentest, what I am trying to do is raise awareness that these tools are available, and with some very basic knowledge people can try to break in/damage systems. I always recommend that if the customer feels concerned over anything I have demonstrated that they contact a certified security specialist, other than that I inspect the firewall rules for anything unusual/uneccesarry, patch all windows boxes with the latest updates, and check installed software for security updates. I ensure that the AV software is reputable,and up to date, and check the msconfig startup services and programs for anything unusual/unneccesary. I would normally then perform a cleanup of any spyware/adware not detected in the previous steps using tools such as mbam etc.

Basically what I'm trying to say is I'm not passing myself off as a pentester, or a professional, or any of those things. Its just a free quickie check to try and help customers understand a bit more.

I would like to develop my abilities more, which is why I have asked the question, I have decided to look at a couple of publications by Thomas Wilhelm which I hope will help. I would like to be able to offer a full service at some point, as I think this is a valuable thing to offer.

"Here's a demonstration of one bad thing that could happen to you with badly configured systems - now pay me lots of money!" - This is not what I do, it is a demonstration for awareness, that is all, they have already called me in to help patch up and clean down the pc's, I really gain nothing other than maybe a bit of appreciation for showing them something new.

Have a search through the forum to find the last rant I made when someone misused the term "pentest" if you want a better idea of what a real pentest involves - I appreciate what you are saying, but I didn't say I was doing a pentest, I said I demonstrate SOME security vulnerabilities, I then asked about the correct structure of a pentest, I did not mean to infer that I was performing pentests.

[lupin]

"Here's a demonstration of one bad thing that could happen to you with badly configured systems - now pay me lots of money!" - This is not what I do, it is a demonstration for awareness, that is all, they have already called me in to help patch up and clean down the pc's, I really gain nothing other than maybe a bit of appreciation for showing them something new.

That's essentially the impression I got from what you posted above, that you were performing a demonstration. Im not saying that thats a bad thing, as long as you are upfront about what you are doing, and you have the appropriate permission. The "now pay me lots of money" comment was me being flippant. I do that sometimes. It's intended as humour.

If you havent already, you might want to get a lawyer to look over that form you get the business owner to sign before you perform these demonstrations, and also check to see if your insurance will cover you in case of any system damages.

Have a search through the forum to find the last rant I made when someone misused the term "pentest" if you want a better idea of what a real pentest involves - I appreciate what you are saying, but I didn't say I was doing a pentest, I said I demonstrate SOME security vulnerabilities, I then asked about the correct structure of a pentest, I did not mean to infer that I was performing pentests.

I didnt say that you were claiming that you were doing a pentest either, I just mentioned those previous posts of mine because I have actually explained what a pentest involves in those ranting threads, and that was what you were asking about. It's also to head off any misconceptions that others who may come across this thread may have.

[Thorn]

OSSTMM and ISSAF are some other things you may want to look into in addition to the link Thorn provided.

The OSSTMM is very, very good, and I use it myself, but I neglected mentioning in my initial reply as it tends to be very general. As well it should be, given that it's a methodology and not a checklist. I like vulnerabilityassessment.co.uk's Pen Test Framework -especially as a beginner's reference- as it gives a very detailed look at many of the things someone should be considering for a pen test.

2)...
I have never claimed that this is a full pentest, what I am trying to do is raise awareness that these tools are available, and with some very basic knowledge people can try to break in/damage systems. ...
Basically what I'm trying to say is I'm not passing myself off as a pentester, or a professional, or any of those things. Its just a free quickie check to try and help customers understand a bit more.
...

Fair enough, although the thread title and the questions in the first post are slightly misleading. If you just want to do some security demos as a marketing technique or even just to raise awareness, there are a number of things you might consider. If you want to do pen testing, then that's really a different subject.

...
I would like to develop my abilities more, which is why I have asked the question, I have decided to look at a couple of publications by Thomas Wilhelm which I hope will help. I would like to be able to offer a full service at some point, as I think this is a valuable thing to offer.
...

Tom Wilhem's a good guy, and knows his stuff. I've taken several of his training courses, and obtained several pen testing certs from him. Plus, his Professional Penetration Testing is on the table in front of me as I write this. It's a great book, and I highly recommend you get it ASAP. (I have to say that, I did a review and wrote one of the recommendations on the back cover! ) Tom is also an adherent of the OSSTMM.

[digitalfriction]

Thankyou all for your replies, and apologies if my original post caused confusion, or was misleading.

I will check my liability insurance, as I actually hadn't thought of that, I nievely assumed I would be able to fix anything I damaged (stupid!!). Thankfully, I have had no bad experiences so far, and as I said before, I dont try to break anything, I really do just perform a simple demo, much like a tutorial video if you like.

The information you have provided is excellant, and although my use of BT is limited to the basic demo's mentioned and my personal test setup of VMWare machines, I think the release is brilliant, and having looked at the BT roadmap, I am looking forward to the future, and the mention of BT5 looks very good !

Ive actually just re-read my first post, and can see exactly why you werent impressed, and got the wrong impression (I so didnt want to get flamed for it too !). I will, once again, try to think harder before posting a question, and try to make myself clear !

[Archangel-Amael]

Aside from what Thorin said, what you're doing isn't even close to a pen test. It isn't even a half-assed vulnerability assessment. You're pointing out a couple of common issues that you happen to know about, but you aren't doing anything comprehensive,and you aren't doing even the basics.

Thorn thanks for this post. Hilarious but truth.

No offense OP. It's not personal.

I will, once again, try to think harder before posting a question, and try to make myself clear !

OP just be honest with your intentions and your questions (not saying you haven't been), and you'll be ok.

As for liability insurance and talking with a lawyer, those would probably be some of your smartest business moves.
Think of it this way, you do a demo on Company X and your demo causes a DOS and company X loses or claims to have lost $1million. How are you going to fix or repay that? It's generic I know but, best to CYA.

Good luck.

[lupin]

The OSSTMM is very, very good, and I use it myself, but I neglected mentioning in my initial reply as it tends to be very general. As well it should be, given that it's a methodology and not a checklist. I like vulnerabilityassessment.co.uk's Pen Test Framework -especially as a beginner's reference- as it gives a very detailed look at many of the things someone should be considering for a pen test.

Its an excellent reference for some of the non technical/procedural aspects of a pentest, but I agree that it is very hard to follow during a specific test - as a step by step guide (and yes, it definitely doesnt appear to have been written to be used in that way). I prefer some of the other guides to give an idea of the actual technical steps used in a test - OWASP for example is an excellent reference for the technical steps of a web app test, as is the Vulnerability Assessment link you provided for network pentests.