Page 1 of 2 (results 1 to 10 of 14)

Thread: Pentesting

  1. #1
    Just burned his ISO
    Join Date: Mar 2011
    Posts: 6

    Pentesting

    In a real-world pentest, how many of you prefer to use vulnerability scanners (Nessus, Nexpose) vs. getting nitty-gritty with grabbing banners and manually searching for exploits? Do some of you like to do both? I'm curious what real-world penetration testers' opinions are on this topic.

  2. #2
    Just burned his ISO
    Join Date: Feb 2010
    Posts: 9

    Re: Pentesting

    Well, I lost my original reply, because I don't know what I'm doing.

    But what I had said is that my instructor is teaching us to run two or three tools, at least Nessus and Nmap. And to my understanding it is because the banner captures in some tools aren't always correct.

    I was also told that an Admin can change a banner to say version 3, when in reality they are running version 2.8. They could make that change to save them the trouble of being caught by the board for not running an official update or upgrade on their insecure apps.

    Just my 2 cents, but I am interested in seeing what other people are doing.

  3. #3
    Just burned his ISO
    Join Date: Mar 2011
    Posts: 4

    Re: Pentesting

    You need both:

    Since Nessus and OpenVAS and friends will give you a good idea of your landscape and what is in front of you. Think of it as a wide-angle view of the Castle.

    Once you see that the Castle has a left wall missing 2 or 3 blocks, you can then get into the nitty gritty of trying to figure out why, how, what it is, and how vulnerable it is. And of course then penetrate it.

    So both are a good idea to get you to properly focus on the landscape in front of you and focus exactly on the vulnerable sections.

    So yeah, hope my 2c made sense.

  4. #4
    thorin (My life is this forum)
    Join Date: Jan 2010
    Posts: 2,629

    Re: Pentesting

    In order to maximize effectiveness and coverage you need both.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  5. #5
    Member
    Join Date: May 2010
    Location: Frankfurt/Main
    Posts: 58

    AW: Pentesting

    The problem is, if you use both, you're gonna make a lot of noise... sometimes you can't use both, or rather you shouldn't...

  6. #6
    Thorn (Senior Member)
    Join Date: Jan 2010
    Location: The Green Dome
    Posts: 1,509

    Re: AW: Pentesting

    Quote Originally Posted by MartinBishop:
    The problem is, if you use both, you're gonna make a lot of noise... sometimes you can't use both, or rather you shouldn't...
    Noise is only a problem if you're running a "black ops" test against both the actual network as well as the security abilities of the admins. Otherwise, concern over noise isn't even a consideration. In any event, that should be all worked out ahead of time when the job is specified, and should be detailed within the contract between your company and the company hiring your services. Besides, if you know the tools, you should know how to mitigate most noise issues.

    I generally use both methods. I prefer it when admins actually can pick out the attacks, it shows that they, and any IDS/IPS, are doing their jobs.
    Last edited by Thorn; 03-08-2011 at 01:07 AM. Reason: Typo
    Thorn
    Stop the TSA now! Boycott the airlines.

  7. #7
    lupin (Super Moderator)
    Join Date: Jan 2010
    Posts: 2,943

    Re: Pentesting

    Both, it improves efficiency and coverage. If you are in the business of competing based on price (and I know not all testers are, but it's still worth mentioning), then efficiency is of prime importance. Time is money, etc. In my current job I only perform internal tests myself, but I have been involved in hiring pentesters for external tests on multiple occasions, and given the purchasing requirements I work within, overestimating the time taken to perform a test (and therefore the cost) can result in a competitor being chosen. In some environments, it's hard to justify a more expensive tester unless you have some experience of the quality of the various testers, so the result is that in the first few instances of hiring pentesters, the decision is likely to be made mainly on cost. It's only more mature clients who can properly judge the quality of a tester, and who are more aware of testers' reputations, who will choose based on other criteria, but these clients are also going to expect that testers be efficient and provide good-quality tests.

    I agree with Thorn in that noise is only a problem if testing response capabilities is part of the test, and that is somewhat of an unusual request and should be worked out as part of the terms of agreement. Efficient use of the tools can minimise noise.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  8. #8
    Just burned his ISO
    Join Date: Mar 2011
    Posts: 4

    Re: AW: Pentesting

    Quote Originally Posted by Thorn:
    Noise is only a problem if you're running a "black ops" test against both the actual network as well as the security abilities of the admins. Otherwise, concern over noise isn't even a consideration.
    Well, when pentesting machines in a live environment, noise generated from vulnerability scanners, port scanners, etc. as well as normal traffic can be enough to DoS some hosts. Trust me, the last thing you want is to piss off a client by shutting down a production system.

    However, I would say use both. I haven't used OpenVAS, but I've used Nessus, and I've seen it not notice ports that were open (and vulnerable). So I'll agree with the other posters: do manual grabbing first, then go to Nessus and compare. Chances are, if you notice a vulnerability in both, then it is most likely exploitable.
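    The "grab manually first, then run the scanner and compare" step this post describes, written out as a small reconciliation script. This is an added example for the thread, not code from the forum or from Nessus or OpenVAS: both inputs are constructed, and the scanner's CSV column layout (Host, Port, Protocol, Service, Version, Severity) is an assumption, not any real scanner's export format. The script sorts host/port pairs into those both sources agree on (the higher-confidence set the post mentions), those only the manual pass found (the "scanner missed an open port" case), those only the scanner found, and those where the banner's version string disagrees with the scanner's, which ties back to the earlier point that banners can be wrong or changed by an admin and need verifying before they go in a report.

```python
"""Reconcile manual banner grabs with a vulnerability scanner export.

Added example for this thread; not code from the forum or from Nessus/OpenVAS.
Both inputs are constructed and the scanner CSV layout is an assumption.
"""
import csv
import io
import re
from dataclasses import dataclass

# Version-like tokens such as 2.2.3 or 5.3. A lone FTP status code like
# "220" has no dot and is deliberately not matched.
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed notes from manually connecting to each port: host,port,banner.
# 10.0.0.5:8443 answered but sent no banner, so its third field is empty.
MANUAL_BANNERS = """\
10.0.0.5,22,SSH-2.0-OpenSSH_5.3
10.0.0.5,80,Apache/2.2.3 (CentOS)
10.0.0.5,8443,
10.0.0.9,21,220 ProFTPD 1.3.3 Server ready.
10.0.0.9,80,Apache/2.2.3
"""

# Constructed scanner export with an assumed column layout. It omits
# 10.0.0.5:8443 (the scanner-missed-a-port case from the post) and reports
# a different Apache version on 10.0.0.9:80 than the banner shows.
SCANNER_CSV = """\
Host,Port,Protocol,Service,Version,Severity
10.0.0.5,22,tcp,ssh,OpenSSH 5.3,Medium
10.0.0.5,80,tcp,http,Apache 2.2.3,High
10.0.0.9,21,tcp,ftp,ProFTPD 1.3.3,High
10.0.0.9,80,tcp,http,Apache 2.2.15,High
10.0.0.9,443,tcp,https,,Low
"""


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    detail: str  # raw banner or scanner version string; may be empty


def parse_manual(text):
    """Parse host,port,banner lines into {(host, port): Finding}."""
    findings = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue  # blank or malformed line
        host, port = row[0].strip(), int(row[1])
        banner = row[2].strip() if len(row) > 2 else ""
        findings[(host, port)] = Finding(host, port, banner)
    return findings


def parse_scanner(text):
    """Parse the (assumed) scanner CSV into {(host, port): Finding}."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        host, port = row["Host"].strip(), int(row["Port"])
        version = (row.get("Version") or "").strip()
        findings[(host, port)] = Finding(host, port, version)
    return findings


def extract_version(detail):
    """Return the last version-like token in a string, or None.

    The last match is used because SSH banners put the protocol version
    (2.0) before the software version (5.3).
    """
    matches = VERSION_RE.findall(detail)
    return matches[-1] if matches else None


def reconcile(manual, scanner):
    """Split findings into agreed, manual-only, scanner-only and version conflicts."""
    both = sorted(manual.keys() & scanner.keys())
    result = {
        "both": both,
        "manual_only": sorted(manual.keys() - scanner.keys()),
        "scanner_only": sorted(scanner.keys() - manual.keys()),
        "version_mismatch": [],
    }
    for key in both:
        v_manual = extract_version(manual[key].detail)
        v_scan = extract_version(scanner[key].detail)
        if v_manual and v_scan and v_manual != v_scan:
            result["version_mismatch"].append((key, v_manual, v_scan))
    return result


def run_example():
    return reconcile(parse_manual(MANUAL_BANNERS), parse_scanner(SCANNER_CSV))


if __name__ == "__main__":
    r = run_example()
    print("Seen by both (higher confidence):", r["both"])
    print("Manual only (scanner missed; check scan scope):", r["manual_only"])
    print("Scanner only (confirm by hand):", r["scanner_only"])
    print("Banner vs scanner version disagreement (verify first):", r["version_mismatch"])
```

    Anything in the manual-only bucket is worth re-checking the scanner's port range and host list for, and anything in the version-mismatch bucket should be confirmed by other means before a finding is written up, since either the banner or the scanner's fingerprint may be the wrong one.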

  9. #9
    Thorn (Senior Member)
    Join Date: Jan 2010
    Location: The Green Dome
    Posts: 1,509

    Re: AW: Pentesting

    Quote Originally Posted by ahjohnston25:
    Well, when pentesting machines in a live environment, noise generated from vulnerability scanners, port scanners, etc. as well as normal traffic can be enough to DoS some hosts. Trust me, the last thing you want is to piss off a client by shutting down a production system.
    To be sure, there are a lot of networks that have touchy machines, and those details should be worked out ahead of time. In fact, my contracts specifically exclude deliberate DoSing as a technique, and asking about hosts that are vulnerable to scans is a standard question prior to the test.

    There are a stupendous number of skiddies who come in to these forums and seem to think that "pen test" equals "unauthorized attack", and that they must be quiet to avoid getting caught, and MartinBishop's post seems to reflect that all too common attitude. If I took his post out of context, I apologize. My point to him was that a legitimate tester doesn't usually need to be stealthy unless they're also testing the admins' ability.
    Thorn
    Stop the TSA now! Boycott the airlines.

  10. #10
    jirtos (Junior Member)
    Join Date: Jan 2011
    Posts: 28

    Re: Pentesting

    Of course, but in my line of duty testing the admins is more usual (double-blind test according to OSSTMM, to be specific) than other kinds of testing (well, to be honest, usually it is both: first double-blind models, and second a more specific aim), and still, in any kind of test you need proofs and audit logs that can prove the problems and the test progress.

    But to answer the original question:

    The main thing is not that you cannot or couldn't use these automated scanners, but to use them effectively and mainly to understand how they work! So you will not generate much noise, you will not DoS fragile machines on the network, and IDP/IDS will not trigger an alert or proactive measure (or, on the other hand, it will if you want to test the recognition level of the IDP). But that's still the same thing over and over again: you need to know what you are doing! How the tools you use work, and understand more than the basics of OSs and networking. If you don't know what you are doing, no matter what you use (Nessus, OpenVAS, Retina or a simple ping sweep), you will do bad things to the network and you are an idiot. There is nothing worse than a guy messing with higher power (like the one that was asking this week about "wtf, there is Oracle svr, how to hack it").
