I'm doing some pentesting on my network and here's where I'm at right now. First, I'll list what my network consists of:
-1 machine with XP installed, no service packs (computer A)
-1 machine with XP, service pack 3 installed (computer B)
-2 machines with W7 installed (W7 Ultimate, no service packs - computer C, and W7 Premium with SP1 installed - computer D)
I'm relatively new to Backtrack and require some advice on what to pentest next.
The first thing I tested was the obvious Metasploit exploits against open ports after scanning. Computer A was a victim of a msXX_XXX_netapi exploit, giving me access. I was unable to exploit any of the other machines - good news. Question - I guess that after I update machine A with a service pack, no Metasploit exploits will work, making my network safe from these types of attacks? I looked at a range of other types of exploit, like the ones that create .rtf or .doc files, but I would never open a file like this from an untrusted source. Same goes for the attacks where you must direct the target to an IP; I'd never click on something like this, making the attempt redundant.
Next I explored Ettercap, running MITM attacks to receive traffic and sniff out any usernames and passwords. I tried a range of browsers, each warning me that the connection could not be trusted and that I should not continue. Firefox was especially good at this, as recent versions do NOT allow the user to click on "Let me continue anyway" - excellent protection. When I used to use BT3 to test my network, earlier versions of the Firefox browser showed a 'continue anyway'. Perhaps I'm not using Ettercap correctly, as I imagined it would attack without the user knowing.
I then had a look at SET, as I could find a lot of information about this - I like learning of my own accord and not being spoon-fed! It's a bit more fun that way too.
Again though, I would never open any type of file (especially .exe!!) from someone I didn't know, making these types of attack unlikely to work on my machines. I have AV on all machines anyway, and when trying to email the file to the other machines, my email handler quite nicely stopped me from sending the email, as it had detected a virus despite various msfencode attempts.
So that's what I've explored so far; a relatively basic attempt to ensure my network is secure. What would be good to try next or would you say this is enough testing for a home network? Please, no spoon-feeding with tutorials or anything like that but just a mention of a technique, program or something e.g. "Look into Metasploit exploits (the msXX_XXX_netapi)" so I can learn myself.
Some ideas I've come up with - if you could confirm if these are a good way to go with any added topics of interest, it'd be much appreciated.
-Look into the router (I've done no work here so far) and how this can be used in an attack. Maybe there is some way to spoof the router (but not in the way of the above-mentioned MITM attacks) so the machines allow it to connect, and eventually upload/run backdoors? The reason I haven't looked into this is because I have a secure WPA password and would imagine the ISP (UK based) would already have some things set up from the factory to easily reject any type of attack/compromise. Still, it'd be fun to learn about. I'm not really interested in aircracking my network, by the way. Y'know, when you send/receive loads of packets and then run a words file against it. Would never happen, as I obviously know my wifi password.
-Read a bit more into how TCP/IP works, UDP and other types of ports. Maybe the above tools *would* work if used in a different way?
-Learn some new tools and how they work. Any mentions here to get me started would be great.
-You're at the point where now you'll have to learn some language skills; consider going on a few courses or something before going forward with pentesting.
In my research and trawling of forums (mainly this one), I've come to find that machines with a new OS (W7) are secure and the only way to successfully gain access would be to send a file that the user runs to open a backdoor. Can someone confirm this? In my case, this would never happen, so I'm looking to see if my network is vulnerable to the types of attacks where I wouldn't even notice.
If I was to hire a professional white hat, would they just say "Yep...that's the only way; your network is pretty secure." ?
I'm hoping that won't be the answer because A) It's really fun learning Backtrack, Linux in general and networking - I don't want it to stop! B) I'm certain Backtrack can do much more.
I watched the 'Pentesting In The Real World' vid from the Offensive Security team and thought it was brilliant. Gaining access to the last machine, which actually didn't have a routable connection to the internet... yet access was gained! Very impressive stuff. Sadly I don't use an FTP or anything like that, so those types of SQL exploits (I think that's what they were) wouldn't be applicable to me. Maybe the idea in that video could be applied to router spoofing, as mentioned above? Also, SSH tunnelling interests me...
Anyway, if anyone could advise on what to try/learn next, that'd be great! I've stopped for a little bit now and want to continue learning!