mailing list archives
Re: Pen-Testing New Server - Where to start?
From: krymson () gmail com
Date: 16 Nov 2007 16:07:08 -0000
Pen-testing a new system can be difficult, especially if there really are few holes in the system as configured.
I've found it best, for early teaching/learning to make sure you've built the system with known holes in it. Grab an
unpatched Windows XP SP1 box, and attempt to leverage exploits against it (such as Metasploit).
Better yet, get a vulnerable system or application from somewhere else. These will have known issues in them, but you
won't inherently know them because you didn't build the systems. This should get your feet wet enough to be able to
more intelligently tackle something "newer," like Ubuntu 6.06+.
www.de-ice.net has several live cd builds with known vulnerabilities. You'll have to sign up to download them, but I
think this is an excellent service.
DVL (www.damnvulnerablelinux.org) is also a purposefully vulnerable linux distro with various holes in it.
Foundstone Hacme (http://www.foundstone.com/us/resources-free-tools.asp) series is a bit more geared towards
applications, but can be useful.
<- snip ->
Hi, I'm new to the InfoSec industry and would like to try my hand at
penetration-testing (and securing) a new server I've set up at home.
Seeing as I've set up the system, I know all the usernames/passwords
used on the box, as well as how everything is set up, but I'd like to
approach this as an outside user, pretending that I have none of this
information. I want to try to gather information, form an attack plan,
and attempt to crack the system from scratch, so that I can later on go
back and secure the system against those attacks.