mailing list archives
Re: [PEN-TEST] First step of a pen-test
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 19 Sep 2000 11:42:14 -0500
The first step to any thorough penetration test is some indirect
information gathering. Search USENET/dogpile for @<target domain> to
find information about the employees and usernames.
Traceroute/Firewalk/Nmap their perimeter devices, try to guess SNMP
community strings on their border routers to get network configuration
details, and look for other links into their network. Search for their
UP addresses, oddly enough you can usually find a them in mailing list
archives and web stats pages. This should slowly build a clear picture
of how their network is laid out, what the internal infrastructure is
like (X-Mailer headers...), and help you start preparing your arsenal.
A Zero-Knowledge attack is ideal, as you will be working under the same
conditions as an unknown internet attacker. You do want to verify that
the addresses you are attacking actually belong to your client before
you start testing. An IP range and a list of hosts that are
mission-critical (tread lightly) should be enough to start you off.
War dialing may or may not be part of your pen-test, it really depends
on your agreement with the client.
"Christopher M. Bergeron" wrote:
What is the industry norm for _beginning_ a pen-test after the contract has been made? Would one first map the
network? Try to war-dial the exchange for possible remote (pcanywhere, etc). access machines? VRFY email addresses
to look for user logins? Is it typical to ask for information about the network (ie. network architecture)
beforehand or do most pen-tests start "blindly" and do the network reconnaissance.