Re: [PEN-TEST] First step of a pen-test
From: H Carvey <keydet89 () YAHOO COM>
Date: Wed, 20 Sep 2000 10:11:39 -0000
> What is the industry norm for _beginning_ a
> pen-test after the contract has been made?

As others have said, it depends upon the scope of the work. I prefer an internal (in-house) assessment, as it uncovers much more than a pen

However, if the pen-test is what's called for, you need to develop a footprint of the system you're dealing with. Keep in mind...there really is no such thing as an "industry norm". Certain factors come into play, such as the scope of the contract (very important!!), what info you're

Generally, the way I like to start my footprinting is with a multi-phase approach. In the first phase, collect info from sources other than the target itself...Mark mentioned WHOIS and SEC/EDGAR searches. This is a good way to get things like names, email addresses, phone numbers, addresses (some of which can be useful if social engineering is called for). If you have access to a Lexis/Nexis account, you can find a lot out about the company, as well.

Search media sources for names of key individuals, and references to what the target's business is...what they do.

Do searches of public online databases...DogPile, Deja, etc. If you have a domain name ("example.com"), look for Usenet entries or even Web pages that contain "@example.com" or even any of the email addresses you've already collected.

A good example is that the biotech industry has a web site based in the UK for trading company gossip back and forth. Many posts contain valid

Another example is that on 11 Nov '98, a telecom company had a huge rollout...big full-page ads in the papers as well as major space in Times Square and the subways of NY. That day, someone posted on a telecom newsgroup asking what the company was up to...the responses that followed contained detailed info, such as domain zone transfers, identification of multiple ISPs servicing the organization...all very useful to an attacker. Later searches also revealed that the person maintaining an online billing system was having trouble, and posted (from his company account) a complete description of the entire billing platform...machines, how many, what OSes and

The point is that you can find a lot out about an organization without ever sending a packet anywhere near their systems.

Once you develop a profile in accordance with the contract (based on provided info, time, etc.) you may then decide to move on toward active probing of the network. Start small/slow...use nmap to perform stealth scans of only limited ranges of ports. Attempt to identify systems by function, or some other criteria. Once you have an idea of what types of machines you're dealing with, focus your attempts to gain access based on the system. Too many times you'll see someone just identify a range of IP addresses and plug them into ISS w/ a full profile. Not elegant at all...very noisy...

Once you identify systems, you're well on your

Just my $0.02...
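The post contrasts a noisy "plug a whole range into a scanner" approach with slow, limited-port probing. From the defender's side, both kinds leave a trail in firewall deny logs; what differs is how long a window you need to look across to see it. The script below is an added example written for this page, not code from the original post or from any of the tools it mentions. It assumes a constructed, hypothetical log format (`<epoch> DENY <src_ip> -> <dst_ip>:<port>`) and sample lines embedded inline; the detector groups denied connections per source and, within a sliding time window, flags sources that touch many distinct ports on one host (vertical scan) or one port across many hosts (horizontal sweep). Running it with the default 10-minute window catches the fast scan and the sweep but not the slow probe; widening the window (and lowering the port threshold) catches the slow one too, which is the tuning point a SOC would care about.

```python
"""Sliding-window scan detector over constructed firewall deny logs.

Added example for this page, not code from the original post. The log
format below is hypothetical (not any specific firewall's export format):
    "<epoch_seconds> DENY <src_ip> -> <dst_ip>:<dst_port>"
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+)\s+DENY\s+(\S+)\s+->\s+(\S+):(\d+)$")


def parse_line(line):
    """Parse one log line into (ts, src, dst, port); return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return int(ts), src, dst, int(port)


def detect_scanners(lines, window=600, port_threshold=10, host_threshold=5):
    """Return {src_ip: reason} for sources whose denied connections look like scans.

    A source is flagged when, within any span of `window` seconds starting at one
    of its own events, it reaches >= port_threshold distinct ports on a single
    host (vertical scan) or >= host_threshold distinct hosts on a single port
    (horizontal sweep). Lines that do not parse are ignored.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev[1]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort()  # chronological order; tuples sort by timestamp first
        for i, (start, _, _, _) in enumerate(events):
            ports_by_host = defaultdict(set)
            hosts_by_port = defaultdict(set)
            for ts, _, dst, port in events[i:]:
                if ts - start > window:
                    break  # events are sorted, so nothing later fits this window
                ports_by_host[dst].add(port)
                hosts_by_port[port].add(dst)
            for dst, ports in ports_by_host.items():
                if len(ports) >= port_threshold:
                    findings[src] = f"{len(ports)} distinct ports on {dst} within {window}s"
                    break
            else:
                for port, hosts in hosts_by_port.items():
                    if len(hosts) >= host_threshold:
                        findings[src] = f"port {port} on {len(hosts)} hosts within {window}s"
                        break
            if src in findings:
                break  # one finding per source is enough
    return findings


# Constructed sample log (not real traffic). Documentation-range addresses.
BASE = 1_600_000_000
SAMPLE_LOG = (
    # noisy vertical scan: 20 ports on one host in 20 seconds
    [f"{BASE + i} DENY 10.0.0.5 -> 192.0.2.10:{i + 1}" for i in range(20)]
    # slow, limited probe: 8 common ports on one host, one every 15 minutes
    + [f"{BASE + 900 * i} DENY 10.0.0.7 -> 192.0.2.11:{p}"
       for i, p in enumerate([21, 22, 25, 80, 110, 143, 443, 3389])]
    # horizontal sweep: port 80 on six hosts within a minute
    + [f"{BASE + 10 * i} DENY 10.0.0.9 -> 192.0.2.{20 + i}:80" for i in range(6)]
    # one stray denied connection and one unparsable line
    + [f"{BASE + 5} DENY 10.0.0.3 -> 192.0.2.10:443",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    print("default window (600s):")
    for src, why in sorted(detect_scanners(SAMPLE_LOG).items()):
        print(f"  {src}: {why}")
    print("two-hour window, port threshold 8:")
    for src, why in sorted(detect_scanners(SAMPLE_LOG, window=7200, port_threshold=8).items()):
        print(f"  {src}: {why}")
```

With the defaults, 10.0.0.5 and 10.0.0.9 are reported and 10.0.0.7 is not, because each 10-minute window holds only one of its probes; the second run, with a 2-hour window and a threshold of 8 ports, reports 10.0.0.7 as well. The trade-off is the usual one: longer windows and lower thresholds catch slower probing at the cost of more false positives from legitimately chatty hosts, so the thresholds should be set against a baseline of the network's normal denied traffic.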