Home page logo

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] First step of a pen-test
From: "Tonick, Mike" <Mike.Tonick () PS NET>
Date: Thu, 21 Sep 2000 17:00:45 -0500

I may be even more rusty than you...but, wouldn't the following be right?
sed 's/ /\\n/g'
-----Original Message-----
From: Dawes, Rogan [mailto:rdawes () DELOITTE CO ZA]
Sent: Thursday, September 21, 2000 2:00 AM
Subject: Re: First step of a pen-test

Try something like wget


$ wget -r -l 5 http://www.example.com (specify html files only, no images,
an appropriate level of recursion, etc)
$ find www.example.com/ -name \*.htm\* -type f -print | xargs cat |
"translate spaces to \n" | sort | uniq > wordlist

(My sed is rusty, but I guess "translate spaces to \n" could be somthing
like sed 's/ /\n/g' )

You will end up with a bunch of HTML tags, and URL's as well, but those you
can filter if you want to.


-----Original Message-----
From: Loschiavo, Dave [mailto:DLoschiavo () FRCC CC CA US]
Sent: Wednesday, September 20, 2000 8:27 PM
Subject: Re: [PEN-TEST] First step of a pen-test

With checking out the website being a first step...

Does anyone know if there is a tool that will comb through a
website to pull
nouns down into a dictionary file that you use for a
customized dictionary
attack specific to that company?

-----Original Message-----
From: Erik Tayler
Sent: 9/19/00 9:25 AM
Subject: Re: [PEN-TEST] First step of a pen-test

In my experience, the first step of a pen-test is the recon &
enumeration. Personally, I research the company, find out as much
information I can from their webpages, or from google
(employees, recent
acquisitions and the like). For example, if Company ABC recently
acquired Company DEF, they might have improperly assimilated Company
DEF's network architecture into their own, which might be a gateway of
sorts into penetrating Company ABC's systems. Gathering names of
employees and important persons from the web would be a good start for
the social engineering aspect of things. After that I would typically
map the network according to operating system, listening services, et
cetera. If routers/firewalls block the presence, planning of
some source
routing attacks would happen. One of the last steps [for me] is banner
grabbing, checking versions of listening services and such,
and finally
exploiting known [and sometimes unknown holes]. This process
varies from
person to person, whatever makes you comfortable.

Erik Tayler

"Christopher M. Bergeron" wrote:

What is the industry norm for _beginning_ a pen-test after the
contract has been made?  Would one first map the network?  Try to
war-dial the exchange for possible remote (pcanywhere, etc). access
machines?  VRFY email addresses to look for user logins?  Is
it typical
to ask for information about the network (ie. network architecture)
beforehand or do most pen-tests start "blindly" and do the network

Thanks to anyone who addresses even one of my many questions.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]