Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Auditing / Logging
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 16 Jan 2004 20:01:16 -0500

If you want the function of a keylogger without having to worry about
software/OS compatibility, simply use a Key Katcher (www.keykatcher.com)
between your keyboard and computer.  Just be sure to sed out any
password/login combinations to your own stuff that you use.  Oh, one thing;
I don't think it'll work on Sun hardware.

-----Original Message-----
From: Don Parker [mailto:dparker () rigelksecurity com] 
Sent: Monday, January 12, 2004 6:18 PM
To: R. DuFresne; Don Parker
Cc: n30; security-basics () securityfocus com; pen-test () securityfocus com
Subject: Re: Auditing / Logging

Well, you raise a valid point as to the commands not being logged. 
Again I would prefer simplicity, so just install a keylogger. 
There is no need to overcomplicate things. Though a keylogger 
will not work 
on most *nix systems to my knowledge. Though all of this should be 
negotiated with the client prior to the pen test being done ie: what 
kinds of logs will be retained and the such. This is one thing which 
should be spelt out clearly prior to any pen test actually 
taking place.


Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc 
www.rigelksecurity.com ph :613.249.8340 fax:613.249.8319

On Jan 12, "R. DuFresne" <dufresne () sysinfo com> wrote:

On Mon, 12 Jan 2004, Don Parker wrote:

The simplest solution would be to simply log all activity using 
tcpdump in binary
format. This decreases the file size, is faster, and allows 
you to manipulate it after. 
You can also input this binary log into any protocol 
analyzer afterwards as well ie: 
ethereal, etherpeek nx and the such. 

Doing the above also gives you and your client a copy of 
exactly what 
it is you have
done during your pen test should there be any questions/complaints.

Which s great on the data being obtained, yyet fails to 
retain the nature of the exact command that retrieved the 
data, so make sure one either tee's allcommands to a file 
<date stamps can help here> or one runs script or something.  
This helps if one has data results that are similiar and they 
need to know which command applies to which data, as well as 
make it possible to dupe scenarios.


Ron DuFresne
        admin & senior security consultant:  sysinfo.com

"Cutting the space budget really restores my faith in 
humanity.  It eliminates dreams, goals, and ideals and lets 
us get straight to the business of hate, debauchery, and 
                -- Johnny Hart

testing, only testing, and damn good at it too!

Ethical Hacking at InfoSec Institute. Mention this ad and get 
$720 off any 
course! All of our class sizes are guaranteed to be 10 
students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, 
Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at <a 
ityfocus</a> to get $720 off 
any course!  



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]