Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Vulnerability assessment for small business
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Wed, 28 Sep 2005 16:06:38 +0100

Hi Bill,

-----Original Message-----
From: Billy Dodson [mailto:billy () pmicromart com]

When doing a vuln assessment for a small business (25 PC's, no server)
which is using a peer-to-peer windows network, how do you approach this?
Say the customer has a firewall...but they don't host any services.  All
of the PC's have local usernames and passwords that vary from machine to
machine.  There is no one single administrator account across the board,
and you have little time.  So you cant run many automated tools to check
patch levels and what not because you cant get remote access to the
registry.  There are no services to be tested from the outside.  Do you
manually go to each machine and test them individually?  Of course you
can run null scans on the LAN, but that is not going to provide the
depth you need.  Any ideas and pointers would be great.

You might just concentrate in 2 points: the firewall and the workstations.

For the firewall you might try the standard tests to try to map the rules
(which will actually be useful for the other tests).

Most workstations do have some ports open, even if they should not be
visible from the outside (e.g. ports 135, 137-139, 445 on Windows machines).
So, from the outside, you would just make sure this is true.

The main vulnerabilities for workstations that you could test for are their
ability to run things that shouldn't be supposed to run (i.e. malware). To
test this you should change the approach and see if things can run in these
machines and from there jump to the internet (through their firewall). The
best way to do this is to use some kind of Trojan horse that can establish
and test reverse connections.

You should really talk about this approach with your client and explain why
this is a critical vulnerable point in many network. By using a custom made
trojan horse you might be able to show your client that Antivirus and
similar technology is not quite effective against targeted attacks. Just
make sure that you made the TH yourself or have thoroughly (line per line)
reviewed and tested anything that you will be running on your client's

Also testing the security from inside their network (i.e. to see what a
malware that already was able to get in might be able to do) might be

Finally, you could also consider testing ways to install this TH in your
client's computers from the outside (e.g. social engineering with email
attachments) instead of just starting from the inside (you have to talk
about this with your client). But make sure you will be testing the TH (i.e.
if you can't find a way to get your TH into one of their machines in a
reasonable amount of time, document your findings, but do test the TH from
the inside with your client's consent).


Omar Herrera

Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]