Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: VmWare and Pen-test Learning
From: "Lee Lawson" <leejlawson () gmail com>
Date: Mon, 7 Aug 2006 09:01:22 +0100

Good information given there, but back to the thread.  Where does this
guy start to learn pen testing?

That is a question that is forever coming up in the pen testing/hacking forums:
how do I hack this box?
where do I start?

Leaving aside the pre-knowledge that is required to be 'competant' at
penetration testing (TCP/IP, routing, windows, unix, linux, web
coding, sql coding etc) where can we start you off without swamping
you with too much information?

Let's look at a methodology for testing.

Footprinting - Gathering publically available information from DNS
servers, whois databases, Google searches.

Scanning - Identifying active machines, determining what ports are
open and what services are running behind them and trying to
fingerprint the operating system to calculate the version and patch
level.

Enumeration - Obtaining information from the machines/networks without
having to authenticate (apart from some LDAP enumeration!), more
specifically: usernames, account details, shares, network settings
etc.

Vulnerability assessment - Automated scanning for 'known' weaknesses
in the operating system (RPC, ASN.1 etc) and applications (apache, IIS
etc) using tools like Nessus, Retina etc.  Following this up with some
manual verification to eradicate 'false positives'.

Penetration - Running an exploit to gain some kind remote access -
shell, vpn etc.  This is a step that many penetration testing firms do
not perform.  Not because they don't know how, but because many
clients do not want to accept the risk of systems becoming unavailable
after the exploit.

Embedding (can't think of a better word!) - extracting and cracking
passwords, uploading anti-forensics tools, installing backdoors,
installing rootkits etc.

That is enough for now, we don't need to talk about wireless,
databases, web applications etc as you haven't mentioned having them
on the target systems.

You will not need the first step, footprinting.  You are not connected
to the internet in a way that will reveal any useful information.  You
would need a registered domain name, public IP address etc.

So onto the second phase, scanning.  For this, the most popular tool
is nmap - network mapper.  It is a native *nix tool but there is an
adequate windows port.  I won't go into installing the tools as I
won't have time (consider a linux live CD distribution such as
BackTrack www.remote-exploit.org).

To ping a network range:
  nmap -sP 192.168.1.1-254
But systems that are configured to not respond to ping requests will
not appear on the list.

To search for TCP services:
  nmap -sT 192.168.1.1-254
This will scan for TCP services on all IP address on the given range.
nmap has a default port list that it will search for, the most common
(approx 1600) services.

If you want to search for ALL ports:
  nmap -sT -p 1-65535 192.168.1.1-254
The inclusion of the -p switch tells it what ports to scan for.

To search for UDP services:
  nmap -sU 192.168.1.1-254

To determine the vendor/version of a particular service you need to
scan a little deeper:
  nmap -sV -p 25,80 192.168.1.1-254
This will perform a version scan of the SMTP (25) and HTTP (80) services.

This is enough for now.  If somebody else would like to carry on with
some enumeration attacks (null sessions, LDAP, SNMP, FINGERD etc) I
think the thread starter would be grateful!!

Thanks,

On 8/7/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
<sbradcpa () pacbell net> wrote:
I'm not sure though that "RTM" is a valid test... especially for Windows
2000 for several reasons.

1.  Windows 2000 RTM is sooooo not supported that it's not funny... for
a firm to still be running Windows 2000 rtm in a setting that would
provide the means for remote exploitation...well they deserve to be
hacked.  Windows 2000 sp4 is the supported OS.
2.  Windows 2000 rtm'd in Feb of 2000 ...while you site the unicode
exploit of IIS 4.0... IIS 5.0 was known on the map for Code Red/Nimda...
http://www.caida.org/analysis/security/code-red/  In it's day you could
build a box and get nailed while installing the OS.   As you tried to
bring it online to patch it... it would get nailed in the process.
3.  A default installed Windows 2000 was in the era of "Hey, let's get
Mickey to try it!" and everything was running on that system ... IIS 5.0
was default installed on that Windows 2000 .. thus if you have a Windows
2000 RTM box sitting there with no firewall... well let me put it this
way...there was a time in the newsgroups in the 2k era that we'd tell
folks who came in with IIS non functional... "what rock did you crawl
out from under"?

http://www.microsoft.com/technet/security/bulletin/MS01-033.mspx

*I'm running Windows 2000 Server. Am I vulnerable?*
Default installations of Windows 2000 Server *are* vulnerable. IIS 5.0
installs by default as part of Windows 2000 server products, and Idq.dll
is installed as part of the IIS 5.0 installation process.

If you can't nail an RTM Windows 2000 in say... oh... what.. 5 minutes
or less?  I'd be surprised.  I'm not sure that's testing those pool
shots (and what is it with security and people who play pool?) and
exercising anything when that's sooooo vulnerable it's not funny.  You
don't even have to do anything.. just build it and stick it on the
internet.  What kind of pool shot is that?

Even Windows 2003... RTM means that pre blaster and no firewall to
protect that live nic as it comes up on the internet.

RTM of Windows 2003 was April of 2003

Blaster came out in August http://www.sbslinks.com/timeline.htm

RTM of Windows 2003 doesn't have a firewall enabled on boot and is
vulnerable to blaster. Stick that Windows 2k3 live on the web without a
firewall. See how long it lasts before getting nailed. Let us know.

I think SANS had a machine last like 30 minutes before being owned...
http://www.incidents.org/survivalhistory.php?isc=08a65cd9f99ef350d7fa82dbce2c6fc4


For the rest read this:
http://www.sans.org/top20/

....but remember... RTM is not only not secure...but may not be
supported.. Win2k sp4 is the supported version of Windows 2000.  ...
Win2k3 rtm (if my memory of life span is working) will go out when
Win2k3 sp2 is released ...given that they are talking beta of sp2 not
sure when that will occur.
http://support.microsoft.com/gp/lifesupsps#Servers

I would hope that if firms needed OS's like NT and prior versions of 2k
they'd be protecting those and isolating those as they are insecure and
are a risk to the rest of us as well.

Go to the metasploit site and see if some of the oldies but goodies are
there.  Any of the IIS5 stuff will work....
http://www.metasploit.com/projects/Framework/exploits.html




Erin Carroll wrote:
> Welcome to the pen-test world John.
>
> Now before everyone freaks out about why I let essentially a basic newbie
> question on the list here's why and what kind of responses I was hoping for:
> I like to play pool. But in order to get better I do lots of drills of
> simple shots over and over. Some people prefer to practice in other ways. In
> a similar vein, what types of exercises should John do to increase his
> skills and expand his knowledge? I know how I practice my pen-test skills to
> stay sharp but hearing some other methods people use might give me some
> ideas or other ways to tackle things.
>
> So, he's got Vmware and a couple of images to play with. What kinds of
> drills should he work on?
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>
>
>> -----Original Message-----
>> From: IRM [mailto:irm () iinet net au]
>> Sent: Sunday, August 06, 2006 1:58 AM
>> To: pen-test () securityfocus com
>> Subject: VmWare and Pen-test Learning
>>
>> Hi all,
>>
>> I would like to learn about Penetration testing or maybe
>> Vulnerability Assessment (?) or whatever it is called. I have
>> set up a few machines on VMWare - Windows 2000 Server,
>> Windows 2003 Server and Solaris 9.0. These machines are
>> unpatched with no updates or service pack.
>>
>> Basically what I would like to achieve in this task is to
>> demonstrate that these machine are not secured. Thus by using
>> a well-known exploit that are available in the public space ,
>> people can easily exploit the system and gain administrator
>> privilege either by Local exploit or Remote Exploit.
>>
>> Now, the question is that, where to start? Can people suggest
>> me where should I start?
>>
>> Should I start using Nessus and identify all the
>> vulnerabilities that are applicable on these machines? And
>> start to do some research on securityfocus.com i.e. to find
>> the exploit?
>>
>> Or maybe if there is a list of vulnerabilities for each of
>> the operating system, I think that would be great! Because I
>> know that Unicode Exploit on IIS 4.0 is quite famous at that
>> time. Is there similar thing on Windows 2003? Is there a list
>> available like TOP 10 Exploit or something?
>>
>> Cheers,
>> John
>>
>>
>>
>>
>>
>>
>> --------------------------------------------------------------
>> ----------------
>> This List Sponsored by: Cenzic
>>
>> Concerned about Web Application Security?
>> Why not go with the #1 solution - Cenzic, the only one to win
>> the Analyst's Choice Award from eWeek. As attacks through web
>> applications continue to rise, you need to proactively
>> protect your applications from hackers. Cenzic has the most
>> comprehensive solutions to meet your application security
>> penetration testing and vulnerability management needs. You
>> have an option to go with a managed service (Cenzic
>> ClickToSecure) or an enterprise software (Cenzic Hailstorm).
>> Download FREE whitepaper on how a managed service can help
>> you: http://www.cenzic.com/news_events/wpappsec.php
>> And, now for a limited time we can do a FREE audit for you to
>> confirm your results from other product. Contact us at
>> request () cenzic com for details.
>> --------------------------------------------------------------
>> ----------------
>>
>>
>> --
>> No virus found in this incoming message.
>> Checked by AVG Free Edition.
>> Version: 7.1.394 / Virus Database: 268.10.7/410 - Release
>> Date: 8/5/2006
>>
>>
>>
>
>

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------




--
Lee J Lawson
leejlawson () gmail com
leejlawson () hushmail com

"Give a man a fire, and he'll be warm for a day; set a man on fire,
and he'll be warm for the rest of his life."

"Quidquid latine dictum sit, altum sonatur."

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault