Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Help - Can I do an external pen-test in this network?
From: Joseph McCray <joe () learnsecurityonline com>
Date: Fri, 07 Mar 2008 19:49:38 -0500

Tushar, I'm really not trying to single you you (so please don't take
offense to what I'm about to say).

[quote]
I have just completed my classes of Penetration Testing and have been
asked to do a project.[end quote] <---- And now you are doing a test????

A few days ago I posted here about certification courses vs. having the
background (e.g. Admin-level OS experience, Admin-level Network
experience, a few years of programming, and the certs to back all of
that up). Once you have that background it'd be a good idea to do this a
few times with someone that is a pen-tester.

Ok - off my soapbox...too late now you've got a client to take care of.


Tips:

1. Client-side Attacks
It's fairly common now to have to use client-side exploitation to get
into a network. Ping-sweep, port scan, banner grab, gcc -o exploit
exploit.c type of hacking is pretty much dead....

Reference:
www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Caceres-up.pdf


2. Windows Command-line Tools
Whatever point and click hack tools you have - GET RID OF THEM!!!!!!!!!

Once you pop a shell you'll be sitting at a windows command prompt
inside the target company's LAN. Now you need to be able to move your
tools and exploits over too that compromised host. Watch out for
anti-virus as it will snatch up damn near every publicly available
hacking tool\exploit (e.g. netcat, popular .exe versions of exploits).

So it would be a good idea to re-compile your own versions of these
tools from source with minor (non-function affecting changes) so they
don't get picked up by AV.

Windows Tool Sites:
http://www.ntsecurity.nu/toolbox/
http://packetstormsecurity.org/Win/indexdate.html
http://www.nirsoft.net/utils/index.html
http://www.hammerofgod.com/download.html


3. Don't do anything stupid
Especially since this is your first test. 

DON'T USE AN EXPLOIT ON A PRODUCTION MACHINE THAT YOU'VE NEVER TRIED
BEFORE IN YOUR OWN LAB!!!!!!!!!!

Let me repeat that....

DON'T USE AN EXPLOIT ON A PRODUCTION MACHINE THAT YOU'VE NEVER TRIED
BEFORE IN YOUR OWN LAB!!!!!!!!!!

When I teach hacking classes I always tell a story about some pentesters
that were at a site and attempted a man-in-the-middle attack without
enabling IP forwarding so all of the redirected traffic could get to the
real default gateway. They took down the entire network, and got kicked
off site.




4. Properly Assessing your target

[QUOTE]
Internet -> router / modem provided by ISP (only static IP in
organization)-> Switch -> about 100 systems in internal network (pvt
IPs)
        
        blah blah blah blah

Is there anyway I can get into this organization by doing an external
pen-test. This is a small company into s/w development and uses only
messengers to communicate with the outside world / clients etc. No major
servers inside organization and none with pub IP address.[END QUOTE]


If you know they only have 1 public IP address with no publicly
available services running on it - Why are you port scanning it for
vulnerabilities?

Tushar - I don't know you from Adam, and I hope I'm not coming across as
being harsh or insulting, but you've stepped into a list where this type
of question seems to get asked here once a month by newbie testers. It's
the typical "I'm port scanning a PIX, Checkpoint, ISA Server, or
whatever firewall - how do I bypass it?" question. The question we
usually ask each other after this is posted on the list is "Where do
these people find clients?"

People rarely answer the firewall bypass question on this list because
if you really think about it - it's kind of a stupid question. If there
is an exploitable service that the firewall is allowing you to get to -
then you exploit the service (not the firewall) - and those types of
vulnerabilities are so rare these days that when you do find them on a
pentest - it's not a pentest anymore - it's INCIDENT RESPONSE because I
guarantee you that box is already compromised.


So Tushar - now I'm officially handing over to you the task of answering
it next month when another newbie that has just passed his CEH, CPTS,
SANS, BackTrack Course, or whatever it is this week.


-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe () learnsecurityonline com
Web:        https://www.learnsecurityonline.com


Learn Security Online, Inc.

* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access

"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 

        - Zig Ziglar

Attachment: signature.asc
Description: This is a digitally signed message part


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault