Penetration Testing

Re: Pentest Criteria

Thu, 09 Sep 2010 01:06:41 GMT

Posted by Pete Herzog on Sep 08

Wim,

You misunderstand. ISO isn't reviewing the OSSTMM 3 to better the
OSSTMM- they are doing it to see how it fits in the ISO family. The
PEER REVIEW of the OSSTMM happens by anyone who can and will review
it. We put out calls for reviewers and people show up to review it.
Most people never respond back but some do and we go on from there.
Some of the best reviews though come from people who just take that
which we put out there and start...

Re: Pentest Criteria

Thu, 09 Sep 2010 00:58:27 GMT

Posted by Wim Remes on Sep 08

Pete,

"OSSTMM 3 does exactly that. Currently it's being reviewed to either
include in the ISO27000 series or be its own ISO."

vs

"the "written manual" OSSTMM 3 does not exist yet.
It is merely a book still being written. "
"it's merely a concept."

can you explain how exactly an ISO committee is reviewing a "written manual" that does not exist yet ? And do you
believe more in the feedback...

Re: Attack Server

Thu, 09 Sep 2010 00:55:12 GMT

Posted by Terry M on Sep 08

Another good vm for pre-configured web apps is the OWASPBWA (it
includes DVWA). You might check that out.

http://code.google.com/p/owaspbwa/

-Terry

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full...

RE: Attack Server

Wed, 08 Sep 2010 19:02:38 GMT

Posted by Kettlewell, Nate (Kansas City) on Sep 08

I used VmWare ESXi, PfSense as the Internet-facing VM with OpenVPN for remote access, it has 3 virtual
NICs configured for Internet, Attack, and Victim network, with the attack VM's on one segment that can
access the Internet and the victim subnet, the victim VM's are isolated and can only talk to the
attacker subnet.

It's worked nice for me so far, and I can route my attack machines out to the real world for the
one-off audit.

Cheers,

Nate...

Re: Pentest Criteria

Wed, 08 Sep 2010 19:02:38 GMT

Posted by Pete Herzog on Sep 08

Ulisses,

Because it is. For one, OSSTMM 2.2 is there, free and available around
the world. I can Google for it and it's there and always has been.
Anybody can take it and read it and use it and distribute it.

Where I think you get confused is with OSSTMM 3. So I'll make this a
bit clearer for you- as far as the world is concerned, the "written
manual" OSSTMM 3 does not exist yet. It is merely a book still being
written. Much like...

Re: Attack Server

Wed, 08 Sep 2010 18:58:58 GMT

Posted by phillip () bailey st on Sep 08

Check this,

http://blog.metasploit.com/2010/05/introducing-metasploitable.html

Phillip

Re: Attack Server

Wed, 08 Sep 2010 18:55:50 GMT

Posted by TAS on Sep 08

Hey Kurt,

I end up responding to most of your emails :)

If you are also looking at setting up vulnerable web applications in the lab then have a look at a comprehensive list
complied at

Http://securitythoughts.wordpress.com

TASQ

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you...

Re: Attack Server

Wed, 08 Sep 2010 17:05:49 GMT

Posted by Robin Wood on Sep 08

I'd personally do it as separate machines. You don't want vulnerable
apps on your testing machines and to get some vulnerable apps working
you might need older libraries which stop new tools from working.

install everything into VMs, your attack machine into one then the
rest into others. That way you keep them distinct.

I've been at an airport and seen someone running Karma to try to lure
people to his machine but he had left some vulnerable...

Attack Server

Wed, 08 Sep 2010 16:07:14 GMT

Posted by Kurt M. John on Sep 08

Hey Guys,

I got another one for you. I'm looking to create a combination
attack/testing server. The idea here is to have a server than can
perform remote analysis and attacks (and perform such services as tftp).
The server will also double as a testing server. Ideally I'd like to
have a few VMs on there such as Damn Vulnerable Linux (for training) and
Windows Server 2003 (for fine-tuning attacks before launching it against
client systems)....

Re: WAF Testing..suggestions??

Wed, 08 Sep 2010 16:00:44 GMT

Posted by Dotzero on Sep 08

Joe McCray gave a presentation at DC18 that had a section on WAFs -
slides are available online
http://defcon.org/images/defcon-18/dc-18-presentations/McCray/DEFCON-18-McCray-Still-Got-Owned.pdf

WAF section starts at slide 22.

http://defcon.org/images/defcon-18/dc-18-presentations/McCray/DEFCON-18-McCray-Still-Got-Owned.pdf

------------------------------------------------------------------------
This list is sponsored by: Information Assurance...

Re: Pentest Criteria

Wed, 08 Sep 2010 15:53:49 GMT

Posted by Pete Herzog on Sep 08

Wim,

Your opinion is duly respected. I doubt I can say anything to you
which I haven't said before. OSSTMM 3 is not done. It's been a lot of
work. It's close to being done. Even I don't have a finished version.
I'm sorry.

But you know I disagree with you about open source. The OSSTMM is
"open source" because it doesn't hide the method inside some tool or
checklist. All concepts, ideas, processes, formulas and methods are
openly...

Re: Pentest Criteria

Wed, 08 Sep 2010 15:50:44 GMT

Posted by Wim Remes on Sep 08

Pete,

with all due respect but don't you think you have abused the open source predicament long enough for something that
will never be open nor free?
I know companies that got involved with v2, that invested in getting resources trained in v3, or the subset of it that
was available at the moment of the trianing, and now have the
outlook that they'll be pointing their customers to another ISO standard instead of an open source standard and....

Re: Released DllHijackAuditor v2 with New Debugger based Interception Engine

Wed, 08 Sep 2010 15:47:08 GMT

Posted by Nagareshwar Talekar on Sep 08

Welcome, Hopefully in the next version, we will support 64 bit as well.

Cheers
Nagareshwar

Re: Released DllHijackAuditor v2 with New Debugger based Interception Engine

Wed, 08 Sep 2010 15:43:16 GMT

Posted by Jacky Jack on Sep 08

Thanks for the update.
Support auditing on 64 bit applications is desired as nowadays' Home
users are on Vista/Seven.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT
and CEPT certs require a full practical examination in order to...

Released DllHijackAuditor v2 with New Debugger based Interception Engine

Wed, 08 Sep 2010 00:10:53 GMT

Posted by Nagareshwar Talekar on Sep 07

Hi,

The new version v2 of DllHijackAuditor is available now.
DllHijackAuditor is the FREE tool to audit against the recently
discovered Dll Hijack Vulnerability.

Current version brings in following changes
* Smart Debugger based 'Interception Engine' for consistent and
efficient performance without intrusion.
* Support for specifying as well as auditing of application with
custom & multiple Extensions.
* Timeout Configuration to...