Metasploit mailing list archives
The Perfect Pen Test? Your opinions?
From: metafan at intern0t.net (MaXe)
Date: Tue, 27 Jan 2009 09:44:43 +0100
I must agree with Tommy, however I have my own approach which I have
been able to improve more and more after gaining hands-on experience, but
also after reading papers like the OSSTMM (or whatever the name is) and the
NIST paper etc. Basically these kinds of papers are called
Penetration/Pentesting Frameworks, which are papers on how one could
perform a pentest.
Most of them cover most of the aspects, though there are some which
point more towards the tools section, like the NIST paper, while the OSSTMM
points more in the direction of what you might want to use yourself. I
believe that every person has his/her own way of performing a
penetration test, and isn't that why it is exciting to see someone other
than yourself perform one? :-)
Anyway, here is how I could perform an external pentest (in this
method, I only have a company name to start with):
* 1. Information Gathering Phase (find the company's website,
emails, employees (and their blogs etc) and anything else related)
* 2. Network Discovery Phase (find the internal and external
network(s) of the company if possible, with help from the
information above)
* 3. Service Discovery Phase (find all services belonging to the
company, thus the versions: ftp, http and so on.)
* 4. Vulnerability Match Phase (see if it is possible to find any
holes directly in the applications.)
* 5. HTTP-Vulnerability Phase (check out all http services belonging
to the company; check for everything ranging from SQL injection to
XSS.)
* 6. Gaining Access (see if it is possible to gain full or partial
access to their systems. Social Engineering might work.)
* 7. Escalation of Privileges (if partial access was gained,
escalate privileges in order to gain root.)
* 8. System/Network Browsing (find other nodes on the network if
possible, if so begin from service discovery phase or information
gathering phase.)
* 9. Gaining Internal Access (if it was possible to gain internal
access, then the job is almost done. If not, we will need to do it
here. This could be achieved with XSS, Trojans, Eavesdropping,
Phishing or by Cracking the wireless network if they have one.
Even Social Engineering can work in this phase.)
* 10. Backdooring Phase (put a rootkit or whatever I like, as long as it
isn't detectable. This isn't necessary for most companies.)
* 11. Removal of Traces (if needed, remove all traces possible.)
Of course this only shows how I _could_ perform a pentest, and I must say
that every pentest I've performed has been different. The reason is
quite simple: every network is different in some way; even if they have
the same equipment it might be set up completely differently, so that's
why I use different methods in each test.
The hardest thing for me to do when I perform internal vulnerability
assessments is to keep within the time limit (around 2 hours) and get as much
info as possible, which isn't that hard, though after knowing what's
running on the network one can always go one layer deeper and see what
the services are doing and if there is anything notable about them.
Anyway, I hope this enlightened you or someone else. Please don't flame
me for giving my personal opinion ;-)
Best Regards,
MaXe
PS: Yes, there are plenty of spelling and grammatical issues, I know.
My main/mother language is not English, as you might have guessed.
Mr Gabriel wrote:
Dear All,
Thanks for taking the time to read this message. First off, I'd like
to say to HD Moore and co: keep up the damn fine work, and also to
everyone on this list who helps others who have issues (and I mean
MSF-based issues, not "my wife left me because she caught me in
my PA" type issues :) ).
I've been trying for a long time to get my head around pen testing,
and for me it's not too much of a problem to understand; I usually
explain it in these four steps:
* Take a look around the network, to find as many end points as
possible
* Take a look at each end point to see what services are running
on which ports,
* Match the service, service version, port, and OS, to a known
vulnerability
* Make use of the vulnerability, hence, proving a security
breach/hole/issue
* (I know this is a fifth step, but you could also use fuzzing
if no prior known vulnerability exists)
Now, I've had numerous discussions with people who think there is
much more to pentesting than what I just stated, and my argument is
that, unless I already have a target in mind, how can I be more
specific? It was at that point I realised that people tend to have
personal approaches to a pen test rather than a general approach,
which leads me to my question: what would be your perfect pen test
approach? Personally, I think the steps I have outlined are the best
principle you can follow, but I will be delighted if someone could not
only prove me wrong, but improve on it :)
The scenario is as follows:
You are presented with an unknown network; you have no prior
knowledge other than the fact that it is an IPv4 based network. You
must prove that it has the potential to be compromised. What are your
steps?
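Steps 2 to 4 of MaXe's list and the second and third of Mr Gabriel's (enumerate services and versions, then match them to known weaknesses) are the part of either workflow that is mechanical enough to script. The following is a worked example added here by the editor; it is not code from either poster or from the Metasploit project. It parses the XML that nmap writes with -sV -oX (the host/address/ports/port/state/service layout with product and version attributes), keeps only open ports, and checks each detected version against a table of affected version ranges. The sample scan and the rule table are constructed placeholders for illustration, not a vulnerability database; a real run would load rules from a maintained feed and the XML from an actual scan. Services that match no rule are reported separately, since those are the candidates for the manual inspection or fuzzing both posters mention.

```python
"""Service discovery -> vulnerability match (added example, not from the thread).

Reads nmap XML output, keeps open ports with a detected product/version,
and compares each version against a rule table of affected version ranges.
Unmatched services are returned separately for manual review or fuzzing.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `nmap -sV -oX` output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.1p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.9"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open"/>
        <service name="http-proxy"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str
    product: Optional[str]
    version: Optional[str]


@dataclass(frozen=True)
class Rule:
    product: str              # case-insensitive substring of nmap's product string
    min_incl: Optional[str]   # lowest affected version; None = no lower bound
    max_excl: Optional[str]   # first fixed version; None = every later version
    note: str


# Constructed placeholder rules for the demo; not claims about real products.
RULES = [
    Rule("vsftpd", "2.3.4", "2.3.5", "placeholder: single affected release"),
    Rule("OpenSSH", None, "5.2", "placeholder: everything before 5.2"),
    Rule("Apache httpd", "2.2.0", "2.2.10", "placeholder: 2.2.x before 2.2.10"),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Order versions by their numeric runs: '5.1p1' -> (5, 1, 1).

    Letters are dropped, so 5.1p1 sorts after 5.1 and before 5.2.  A bare
    '2.2' sorts below '2.2.0' (tuple prefix rule); write rules accordingly.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def parse_nmap_xml(text: str) -> List[Service]:
    """Return every open port with whatever service detection nmap recorded."""
    root = ET.fromstring(text)
    services: List[Service] = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no attack surface here
            svc = port.find("service")
            services.append(Service(
                host=addr.get("addr"),
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                name=svc.get("name", "unknown") if svc is not None else "unknown",
                product=svc.get("product") if svc is not None else None,
                version=svc.get("version") if svc is not None else None,
            ))
    return services


def rule_matches(rule: Rule, svc: Service) -> bool:
    """True when the service's product/version falls inside the rule's range."""
    if not svc.product or not svc.version:
        return False  # no fingerprint, nothing to compare against
    if rule.product.lower() not in svc.product.lower():
        return False
    v = version_key(svc.version)
    if rule.min_incl is not None and v < version_key(rule.min_incl):
        return False
    if rule.max_excl is not None and v >= version_key(rule.max_excl):
        return False
    return True


def match_services(services: List[Service], rules: List[Rule]):
    """Split services into (matched, unmatched); matched pairs carry their rules."""
    matched, unmatched = [], []
    for svc in services:
        hits = [r for r in rules if rule_matches(r, svc)]
        (matched if hits else unmatched).append((svc, hits) if hits else svc)
    return matched, unmatched


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    hits, todo = match_services(found, RULES)
    for svc, rules in hits:
        for r in rules:
            print(f"{svc.host}:{svc.port}/{svc.proto} {svc.product} {svc.version} -> {r.note}")
    for svc in todo:
        print(f"{svc.host}:{svc.port}/{svc.proto} {svc.name}: no rule matched, review/fuzz manually")
```

The unmatched list is deliberately part of the output: a version that matches nothing is not evidence that the service is safe, only that the rule table has nothing to say about it, which is exactly where the fifth "fuzzing" step and MaXe's "go one layer deeper" belong.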