Optimizing time in a pen-test



Hello pen-testers,

I need advice on how to economize time in a pen-test. For instance, let's
imagine the following (exaggerated) scenario where you've got only 1-2
days to perform black-box testing over a very large enterprise subnet.
You don't have time to perform general scanning with
Nessus/nmap/whatever (think of a class-B network or some other huge
subnet; impossible to scan in one day, and moreover you'd have to add
more time to review/check scanning results... so it's prohibitive).

The question is: Which attacks/tools/options would you use and in which
order? Obviously you should only launch attacks where you'd expect
results in a brief time and/or you could launch several of them in
parallel (let's suppose you have only one laptop).

Some thoughts:
- I could only think of some very focused scanning (for instance, let's
look for machines with the VNC port open and then try to exploit the
known authentication-bypass bug).
- Scripting is essential (you should try to reduce manual probes). Do you
have some of these scripts you'd want to share?
- It's very important to focus on the kinds of attacks that are easier to
launch and more productive (at the same time). For instance, sniffing.
- Any recent vulnerability has a bigger chance of existing in the
enterprise. Do you have/use some scanning to test only some of these?
Which of them?
- Is it productive to try to exploit a buffer overflow? (Success
depends on many factors: program version, OS version/language, etc.)

I'm expecting answers such as:

"What I'd do is:
1.- Launch Cain and start sniffing. Let it work in the background and pass
to step 2.
2.- Launch an arp-scan (it's fast and easy). Try to imagine systems based
on the vendor's MAC.
3.- Monitor Cain's output. Manually test saved users/passwords.
4.- Look for the domain controller using xxxx tool. Launch "enum" to
enumerate users. Launch yyyyy tool for a simple brute force looking only
for: blank password and password equal to user.

... etc."

You're the experienced pen-testers and you know better than anybody which
attacks you always use with the best success/speed/effort ratio.
I'd like to hear your ideas. I think this could be an interesting
thread. Please, contribute! :)

Thank you.
