RE: Optimizing time in a pen-test



Salve,

If you really have to do such an assignment, I would try to talk the customer out of it, as he cannot expect quality results in such a short time.

But, this said, my steps would be:

1. Sniff a bit to check for AD and routers
1.a Start a trace test to see which internal networks are routed
1.b Find a means to locate the SAP/ERP/treasure trove (shoulder surfing, sniffing, redirecting single workstations, browsing the local intranet website, DNS AXFR or brute force)
2. Establish the network range of the treasure-trove systems
3. Scan, attack and take over all you can in this part of the net
4. Go for the Windows infrastructure, starting in the vicinity of the AD
5. See if the routers have a common numbering scheme; try to scan and attack all routers


That keeps you busy for the two days and should result in impressive findings, as the treasure trove can be expected to be unpatched, the routers hopefully run old images, and for the AD you need some luck, but the access token cache and MS0x-0XX will guide you to the domain admin's lair ;)

--
Kind regards

Christoph Puppe
Security Consultant


We secure your business.(TM)
_______________________________________________________

HiSolutions AG Phone: +49 30 533289-0
Bouchéstrasse 12 Fax: +49 30 533289-99
D-12435 Berlin Internet: http://www.hisolutions.com
_______________________________________________________

Minimum information for business e-mail correspondence under §37a HGB:

Registered office:
Berlin

Commercial register:
Amtsgericht Berlin Charlottenburg - HRB 80155

Management Board:
Torsten Heinrich, Timo Kob, Michael Langhoff

Chairman of the supervisory board:
Prof. Dr. Klaus Müller

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Pen Testing
Sent: Wednesday, 13 February 2008 21:37
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Optimizing time in a pen-test

Hello pen-testers,

I need advice on how to save time in a pen-test. For instance, let's
imagine the following (exaggerated) scenario where you've got only 1-2
days to perform black-box testing over a very large enterprise subnet.
You don't have time to perform a general scan with
Nessus/nmap/whatever (think of a class-B network or some other huge
subnet: impossible to scan in one day, and moreover you'd have to add
more time to review/check the scanning results... so it's prohibitive).

The question is: Which attacks/tools/options would you use, and in which
order? Obviously you should only launch attacks where you'd expect
results in a brief time and/or where you could launch several of them in
parallel (let's suppose you have only one laptop).

Some thoughts:
- I could only think of some very focused scanning (for instance, let's
look for machines with the VNC port open and then try to exploit the
known authentication-bypass bug).
- Scripting is essential (you should try to reduce manual probes). Do you
have some of these scripts you'd want to share?
- It's very important to focus on the kinds of attacks that are easier to
launch and more productive (at the same time). For instance, sniffing.
- Any recent vulnerability has a bigger chance of existing in the
enterprise. Do you have/use some scanning to test only for some of these?
Which of them?
- Is it productive to try to exploit a buffer overflow? (where success
depends on many factors: program version, OS version/language, etc.)

I'm expecting answers such as:

"What I'd do is:
1.- Launch Cain and start sniffing. Let it work in the background and pass
to step 2.
2.- Launch an arp-scan (it's fast and easy). Try to guess the systems based
on the vendor MACs.
3.- Monitor Cain's output. Manually test the saved users/passwords.
4.- Look for the domain controller using xxxx tool. Launch "enum" to
enumerate users. Launch yyyyy tool for a simple brute-force looking only
for blank passwords and passwords equal to the username.

... etc

You're the experienced pen-testers and you know better than anyone which
attacks you always use with the best success/speed/effort ratio.
I'd like to hear your ideas. I think this could be an interesting
thread. Please contribute! :)

Thank you.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
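Editor's added example, not code from either poster: both messages converge on the same triage (arp-scan the local segment and read the vendor MACs, find the domain controller, scan only a few ports such as VNC across the big range instead of a full Nessus/nmap sweep). The script below is one way to do that triage from a shell with nmap and arp-scan. The port selection, the nmap timing options and the sample tool outputs are my assumptions, not something the thread states; the sample outputs are constructed so the parsers can be run offline.

```sh
#!/bin/sh
# Time-boxed triage helpers (added example). Assumes nmap and arp-scan are
# installed; the FOCUS_PORTS choice is an assumption, not from the thread:
#   88/389 Kerberos+LDAP -> domain controller, 445 SMB -> Windows hosts,
#   5900 VNC -> the auth-bypass candidates, 23 telnet -> routers/switches.
FOCUS_PORTS="23,88,389,445,5900"

# Print the nmap command for one range. -oG - writes grepable output to
# stdout for the parsers below. -Pn skips host discovery so hosts that drop
# ICMP are not missed; on a sparse range drop it to save time.
# Usage: $(focus_scan_cmd 10.1.0.0/16) > scan.gnmap
focus_scan_cmd() {
    printf 'nmap -n -Pn --open -T4 --max-retries 1 --host-timeout 20s -p %s -oG - %s\n' \
        "$FOCUS_PORTS" "$1"
}

# stdin: nmap -oG output. stdout: "<ip> <port>" for every open TCP port.
# Grepable lines split on whitespace into tokens like 445/open/tcp//microsoft-ds///
open_ports_from_gnmap() {
    awk '/^Host:/ { ip = $2
                    for (i = 1; i <= NF; i++)
                        if ($i ~ /^[0-9]+\/open\/tcp\//) { split($i, f, "/"); print ip, f[1] } }'
}

# stdin: nmap -oG output. stdout: hosts with the given port open, one per line.
# Usage: hosts_with_port 5900 < scan.gnmap
hosts_with_port() {
    open_ports_from_gnmap | awk -v p="$1" '$2 == p { print $1 }' | sort -u
}

# stdin: nmap -oG output. stdout: hosts with both Kerberos (88) and LDAP (389)
# open, i.e. the domain controller candidates to enumerate first.
dc_candidates() {
    open_ports_from_gnmap | awk '$2 == 88 { k[$1] = 1 } $2 == 389 { l[$1] = 1 }
                                 END { for (h in k) if (h in l) print h }' | sort
}

# stdin: "arp-scan -l" output (tab-separated ip, mac, vendor). stdout: "<count> <vendor>",
# most common vendor first, so a cluster of router or VM vendors stands out.
arp_vendor_summary() {
    awk -F'\t' '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { c[$3]++ }
                END { for (v in c) print c[v], v }' | sort -rn
}

# Constructed sample of nmap -oG output (not a real scan). A closed entry is
# included to show the filter; with --open nmap would not print it.
sample_gnmap() {
    printf '# Nmap grepable output (constructed sample)\n'
    printf 'Host: 10.1.2.3 ()\tPorts: 445/open/tcp//microsoft-ds///, 5900/open/tcp//vnc///\n'
    printf 'Host: 10.1.2.4 ()\tPorts: 88/open/tcp//kerberos-sec///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///\n'
    printf 'Host: 10.1.2.5 ()\tStatus: Up\n'
    printf 'Host: 10.1.2.6 ()\tPorts: 23/open/tcp//telnet///, 445/closed/tcp//microsoft-ds///\n'
    printf '# Nmap done (constructed sample)\n'
}

# Constructed sample of "arp-scan -l" output (not a real capture; MACs made up).
sample_arpscan() {
    printf 'Interface: eth0, type: EN10MB, MAC: 00:11:22:33:44:55, IPv4: 10.1.2.99\n'
    printf 'Starting arp-scan (constructed sample)\n'
    printf '10.1.2.1\t00:1b:54:aa:bb:01\tCisco Systems, Inc\n'
    printf '10.1.2.2\t00:1b:54:aa:bb:02\tCisco Systems, Inc\n'
    printf '10.1.2.3\t00:0c:29:12:34:56\tVMware, Inc.\n'
    printf '3 packets received by filter, 0 packets dropped by kernel\n'
}

# Run with "demo" as the first argument to see the triage on the sample data.
if [ "${1:-}" = "demo" ]; then
    echo "scan command: $(focus_scan_cmd 10.1.0.0/16)"
    echo "vendors:";         sample_arpscan | arp_vendor_summary
    echo "DC candidates:";   sample_gnmap | dc_candidates
    echo "VNC candidates:";  sample_gnmap | hosts_with_port 5900
    echo "telnet (routers):"; sample_gnmap | hosts_with_port 23
fi
```

On a real engagement the only lines that change are the range passed to focus_scan_cmd and replacing sample_gnmap / sample_arpscan with the real output files; the DC list feeds the user enumeration and the blank/username-equals-password check from the original post, the VNC list feeds the auth-bypass check, and the telnet list is the starting point for the router numbering-scheme step in the reply.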




