
Thread: Pen Test

  1. #1
    Junior Member
    Join Date
    Feb 2004
    Posts
    14

    Pen Test

    I'm looking to do a remote pen test on an active server of mine running Redhat 7.3. I was wondering if anyone could provide assistance on how to go about this by conducting the test myself. I was wondering if you knew any links and stuff to cover scanning and enumeration. Thanks
    "I'm gonna buy a gun and start a war
    If you can tell me something worth fighting for" - Rush of Blood To the Head

  2. #2
    There are several ways to Enumerate (check your spelling) an OS. Since you already know it is Red Hat 7.3 you can check out Bugtraq and know exactly what to look for. Foundstone's Hacking Exposed (TM) books devote entire chapters to tools and usage for enumeration. Although that shouldn't be necessary since it is your box and you know the OS and presumably what services are running.

    However, for a simple Pentest just use nessus:

    http://www.nessus.org/

    It will do it all for you and give you tips on how to fix it.
    "If you take a starving dog in off the street and make him prosperous he will not bite you, this is the principle difference between a dog and a man" - Mark Twain

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    I agree with gump. Nessus is a great tool for remote vul testing.

    However... don't do just remote... check your local too..

    I've found Tiger to be a great tool for this.

    TIGER is a set of Bourne shell scripts, C programs, and data files which are used to perform a security audit of Unix systems. The security audit results are useful both for system analysis (security auditing) and for real-time, host-based intrusion detection.
    http://freshmeat.net/projects/tiger-audit/

    I've found it to be very useful when securing a box...

    Download it from http://savannah.nongnu.org/download/tiger/

    SARA is also a great tool... however, it's a bit outdated?
    Still has useful info. Not quite as good as nessus though.
    http://www-arc.com/sara/sara.html

    Also, examine your services. There are vuln scanners based just on services... cgi scanners, http scanners, etc. Sometimes they will give you more detailed info.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings All:

    I have never understood the logic of people that do their own penetration tests.

    You set up a server to the best of your ability and the limits of your knowledge, then you examine it for vulnerability based on that same skill set and knowledge base? What is that supposed to accomplish?

    It would seem to me, if you're lacking proficiency in an area when you set up the server, you would lack the same proficiency in finding the error you made in the first place?

    Sure there are a bunch of point-and-click, or type-command-and-hit-enter vulnerability scanners available, but each checks for its own set of things. Again, for the most part you're only going to be checking for things that you know to look for.

    I've found it to be much more beneficial, when the need is not significant enough, or the budget isn't big enough, to have a professional do a penetration test, to simply have a friend or colleague that you trust do one for you.

    At the very least, you know that someone's looking at your system that has a different knowledge base about him or her, and that will be seeing things from a different perspective than your own.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Redemption. If you'd like, I can run a non DoS Nessus scan against your host. PM me with the details (IP, etc.)
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    JP, indeed that's true; for most pen tests you'd be much better off having a second or third person doing the audit. If you're patching up certain holes, I believe it's OK to do your own penetration test by using tools which exploit those holes. One thing that many users will do though, is run the tests from the same box that they're patching up. Correct me if I'm wrong, but wouldn't it be much more effective and productive running the tests from a computer outside the network? At least run the test from an outside computer first, then check for intrusion from inside the network.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Originally posted here by JP
    Greetings All:

    I have never understood the logic of people that do their own penetration tests.

    You set up a server to the best of your ability and the limits of your knowledge, then you examine it for vulnerability based on that same skill set and knowledge base? What is that supposed to accomplish?

    It would seem to me, if you're lacking proficiency in an area when you set up the server, you would lack the same proficiency in finding the error you made in the first place?

    Sure there are a bunch of point-and-click, or type-command-and-hit-enter vulnerability scanners available, but each checks for its own set of things. Again, for the most part you're only going to be checking for things that you know to look for.

    I've found it to be much more beneficial, when the need is not significant enough, or the budget isn't big enough, to have a professional do a penetration test, to simply have a friend or colleague that you trust do one for you.

    At the very least, you know that someone's looking at your system that has a different knowledge base about him or her, and that will be seeing things from a different perspective than your own.

    A few years back, this would be a valid argument/position. Today, there are so many tools that "do it all for you" that an in-depth understanding is no longer a requirement when doing pen testing. A perfect example of this is when auditors show up on-site with 100K worth of vulnerability assessment software yet none of them know what a PGP key is.

    While I am from the oldskool and truly believe that you should be an expert when doing these sorts of things, current industry conditions dictate otherwise.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Oh! oH! I wanna be old school!! I am looking into stuff so I can be l337 like horse :P. It's not very fun to pen-test by running someone else's little proggy.

    -Cheers-

  9. #9
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Originally posted here by JP
    Greetings All:

    I have never understood the logic of people that do their own penetration tests.
    I've found that before going to outside sources to do pen testing, doing it myself is most useful - Nessus told me several things I wasn't aware of and that then allowed me to take action before I 'phoned a friend'


    You set up a server to the best of your ability and the limits of your knowledge, then you examine it for vulnerability based on that same skill set and knowledge base? What is that supposed to accomplish?
    Actually, using the right tools it can accomplish a lot, since most are updateable to test for the latest exploits


    It would seem to me, if you're lacking proficiency in an area when you set up the server, you would lack the same proficiency in finding the error you made in the first place?

    Sure there are a bunch of point-and-click, or type-command-and-hit-enter vulnerability scanners available, but each checks for its own set of things. Again, for the most part you're only going to be checking for things that you know to look for.
    Not entirely accurate, JP.

    That's the beauty of using the automated tools - you are relying on the authors' proficiency in vulnerability testing, and the more tools you use, the more proficiency you will bring to bear. Better still, most tools (nessus esp.) will tell you about the problem and then either tell you how to resolve it, or point you in the direction of further info. Contrary to what you are suggesting, the use of these tools will actually improve your proficiency & knowledge.

    Using nessus pointed out a low risk problem with my SSH - First fixing the problem and then further reading had important benefits.

    1) I gained more knowledge, enough to use private keys for ssh authentication, disabling password authentication so that dictionary/brute force is not now a concern. I use a USB flash drive for physical security to store the key on.
    2) I wrote a basic tutorial on SSH here.
    3) Further research assisted me understanding SHFS and another tutorial here.


    I've found it to be much more beneficial, when the need is not significant enough, or the budget isn't big enough, to have a professional do a penetration test, to simply have a friend or colleague that you trust do one for you.
    I think I've heard it mentioned before that you should never perform vulnerability/pen testing without a contract.


    At the very least, you know that someone's looking at your system that has a different knowledge base about him or her, and that will be seeing things from a different perspective than your own.
    I don't want to knock the benefits of getting someone else to do the testing as well, but don't underestimate the value of doing it yourself.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
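As an added example (not code from this thread), here is a small Python check for the sshd hardening Steve describes: public-key authentication on, password authentication off. It reads the global section of an sshd_config the way sshd does (case-insensitive keywords, first value wins, `Match` blocks are conditional) and reports which of the wanted settings are in force; the sample config is constructed for illustration.

```python
"""Audit the global section of an OpenSSH sshd_config for key-only login.
Added example; the sample configuration below is constructed, not real."""
import re

# Keyword -> value we want in force (keywords compared lower-case).
WANTED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}

SAMPLE_CONFIG = """\
# constructed sample, not a real host's sshd_config
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication yes   # still on: dictionary attacks remain possible
PasswordAuthentication no    # ignored by sshd: the first value wins
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""

def parse_global_settings(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Mirrors sshd's rules: '#' starts a comment, keywords are case-insensitive,
    the first value seen for a keyword wins, and everything after the first
    'Match' line applies only to matching connections, so it is not read."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def audit(text):
    """Compare global settings with WANTED. Returns (keyword, status, value)
    tuples; status is 'ok', 'weak' (wrong value) or 'unset' (compiled-in
    default applies, which differs between OpenSSH versions, so check it)."""
    settings = parse_global_settings(text)
    findings = []
    for key, want in WANTED.items():
        have = settings.get(key)
        status = "unset" if have is None else ("ok" if have.lower() == want else "weak")
        findings.append((key, status, have))
    return findings
```

Run it against `/etc/ssh/sshd_config` and treat every `weak` or `unset` line as something to fix or confirm before relying on key-only access.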

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm inclined to agree with JP.... But only up to a point. I also agree with others that have taken issue with him too...... I'm a fence-sitter you see.....

    It really all comes down to skill/knowledge level. Even if you are not proficient in certain areas, if you have a level of knowledge that allows you to understand the potential threats and comprehend a deficiency and be able to mitigate it yourself, then doing a pen test yourself will probably result in you selecting various tools that you know will work in slightly different ways, that will cover the entire spectrum and will result in a thorough test of the exposed system. OTOH, if your base of knowledge is only sufficient to be able to set up your shiny new web server so that it serves pages to the public network then I side with JP. You simply aren't aware of the threats _and_ you don't know the tools that will enumerate them for you. Even if you get lucky and use a tool that enumerates a threat you probably don't understand it and are therefore less likely to be able to mitigate said threat.

    Best practice, (at least the versions of it I have read), indicates that a professional, independent security audit should take place when your systems first become exposed to the public network, every three years subsequent and any time significant changes take place in the general structure/stance of those exposed assets. In the two years between independent audits a thorough annual audit should be carried out by qualified IT staff.

    I recently altered significantly the stance of my exposed machines. Best practice says I should have spent the rather large quantity of cash to have an independent audit.... But I work for a non-profit...<sigh>... so I can't afford the big bucks required for that. So I took a two-pronged approach. I thoroughly audited my systems myself from the inside prior to opening the firewall to the boxes and immediately after. This was just to make sure that I hadn't made a mistake. Then I took Hoss up on his offer of a scan by him. I granted him permission in a proper fashion, laid out what was acceptable and what was not and let him go ahead. I'm far from a lawyer but the sanitized text below is what I wrote to him and I believe it covers both our rears.

    I, "Tiger Shark", (name replaced), Manager of Information Systems for xxxxxxxx company in Detroit, MI authorize you to run non-invasive and non-destructive scans using NMap, Nessus and any other non-destructive tools you wish to determine the systems and services that are accessible from the public internet on the server located at XXX.XX.XXX.XX only. Your scans and techniques are to be restricted to determining what is available, whether it could be exploited without actually carrying out the exploits themselves. Denial of Service, (DoS) attacks are not to be used be they of the bandwidth consumption methods, crashing/overworking exposed services or any other DoS against that IP address or any other IP you may find within the address block.
    When I asked Hoss for his assistance I was actually quite confident that he wasn't going to find anything I don't already know about. He didn't. But there is nothing quite like that warm fuzzy feeling you get knowing that you are right.....

    So you can "do it yourself", you can have competent friends do it and you can have high priced professionals do it too. When you get right down to it though you, and only you, determine the quality. If you don't know what is required in the first place you will end up getting it wrong or spending far too much and have too much "sold" to you by "professionals" who, in some cases, know how to talk a good game but their proficiency stops there... But you can't tell that if you don't know what is required and acceptable in the first place.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
