Pen Testing..

Thread: Pen Testing..

  1. #1
    Senior Member
    Join Date
    May 2004
    Posts
    140

    Pen Testing..

    We are about to have someone do some external pen testing. I know it's this week, but my boss wants me to monitor activity on the firewall and syslogs and such. He wants me to discover the activity and come to him with it. I am obviously still in training on this stuff and would really appreciate anyone's advice on what I should be looking for and where I can find this info. Where are syslogs typically located?
    Romans 7:14-20
    14 We know that the law is spiritual; but I am unspiritual, sold as a slave to sin. 15 I do not understand what I do. For what I want to do I do not do, but what I hate I do. 16 And if I do what I do not want to do, I agree that the law is good. 17 As it is, it is no longer I myself who do it, but it is sin living in me. 18 I know that nothing good lives in me, that is, in my sinful nature. For I have the desire to do what is good, but I cannot carry it out.

  2. #2
    Quote: where are syslogs typically located?

    Control Panel -> Administrative Services -> Event Viewer, if you mean those.

    The firewall logs can usually be found in the firewall folder, and the firewall action history can also usually be viewed from the firewall itself!

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    What kind of firewalls are you using?

    I would really only call myself proficient with the PIX. But it's not that hard to do.

    Rather than type out the instructions, you can look it up here.

    As far as what you should be looking for: look for IP/port/ping scans coming in from the outside. Honestly, if you know what addresses you have that should be talking, and which direction they should be talking, you should identify it pretty easily.

    Common ports that people will try to exploit include (but are not limited to) 21, 22, 23, 25, 80, 110, 135, 136, 137, 138, 139, 443, and 445. I also see traffic directed at 5190 (the AIM port) and 8080 (commonly used by a bunch of stuff). Another trick they might use is sourcing their port from a different service. So if you see, say, an rlogin connection attempted on the SMTP port, something is amiss.

  4. #4
    Senior Member
    Join Date
    May 2004
    Posts
    140
    Thank you guys. It is a PIX.
    I know where Event Viewer is and how to view those logs; I guess I just don't know what I am looking at. But more along the lines of the firewall, I don't know what to look for and don't know where the syslogs get stored so I can look at them. I access the firewall through a GUI via HTTPS and the IP.

  5. #5
    What firewall do you use Jason? We can probably give you a more specific answer if we know which one you're using.

    /edit -- PIX, not familiar with that one, but ThreadKiller has the right advice. Watch for those log events he described in the PIX's log. Also, make sure you're blocking all incoming traffic from the outside, except from trusted sources, of course.

    You won't find much network-security-related information in the event log (correct me if I'm wrong, guys) because it pertains to logging errors within the computer, but you do need to make sure security auditing is active. That will log failed password attempts and other important events.

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    274
    Actually, AngelicKnight, you can log every single packet that passes through the PIX. I export mine to a Slackware 8.0 box where cron jobs run scripts against those logs and migrate it off-box to a machine in my office. Then more scripts parse that info against the Snort logs for interesting traffic. If something really weird is in there, I get an e-mail.

    Knowing what you're looking for though, that is the trick of it.
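    The kind of script ThreadKiller describes (syslog exported from the PIX to a Unix box, then parsed for the scans and source-port tricks from post #3 and the off-hours connections from post #7), as an added example that is not part of the thread or of any poster's setup. Everything in it is assumed: the hostname fw1, the access-group name, the message layouts (modelled on the %PIX-4-106023, %PIX-2-106001 and %PIX-6-302013 messages, which vary by PIX version, so adjust the regexes against your own log), the thresholds, and the sample log itself, which is constructed, not captured traffic. "Sourcing their port from a different service" is read here as an inbound connection that gets through with a well-known service port as its source port.

```python
"""Triage PIX syslog lines that were exported to a Unix host (hypothetical)."""
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic). 203.0.113.5 walks ports on one host,
# 198.51.100.7 sweeps port 445 across hosts, and 203.0.113.9 gets a connection
# through at 03:12 with source port 53 (a service port used as the source).
SAMPLE_LOG = """\
Jun 14 02:13:01 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40001 dst inside:192.0.2.10/21 by access-group "outside_in"
Jun 14 02:13:01 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40002 dst inside:192.0.2.10/22 by access-group "outside_in"
Jun 14 02:13:01 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40003 dst inside:192.0.2.10/23 by access-group "outside_in"
Jun 14 02:13:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40004 dst inside:192.0.2.10/135 by access-group "outside_in"
Jun 14 02:13:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40005 dst inside:192.0.2.10/139 by access-group "outside_in"
Jun 14 02:13:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40006 dst inside:192.0.2.10/445 by access-group "outside_in"
Jun 14 09:30:10 fw1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/3301 to 192.0.2.11/445 flags SYN on interface outside
Jun 14 09:30:10 fw1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/3302 to 192.0.2.12/445 flags SYN on interface outside
Jun 14 09:30:11 fw1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/3303 to 192.0.2.13/445 flags SYN on interface outside
Jun 14 09:30:11 fw1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/3304 to 192.0.2.14/445 flags SYN on interface outside
Jun 14 03:12:44 fw1 %PIX-6-302013: Built inbound TCP connection 8812 for outside:203.0.113.9/53 (203.0.113.9/53) to inside:192.0.2.25/25 (192.0.2.25/25)
Jun 14 11:02:00 fw1 %PIX-6-302013: Built inbound TCP connection 8901 for outside:192.0.2.200/51234 (192.0.2.200/51234) to inside:192.0.2.25/25 (192.0.2.25/25)
"""

# Syslog prefix: "Mon dd HH:MM:SS host " -- only the hour is kept for the off-hours check.
TS = r"^(?P<ts>\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2}) \S+ "
PATTERNS = [  # (regex, action); layouts are assumptions, check them against your PIX
    (re.compile(TS + r"%PIX-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
                     r" dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"), "deny"),
    (re.compile(TS + r"%PIX-\d-106001: Inbound (?P<proto>\w+) connection denied from"
                     r" (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"), "deny"),
    (re.compile(TS + r"%PIX-\d-302013: Built inbound (?P<proto>\w+) connection \d+ for"
                     r" \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \(\S+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"), "built"),
]

SCAN_PORTS = 5        # distinct destination ports on one host from one source
SWEEP_HOSTS = 3       # distinct hosts on one port from one source
OFF_HOURS = range(0, 6)   # local hours in which nobody should be connecting in


def parse_line(line):
    """Return one event dict for a line we understand, else None."""
    for rx, action in PATTERNS:
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {"hour": int(d["hour"]), "proto": d["proto"].lower(), "action": action,
                    "src": d["src"], "sport": int(d["sport"]),
                    "dst": d["dst"], "dport": int(d["dport"])}
    return None


def analyze(lines):
    """Return (kind, source_ip, detail) findings: scans, sweeps, odd source ports, off-hours."""
    events = [e for e in map(parse_line, lines) if e]
    ports_by_src_dst = defaultdict(set)    # (src, dst) -> ports probed (vertical scan)
    hosts_by_src_port = defaultdict(set)   # (src, port) -> hosts probed (horizontal sweep)
    findings = []
    for e in events:
        if e["action"] == "deny":
            ports_by_src_dst[(e["src"], e["dst"])].add(e["dport"])
            hosts_by_src_port[(e["src"], e["dport"])].add(e["dst"])
        else:  # a connection the firewall let through deserves the closer look
            if e["sport"] < 1024:  # service port as source: old "permit eq 53/20" style holes
                findings.append(("service-source-port", e["src"],
                                 f"sport {e['sport']} -> {e['dst']}:{e['dport']}"))
            if e["hour"] in OFF_HOURS:
                findings.append(("off-hours", e["src"],
                                 f"{e['hour']:02d}h -> {e['dst']}:{e['dport']}"))
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= SCAN_PORTS:
            findings.append(("port-scan", src, f"{len(ports)} ports on {dst}: {sorted(ports)}"))
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= SWEEP_HOSTS:
            findings.append(("host-sweep", src, f"port {port} on {len(hosts)} hosts"))
    return findings


def denied_port_counts(lines):
    """Which destination ports are being knocked on; compare with the list in post #3."""
    return Counter(e["dport"] for e in map(parse_line, lines) if e and e["action"] == "deny")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for kind, src, detail in analyze(lines):
        print(f"{kind:20} {src:16} {detail}")
    print("most-probed ports:", denied_port_counts(lines).most_common(3))
```

    Run it against a file instead of SAMPLE_LOG (`analyze(open("/var/log/pix.log"))`) from the cron job; the thresholds are deliberately low so the constructed sample trips them, and the "built" checks are the ones that matter most, since a denied probe is noise until something is actually allowed in.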

  7. #7
    Member
    Join Date
    Sep 2001
    Posts
    31
    I think you should be listening for connections at uncommon hours, TCP connections to ports that aren't used by your company, the load of the network versus THE REAL LOAD OF THE NETWORK (what services are being used, stuff like that), and also unsuccessful logins, from inside the firewall as well as from outside. If you need specific help, e-mail me: faith_in_death ARROBA hotmail DOT com
    we work in the dark - we give what we have - we do what we can - our doubt's our passion - our passion our task - the rest... is the madness of art.

  8. #8
    Senior Member
    Join Date
    May 2004
    Posts
    140
    We have WebTrends, but I don't know how it works.

  9. #9
    I'd rather be fishing
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Do you mean WebTrends Firewall Suite? If so, it's good for preparing reports on your firewall activity, but that is after the fact. You need something more 'real time'. Do you have any intrusion detection systems installed (e.g. Snort)?

    Cheers:
    DjM

  10. #10
    Member
    Join Date
    Sep 2001
    Posts
    31
    If I were you, I'd install some sniffer on the inputs. Ethereal is just great, but if you don't configure it well, you'll get tons of garbage. Also, check the proxy for monitoring options.
