Senior penetration testers - a few questions

  1. #1
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548

    Senior penetration testers - a few questions

    Hi,

    I know there have been questions like this before: "What tools do you use?" But, I'm trying to gather some information for a survey, so I would be interested in finding out some more recent information.

    Q. What are your favourite pen testing tools, which you would use in a standard pen test on a webserver?

    Only answer if you feel like it - I'm not locking myself down to gathering information from AO alone, but I'd like to know what you all use, whether professionally or as a hobby.

    I've also got another, slightly related question, which was inspired by some emails yesterday on the SecFocus Penetration Testing mailing list.

    Q. What method do you usually use to trigger an IDS?

    I know there is no de facto standard way of doing this, but I was wondering how each individual does it.

    Thanks,

    -jk
    TAZForum <---- click

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    1. Define scope of the pen test - Determine targets, time of test, departments involved, etc. I will assume this is a network pen test because app pen tests are a different animal altogether.
    2. Based on #1, tool selection and "talent" are assembled, but generally speaking, Nessus, NMAP, Nikto (set up to run with Nessus), IP Sorcery, OpenSTA and hping are part of all of my tests.
    3. Based on the type of IDS being used, different events will trigger different alerts. The question is too vague. That said, statistical and signature-based IDS systems both flip out when they see large amounts of half-open SYN scans. If that doesn't set off an IDS, rip it out and get a new one.

    Anyway, there are many things to consider other than what tools to use. Remember, you're approaching this as an outsider and you can use many, many things in the test. I also gather information from public information sources and such. The actual logical tools used are a small subset of an overall complicated and involved process. Don't simply rely on a few open source (or closed for that matter) tools to do a pen test.

    2 cents ala TheHorse13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
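The half-open SYN scan pattern from point 3 above, written out as an added detection example for this thread (not code from any poster or IDS product): it counts, per source, the connections that got a SYN but never the completing ACK, and alerts past a threshold. The packet records and the threshold of 20 are constructed assumptions.

```python
"""Toy detector for the half-open (SYN) scan pattern described in the post
above.  Illustrative code for this thread, not taken from any IDS product;
the packet log below is constructed, and the threshold is an assumption."""
from collections import defaultdict

# Constructed TCP packet log: (src_ip, dst_ip, dst_port, tcp_flags).
# A normal client completes the handshake (SYN, then ACK) on one or two ports.
# A half-open scanner sends a SYN to many ports and never sends the final ACK.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.80", 80, "SYN"),
    ("10.0.0.5", "10.0.0.80", 80, "ACK"),
    ("10.0.0.5", "10.0.0.80", 443, "SYN"),
    ("10.0.0.5", "10.0.0.80", 443, "ACK"),
] + [("192.0.2.77", "10.0.0.80", port, "SYN") for port in range(1, 41)]


def half_open_ports(packets):
    """Return {src_ip: set of (dst_ip, dst_port)} for which src_ip sent a SYN
    but no ACK from the same source followed, i.e. the handshake never finished."""
    syn_seen = defaultdict(set)
    acked = defaultdict(set)
    for src, dst, port, flags in packets:
        if flags == "SYN":
            syn_seen[src].add((dst, port))
        elif flags == "ACK":
            acked[src].add((dst, port))
    return {src: syn_seen[src] - acked[src] for src in syn_seen}


def detect_half_open_scans(packets, threshold=20):
    """Flag each source whose count of half-open (dst, port) pairs reaches the
    threshold; this is the statistical rule behind a SYN-scan alert.
    Returns {src_ip: number_of_half_open_connections} for flagged sources."""
    alerts = {}
    for src, targets in half_open_ports(packets).items():
        if len(targets) >= threshold:
            alerts[src] = len(targets)
    return alerts


if __name__ == "__main__":
    for src, count in detect_half_open_scans(SAMPLE_PACKETS).items():
        print(f"ALERT possible SYN scan from {src}: {count} half-open connections")
```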

  3. #3
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    Hi TH,

    I know the tools don't make up the full pen test - like you said, other aspects like background research and social engineering are vital parts of it. I was just wondering what you used tool-wise.

    Thanks for your post - helpful and some more statistics to add to the chart.

    Any others?
    TAZForum <---- click

  4. #4
    Right turn Clyde Nokia
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Horse - How do you rate LANGuard for use when pen testing?
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  5. #5
    oldie ric-o
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by J_K9
    Q. What are your favourite pen testing tools, which you would use in a standard pen test on a webserver?
    Like horse said, scope is critical. That said, tools I use...

    Achilles - browser proxy
    Internet Explorer
    Wikto (like Nikto but added functionality)
    N-Stealth (not free)
    E-or (web app scanner)
    WGET
    my hands

    Hope this helps.

  6. #6
    T3h Ch3F
    Join Date
    Sep 2001
    Posts
    718
    Originally posted here by ric-o
    Like horse said, scope is critical. That said, tools I use...

    Achilles - browser proxy
    Internet Explorer
    Wikto (like Nikto but added functionality)
    N-Stealth (not free)
    E-or (web app scanner)
    WGET
    my hands

    Hope this helps.

    Have you guys ever used ike-scan? Is it still a good utility?

    http://www.nta-monitor.com/index.htm
    Get some good religion from Bad Religion.

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Originally posted here by Nokia
    Horse - How do you rate LANGuard for use when pen testing?
    In the past GFI LanGuard proved to be slow and inaccurate. They have a new build out and although they gave me a free copy, I've yet to take it out of the wrapper. I'm not impressed with their product.

    Originally posted here by J_K9
    Thanks for your post - helpful and some more statistics to add to the chart.

    Any others?
    Sure, there are always others depending on what the scope and target of interest happens to be. For instance, if I'm looking to see if I've compromised a VM instance, I use a tool called "red pill".

    The tools I gave you are in my core toolbox. I use literally hundreds of tools depending upon intent.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Senior Member bAgZ
    Join Date
    Jul 2001
    Posts
    206
    For a web application audit try WebScarab; it's very good.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  9. #9
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    Thanks all for your help - I'd never even heard of red pill before - although it really is just a couple of (four) lines of code.

    But, let me approach this from another angle. Let's say you're hired by a small company, and you're taking a black box approach; you will eventually find out that the whole network is a router and several computers behind it, which are all in one workgroup. The router has a DMZ on port 80 to one of the computers (which is a webserver). In this hypothetical situation, what tools do you think you would have used to draw up this conclusion, and then to find holes in the network?

    Thanks for all your contributions so far - especially TH13.

    -jk
    TAZForum <---- click

  10. #10
    Dissident 4dm1n brokencrow
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Run nmap several times, using a variety of switches. -sV, -sS, -O, -P0, etc. Run it from inside and outside the network. That'll give you a good look at all the computers and what's open.

    Nessus will give you more detailed information on any vulnerabilities. Ettercap will help find the hosts on your network. I'm not up to speed on Nikto/Wikto, so can't help much there.

    Get on the webserver and test the DMZ. Some cheap routers have lousy DMZs that let you get back into the rest of the network. A good DMZ isolates that computer from the rest of the network. Some cheap routers have very ineffective DMZs. Smoothwall's DMZ, on the other hand, is very effective. So was Linksys's.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
