Page 2 of 2

Thread: Senior penetration testers - a few questions

#11 thehorse13 (Moderator, Washington D.C. area, joined Dec 2002)
    1) Enumerate open ports and draw a network map. As already stated, NMAP and Nessus can do this for you. The services running and their banners are an excellent starting point for building an attack strategy.
    2) Determine exactly how robust the router is by using tools like HPING and IP Sorcery to see how the router responds to various types of malformed packets. You may choke it at this point, so be careful. A smoked router will certainly draw attention.
    3) "FireWalk" the router to see exactly how the rules are set up. Typically you will find something at this stage because many people who write the rules don't do a good job. I've heard that NMAP has this capability now, but I have yet to try it out.
    4) Review your findings and develop an attack strategy. For the record, a DoS is not an appropriate attack strategy if you can't compromise the router.
    5) Conduct your attack.
    6) Document your results and present them to management/customer.

    Now, if I were able to get into the network and root a box, I would use additional tools such as ettercap or dsniff to gather even more information to continue forward in the penetration. However, before I even attempted that, I would do some basic traffic analysis to see if:
    a) I would impact network performance to the point of bringing down the network by using one of the aforementioned tools. Remember, you're going to route all network traffic through the rooted host. Be SURE that it can handle it.
    b) I would blind any monitoring devices, which may cause someone to start investigating. If an IDS suddenly stopped working or started reporting unusual information, someone will be looking into it before long.

    * This all assumes that the network is switched.

    Anyway, this is how I would conduct the technical part of the attack. If indeed this was a network that was accessible by the public, there would be several social engineering attacks to go along with this and perhaps even a physical one or two.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
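Step 1 of the post above, as an added example (this is not code from the post, nor from nmap itself): parse nmap's grepable (`-oG`) output into a per-host map of ports, services and banners, pull out the filtered ports that step 3 will want to probe, and note the open services that speak in the clear. The scan text in `SAMPLE_OG` is constructed for the example; the only format assumption is nmap's own `-oG` layout of tab-separated fields with seven slash-separated subfields per port entry (port/state/proto/owner/service/rpc/version).

```python
"""Parse nmap grepable (-oG) output into a per-host service map.

Added example, not from the original post. Assumes the standard -oG
line layout (tab-separated fields; each "Ports:" entry has seven
slash-separated subfields: port/state/proto/owner/service/rpc/version).
SAMPLE_OG below is constructed for this example, not a real scan.
"""
import re

SAMPLE_OG = (
    "# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29\n"
    "Host: 10.0.0.1 (gw.example.lan)\tStatus: Up\n"
    "Host: 10.0.0.1 (gw.example.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, "
    "23/open/tcp//telnet//Cisco router telnetd/, 80/filtered/tcp//http///"
    "\tIgnored State: closed (997)\n"
    "Host: 10.0.0.5 (web.example.lan)\tPorts: 80/open/tcp//http//Apache httpd 2.4.6/, "
    "443/open/tcp//ssl|http//Apache httpd 2.4.6/, 3306/open/tcp//mysql//MySQL 5.5.60/"
    "\tIgnored State: closed (997)\n"
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")

# Services that carry credentials or session data without encryption.
UNENCRYPTED = {"telnet", "ftp", "http", "pop3", "imap", "rlogin", "rsh"}


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [record, ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        # The same host appears on a "Status:" line and a "Ports:" line.
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Entries are comma separated; a version string containing a
            # comma would need nmap's own escaping rules, not handled here.
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                entry["ports"].append({
                    "port": int(port), "state": state, "proto": proto,
                    "service": service, "version": version,
                })
    return hosts


def ports_in_state(hosts, ip, state):
    return sorted(p["port"] for p in hosts[ip]["ports"] if p["state"] == state)


def open_ports(hosts, ip):
    return ports_in_state(hosts, ip, "open")


def filtered_ports(hosts, ip):
    """Filtered ports are where a rule is dropping probes: input for step 3."""
    return ports_in_state(hosts, ip, "filtered")


def unencrypted_services(hosts):
    """(ip, port, service) for open services that talk in the clear."""
    hits = []
    for ip in sorted(hosts):
        for p in hosts[ip]["ports"]:
            if p["state"] == "open" and p["service"] in UNENCRYPTED:
                hits.append((ip, p["port"], p["service"]))
    return hits


def render_map(hosts):
    """Plain-text network map: one block per host, one line per port."""
    lines = []
    for ip in sorted(hosts):
        lines.append(f"{ip} ({hosts[ip]['hostname'] or '-'})")
        for p in sorted(hosts[ip]["ports"], key=lambda p: p["port"]):
            banner = p["version"] or "(no banner)"
            lines.append(f"  {p['port']}/{p['proto']} {p['state']:<8} {p['service']:<10} {banner}")
    return "\n".join(lines)


if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_OG)
    print(render_map(hosts))
    for ip, port, svc in unencrypted_services(hosts):
        print(f"note: {ip}:{port} {svc} is unencrypted")
```

Feed it real output with `nmap -sV -oG scan.gnmap <targets>` and `parse_grepable(open("scan.gnmap").read())`. The version column is the banner the post refers to; the filtered list is the shortlist for the rule-mapping pass, and telnet on a router is exactly the kind of finding the map should make obvious.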
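Check (a) in the post above, as an added example (not code from the original post): before pointing a switched segment at a rooted host with ettercap or dsniff, estimate the traffic that host will have to forward. The flow records in `FLOWS` are constructed for the example. It assumes the gateway is ARP-poisoned for a chosen set of victim hosts, so only their off-subnet traffic is redirected, and that the rooted host has a single full-duplex NIC, on which every forwarded byte is received once and sent once.

```python
"""Estimate the traffic a MITM host would have to forward (check (a)).

Added example, not from the original post. Assumptions: the gateway is
ARP poisoned for the hosts in VICTIMS, so only victim <-> off-subnet
traffic is redirected; the rooted host has one full-duplex NIC, so
every forwarded byte is received once and transmitted once and the
total forwarded rate is the load on each direction of its link.
FLOWS is a constructed per-second flow summary (second, src, dst,
bytes), not a real capture.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")
VICTIMS = {"10.0.0.21", "10.0.0.22"}

FLOWS = [
    (0, "10.0.0.21", "93.184.216.34", 1_200_000),
    (0, "93.184.216.34", "10.0.0.21", 14_000_000),
    (0, "10.0.0.22", "10.0.0.5", 300_000),       # stays on the subnet
    (1, "10.0.0.21", "93.184.216.34", 900_000),
    (1, "93.184.216.34", "10.0.0.22", 6_000_000),
    (1, "10.0.0.23", "93.184.216.34", 200_000),  # not a poisoned host
    (2, "93.184.216.34", "10.0.0.21", 2_000_000),
]


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def redirected(src, dst, victims):
    """True if this flow would transit the MITM host under gateway poisoning."""
    return (src in victims and not is_local(dst)) or (dst in victims and not is_local(src))


def forwarded_per_second(flows, victims):
    """{second: {"in": bytes, "out": bytes}}; "out" is victim -> upstream."""
    buckets = defaultdict(lambda: {"in": 0, "out": 0})
    for sec, src, dst, nbytes in flows:
        if not redirected(src, dst, victims):
            continue
        direction = "out" if src in victims else "in"
        buckets[sec][direction] += nbytes
    return dict(buckets)


def peak_mbps(buckets):
    """Busiest single second, both directions summed, in megabits per second."""
    return max(b["in"] + b["out"] for b in buckets.values()) * 8 / 1e6


def can_handle(buckets, link_mbps, headroom=0.5):
    """Keep the peak under a fraction of line rate: the host forwards in
    software and must still carry its own traffic without visibly
    slowing the segment (which is what gets noticed)."""
    return peak_mbps(buckets) <= link_mbps * headroom


if __name__ == "__main__":
    b = forwarded_per_second(FLOWS, VICTIMS)
    print(f"peak forwarded: {peak_mbps(b):.1f} Mbit/s")
    for link in (100, 1000):
        print(f"{link} Mbit/s link: {'ok' if can_handle(b, link) else 'too much'}")
```

On the sample data the peak is 121.6 Mbit/s, which a 100 Mbit/s NIC cannot carry at all and a gigabit NIC carries within the 50% headroom. To populate `FLOWS` for a real segment, capture a few minutes from the rooted host before poisoning anything (a plain `tcpdump -nn` and per-second byte totals are enough) and pick the busiest window, not an average.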

#12 genXer (Senior Member, joined Jun 2005)
    On the tools discussion, in addition to the tools mentioned already, we also use Foundstone's SuperScan to enumerate ports ( http://www.foundstone.com/ - Resources->Free Tools).

    In addition, we have been working on developing our social engineering skills to test our help desk and the clients at various sites during a pen test.

    Application pen testing - we are working to come up with an effective methodology to test this area; as you can presume, and as TH13 already mentioned, it is quite a different animal to take down. We have been working through the databases right now and then attacking the OS/OE. Crude - but effective in a lot of cases. However - it still does not look at the application so much.

    WARNING - SIDE QUESTION TO FOLLOW:

    TH13 and any others willing to answer: In your pen test results and your report to management - do you explain your results in regards to what risk(s) are facing the organization based on your findings? Do your reports go to people outside of an IT organization? If so - do you have to word your reports, such that non-IT management can understand the business impact of the results of a penetration test, in regards to potential risk to that organization?
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

#13 Junior Member (joined Dec 2004)
    Like thehorse said, pen tests can be categorised into different types: Network, Application and System. Although Network and System might seem alike, they are actually not; maybe you could say they are inter-related.

    For a Network pen test, you need great knowledge of networking (protocols, layers, packets, standards...), not to mention a deep understanding of the architecture and of how the different layers and tiers communicate with each other. The tools you use gather information for you within the infrastructure; what you need to do is accumulate that information and make it useful to you (e.g. chart out the whole backbone architecture layout).

    In a System pen test, you focus more specifically on the system architecture itself. You need to get yourself familiar with the kernel, how the system handles processes, vulnerabilities, etc. Then you also need good documentation skills, like generating checklists, policies and guidelines (you never want to present a report that is generated directly from the pen test tools), and later stages might involve system hardening and patching.

    For an Application pen test, which is the direction I am moving in (as well as the area with the biggest lack of expertise in the market): basically you need to know programming inside and out (not all languages, but the most common ones), you need to understand how APIs call each other (from the web, app or DB tier), you need to do code review and walk-throughs, and you need to understand web services technology (WebLogic, WebSphere, Ant, Tomcat...) if it involves a banking or e-commerce system.

    Lastly, it also depends on the nature of what you are dealing with: what basis the solution you are pen testing is built on. Likewise, you also need to get yourself involved in software-based (encryption: SSL, IPSec, 3DES, VPN, SSH, etc.) and hardware-based (firewall, IPS, token, smart card, HSM, etc.) security products.

    Oops, damn... it's like I'm writing a guide to choosing pen tester as your career~~~

    Well, for the tools I use, basically I choose the 1 or 2 best in a particular area and focus on them. For instance, to perform a traceroute I will just use Scapy, etc. Besides that I use a combination of virtual machines, Live CDs and other commercial tools like Core Impact, Nessus, SATAN, etc.

    But most of the time I rely more on the tools/environment I developed myself, like building a fuzzing framework, keeping an updated repository of the latest exploits and flying through the test.

    I'm not an expert; this is all based on my previous experience, so I might be wrong, or the method I use might not be suitable for you ^_^
    --=|2 be da happy children 0f da Mother Nature, 2 be da Best among da Best!|=--

    Any sufficiently advanced technology is indistinguishable from magic. - Arthur C. Clarke

#14 thehorse13 (Moderator)
    Originally posted by genXer
    do you explain your results in regards to what risk(s) are facing the organization based on your findings? Do your reports go to people outside of an IT organization? If so - do you have to word your reports, such that non-IT management can understand the business impact of the results of a penetration test, in regards to potential risk to that organization?
    The purpose of our pen tests is:
    1) To assess risk - what could happen, how likely is it, how bad can it be, how accurate are my responses to the first three questions. Then place a dollar value on it.
    2) IT management receives the report, along with the management of the business unit that is affected and C-level personnel.
    3) We produce a single report that begins with an executive summary and follows with technical details.

    --TH13

#15 genXer
    Cool - thanks Sky_Angus and TH13! That is what I needed... well that and another vacation on the beach - but I'll takes what I can gets. It confirms what I already know - it's just that we have had some difficulty explaining the actual impact to the business from vulnerabilities or attack vectors discovered from a pen test; usually to non-IT management - ok - they're finance management. Your explanations will help me better frame my responses when asked "So you can compromise a server - so what?"

    Thanks again!
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

#16 thehorse13 (Moderator)
    Translating risks to business units is a skill. The best thing to do is to attempt to use some type of quantitative measure, typically in the form of value or the loss thereof, or perhaps a qualitative form, i.e., negative perceptions, etc. I find a good mix of both does the trick.

#17 Spekter1080 (Senior Member, Iowa, joined Oct 2005)
    would someone kindly point out what a pen test is? I might know the concept without knowing the vocabulary...
    there's always a way in...

#18 Spekter1080
    Originally posted here by Spekter1080
    would someone kindly point out what a pen test is? I might know the concept without knowing the vocabulary...
    ignore my last statement, I didn't read the 2nd page...*feels like a newbie*....I think I know what you guys are talking about now...lol
