Thread: Need to write an audit checklist for penetration testing...

  1. #1
    Senior Member
    Join Date
    Jan 2005
    Posts
    100

    Need to write an audit checklist for penetration testing...

    Hello,

    Part of my work includes penetration testing. While I know there are methodologies out there already, I wanted to base my audit checklist off of a hacker methodology (specifically one from Foundstone) and for that I wanted to post that methodology here and then ask for comments about how to take that hacker methodology and turn that into an audit checklist - like including what to report back to the client, what, if anything, should be harvested as evidence and the like.

    Before I do that however, I wanted to get a general feel from the community in general about doing something like that so that I would not get negged from here to Jupiter, well at least negged to Mars.

    Thanks in advance for your insight on this.
    "An ant may well destroy a whole dam." - Chinese Proverb
    "Not only can water float a craft, it can sink it also." - Chinese Proverb

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    If your information is useful and not just another 1/2 baked "tutorial" I'm sure it will be fine.
    Oh, avoid dipshit hacker speak as a bonus... Be sure to use real words..

    Posting a small example of content you are worried about might be helpful to those who care to comment..

  3. #3
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Ok. Not looking to post a tutorial, rather a checklist for something I want to deploy for myself and other IT auditors. I was thinking that trying to follow a type of hacker methodology might work best to try and show our auditees what possible risks they are exposing our company to. I would have the methodology and then within each step of the methodology, the controls to look for in each OS we support. Before posting the whole thing, this is the thought I had:

    Example of adapting a hacker methodology to an IT audit checklist.

    Note that step 1A will be taken care of through a survey we send to the auditee - meaning they know we are coming, which we want:

    0. OS/OE to include: RH Linux, WINNT, W2K, W2K3
    1. Footprint
    A. Site contacts, server/workstation, IP ranges, domains (if applicable). Check computer survey
    B. Review auditee's HTML, if applicable.
    B. Review HTML for additional information, if applicable
    C. Check public sites for information about our company(?)
    (1) Google ( http://www.google.com )
    (2) Netcraft ( http://www.netcraft.com )
    (3) Big Brother ( http://www.bb4.com )
    D. Check to see if reverse DNS lookup is enabled - does it need to be?
    (1) Explanation on how to check for zone transfers...
    E. Check to see


    ...

    Actually - before I go on, I think I cannot use this type of methodology for an internal audit. I am going back to the drawing board as I just remembered some SANS training I had as well, and I will combine the above Foundstone ideas with the SANS and just post for comments and see what shakes loose.

    Thanks anyway.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi KuiXing-2005

    I hate to volunteer others' services but try sending a PM to catch and cacosapo... tell them I suggested it

    There are several others but those are the ones I would start with, as they are both professional consultants and will certainly be able to point you in the right direction.


  5. #5
    Senior Member
    Join Date
    Jan 2005
    Posts
    100
    Thanks much nihil! Will do.

    Also - part of what I was going to include in my checklist (and I will also run this by catch and cacosapo) is the following from SANS:

    When conducting an IT audit don't rely solely on automated tools, rather employ the following strategy:

    1. Automated scanning tools
    2. Time at the console with the administrator(s)
    3. Interviews

    Now SANS states that with 2 and 3 above, you would get more information than just using the scanning tools alone. So far in my experience, I would say that is possible, but it depends on 1) interviews: your interview style and the willingness/comfort level of the interviewee 2) console: know what you are looking for.

    Anywho - thanks again.
