
Thread: Penetration Test Diagram WebPage

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Penetration Test Diagram WebPage

    Rather interesting page...

    http://www.vulnerabilityassessment.c...on%20Test.html

    Kinda hard to see on my small laptop screen but seems rather broad in all the things you can do during a pen test.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Wow...what a great link..

    Thanks MsM

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Senior Member kr5kernel's Avatar
    Join Date
    Mar 2004
    Posts
    347
    That's pretty slick....now if I only had my plotter......
    kr5kernel
    (kr5kernel at hotmail dot com)
    Linux: Making Penguins Cool Since 1994.

  4. #4
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Awesome! Thanks much for providing the link MsM.

    This may actually help in a discussion we are having here. Someone in our audit organization has suggested that we (internal Audit) start performing "sample penetration testing" and rely on tests from our internal IT security organization as part of our sampling. Does that seem feasible? Objective? Logical? Let me know if I need to clarify.

    Thanks again MsM!
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Yes...it is a really nice list of the steps to perform a pen test or self audit

    ...for newbs in security...like me

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Wow, that site's rich. So much software, so little time. It begs the question, where does one start?

    Is it better to learn a basic set of security apps well, or throw yourself into ALL these ass't apps? Am I correct in assuming a pentest this extensive is conducted by a team of individuals?

    Also note the absence of "Cain & Abel".

    edit -- no "ettercap" either.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    Hey Hey,

    I'd have to say that while I'm partially impressed with the effort that went into this and the fact that it's centralized some information... I'm not overly impressed with the quality...

    Many of the steps listed are redundant... you'll be gathering the information for yourself time and time again... Some of the utilities in question are rather useless...

    Generally when you are performing a penetration test only one person knows of it.... The person who has authorized it... The remainder of the company is in the dark... part of the reason for this is that one of the things you want to see is how well your IT Staff identifies incoming threats and handles them... How they respond...

    If anyone ever hired a pen-test company to run a brute force attempt... I'd have to question them... an internal audit may test password complexity but a brute force... it ain't going to happen... Connecting to a server to grab the banner and then connecting again to use it... If their IDS watches for repeated connections to the same service all you are doing is bumping the counters up as the data has to only be returned once... When you connect to a service to use it.. the banner is returned.. even if you don't see it... That's what a sniffer is for... To see what is returned that you don't normally see..

    and p0f... I couldn't imagine waiting to passively fingerprint hosts once you're inside... and you'd have to already be inside the network... generally... especially in companies... you can determine the device type and sometimes OS by the naming convention and there's less obvious ways to do it... Or you could send out a few ICMPs and watch the responses... ICMPs are part of regular traffic quite often and would be much quicker to determine the hosts..

    Brokencrow: You're an interesting character... for someone who throws themselves around as a security heavy weight quite often in many other threads your questions show little to no knowledge... but you would never perform everything on this pentest chart... brute forcing wouldn't be done.. and a number of other things would not be done... as for the tools... it's a very small subset of what I consider "standard" tools... grab them all and play with them... no need to learn a basic set and move on.. they all do different things... You'll find practically all of these... and many more available on the Backtrack CD.... grab it and play...

    Peace,
    HT

  8. #8
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Interesting viewpoint HT. Before they officially move pen testing out of our department, I wanted to update our program, and was curious as to know what you would change on the layout from the link MsM provided? I have gone over various material here already on AO, and I also look to ISACA, SANS and a list of other resources, but I am always open to learn more. To badger a cliche, "I find the more I learn, the more I don't know." TIA.

    I still have to question the move my department is making with this. At this point, and I could be having my own personal issue here, but having IT pen test IT seems to be a conflict of interest. And for me and my cohorts needing to rely on those pen test results, I question the objectivity of it. Also, and believe me, I am not an expert, but it has taken years to develop us to cover the breadth of our enterprise, and I know these resources do not exist now in security, how will they handle this? However, as I stated, that could just be my own interests coming into play.

    MsM - please continue to share as well if you find more information on pen testing! Thanks!
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  9. #9
    Junior Member
    Join Date
    Apr 2006
    Posts
    14
    Very well said HTRegz.

  10. #10
    good!

    This schema is the nearest to penetration web reality. So, do other methods or other software exist? The schema is good.


    greetz
