-
March 17th, 2006, 09:53 PM
#1
Senior penetration testers - a few questions
Hi,
I know there have been questions like this before: "What tools do you use?" But, I'm trying to gather some information for a survey, so I would be interested in finding out some more recent information.
Q. What are your favourite pen testing tools, which you would use in a standard pen test on a webserver?
Only answer if you feel like it - I'm not locking myself down to gathering information from AO alone, but I'd like to know what you all use, whether professionally or as a hobby.
I've also got another, slightly related question, which was inspired by some emails yesterday on the SecFocus Penetration Testing mailing list.
Q. What method do you usually use to trigger an IDS?
I know there is no de facto standard way of doing this, but I was wondering how each individual does it.
Thanks,
-jk
-
March 17th, 2006, 10:30 PM
#2
1. Define scope of the pen test - Determine targets, time of test, departments involved, etc. I will assume this is a network pen test because app pen tests are a different animal altogether.
2. Based on #1, tool selection and "talent" are assembled, but generally speaking, Nessus, NMAP, nikto (set up to run with Nessus), ip sorcery, Open STA and HPING are part of all of my tests.
3. Based on the type of IDS being used, different events will trigger different alerts. The question is too vague. That said, statistical and signature-based IDS systems both flip out when they see large amounts of half-open SYN scans. If that doesn't set off an IDS, rip it out and get a new one.
Anyway, there are many things to consider other than what tools to use. Remember, you're approaching this as an outsider and you can use many, many things in the test. I also gather information from public information sources and such. The actual logical tools used are a small subset of an overall complicated and involved process. Don't simply rely on a few open source (or closed for that matter) tools to do a pen test.
2 cents ala TheHorse13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
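Post #2's point that a half-open SYN scan is the one thing any IDS should catch is easy to show on the detection side. The following is an added example, not code from any poster in this thread: a small detector that reads constructed firewall-style log lines (one packet per line, a format that is an assumption here) and flags a source whose SYNs to many distinct ports are never followed by an ACK from that source.

```python
"""Half-open (SYN) scan detector over constructed firewall-style log lines.

Added example for this thread, not code from any poster. The one-packet-
per-line log format (timestamp, src, dst, dport, TCP flags) is an
assumption; adapt parse_line() to a real firewall or NetFlow export.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample. 10.0.0.5 completes a normal handshake to port 80;
# 10.0.0.7 has one unanswered SYN (below threshold); 10.0.0.66 sends SYNs
# to eight ports within a few seconds and never follows up with an ACK.
SAMPLE_LOG = """\
2006-03-17T22:30:00 src=10.0.0.5 dst=192.168.1.10 dport=80 flags=S
2006-03-17T22:30:00 src=10.0.0.5 dst=192.168.1.10 dport=80 flags=A
2006-03-17T22:30:02 src=10.0.0.7 dst=192.168.1.10 dport=443 flags=S
2006-03-17T22:30:05 src=10.0.0.66 dst=192.168.1.10 dport=21 flags=S
2006-03-17T22:30:05 src=10.0.0.66 dst=192.168.1.10 dport=22 flags=S
2006-03-17T22:30:05 src=10.0.0.66 dst=192.168.1.10 dport=23 flags=S
2006-03-17T22:30:06 src=10.0.0.66 dst=192.168.1.10 dport=25 flags=S
2006-03-17T22:30:06 src=10.0.0.66 dst=192.168.1.10 dport=80 flags=S
2006-03-17T22:30:06 src=10.0.0.66 dst=192.168.1.10 dport=110 flags=S
2006-03-17T22:30:07 src=10.0.0.66 dst=192.168.1.10 dport=139 flags=S
2006-03-17T22:30:07 src=10.0.0.66 dst=192.168.1.10 dport=443 flags=S
"""


def parse_line(line):
    """Turn one log line into a dict; raises on malformed input."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "flags": fields["flags"],
    }


def find_half_open_scanners(log_text, threshold=5, window_s=10):
    """Return {src: [ports]} for sources whose half-open SYNs to at least
    `threshold` distinct ports all fall inside a `window_s` second span.

    A SYN is "half-open" when the same src never sends a packet carrying
    the ACK flag to the same dst:dport afterwards. The window check is a
    whole-span check, not a sliding window, to keep the example short.
    """
    first_syn = {}       # (src, dst, dport) -> time of first SYN
    completed = set()    # (src, dst, dport) tuples that later saw an ACK
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            first_syn.setdefault(key, pkt["ts"])
        elif "A" in pkt["flags"]:
            completed.add(key)

    half_open = defaultdict(list)
    for (src, dst, dport), ts in first_syn.items():
        if (src, dst, dport) not in completed:
            half_open[src].append((ts, dport))

    alerts = {}
    for src, events in half_open.items():
        events.sort()
        ports = {port for _, port in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(ports) >= threshold and span <= window_s:
            alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for src, ports in find_half_open_scanners(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {len(ports)} half-open ports {ports}")
```

On the constructed sample only 10.0.0.66 is reported; the single unanswered SYN from 10.0.0.7 stays under the threshold, and 10.0.0.5 is ignored because its handshake completed. The threshold and window are the knobs a real signature or statistical engine exposes, which is why a scanner that slows down or spreads its probes across many sources can slip under them.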
-
March 17th, 2006, 10:37 PM
#3
Hi TH,
I know the tools don't make up the full pen test - like you said, other aspects like background research and social engineering are vital parts of it. I was just wondering what you used tool-wise.
Thanks for your post - helpful and some more statistics to add to the chart.
Any others?
-
March 17th, 2006, 10:39 PM
#4
Horse - How do you rate LANGuard for use when pen testing?
-
March 18th, 2006, 06:00 AM
#5
Originally posted here by J_K9
Q. What are your favourite pen testing tools, which you would use in a standard pen test on a webserver?
Like horse said, scope is critical. That said, tools I use...
Achilles - browser proxy
Internet Explorer
Wikto (like Nikto but added functionality)
N-Stealth (not free)
E-or (web app scanner)
WGET
my hands
Hope this helps.
-
March 18th, 2006, 07:47 AM
#6
Originally posted here by ric-o
Like horse said, scope is critical. That said, tools I use...
Achilles - browser proxy
Internet Explorer
Wikto (like Nikto but added functionality)
N-Stealth (not free)
E-or (web app scanner)
WGET
my hands
Hope this helps.
Have you guys ever used Ike-scan? Is it still a good utility?
http://www.nta-monitor.com/index.htm
Get some good religion from Bad Religion.
-
March 18th, 2006, 12:43 PM
#7
Horse - How would do you rate LANGuard for use when pen testing?
In the past GFI LanGuard proved to be slow and inaccurate. They have a new build out and although they gave me a free copy, I've yet to take it out of the wrapper. I'm not impressed with their product.
Thanks for your post - helpful and some more statistics to add to the chart.
Any others?
Sure, there are always others depending on what the scope and target of interest happens to be. For instance, if I'm looking to see if I've compromised a VM instance, I use a tool called "red pill".
The tools I gave you are in my core toolbox. I use literally hundreds of tools depending upon intent.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
March 18th, 2006, 08:54 PM
#8
For a web application audit try WebScarab; it's very good.
----------------------------------------------------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
-
March 19th, 2006, 10:37 AM
#9
Thanks all for your help - I'd never even heard of red pill before - although it really is just a couple of (four) lines of code.
But, let me approach this from another angle. Let's say you're hired by a small company, and you're taking a black box approach; you will eventually find out that all the network is is a router and several computers behind it, which are all workgrouped together. The router has a DMZ on port 80 to one of the computers (which is a webserver). In this hypothetical situation, what tools do you think you would have used to draw up this conclusion, and then to find holes in the network?
Thanks for all your contributions so far - especially TH13. 
-jk
-
March 20th, 2006, 09:56 AM
#10
Run nmap several times, using a variety of switches. -sV, -sS, -O, -P0, etc. Run it from inside and outside the network. That'll give you a good look at all the computers and what's open.
Nessus will give you more detailed information on any vulnerabilities. Ettercap will help find the hosts on your network. I'm not up to speed on Nikto/Wikto, so can't help much there.
Get on the webserver and test the DMZ. Some cheap routers have lousy DMZs that let you get back into the rest of the network. A good DMZ isolates that computer from the rest of the network. Some cheap routers have very ineffective DMZs. Smoothwall's DMZ, on the other hand, is very effective. So was Linksys's.
“Everybody is ignorant, only on different subjects.” — Will Rogers
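Post #10 suggests running nmap from both outside and inside the network and then checking whether the DMZ actually isolates the webserver. The comparison is easiest on nmap's greppable output (`-oG`). The following is an added example, not code from any poster: it parses three constructed greppable scans (from outside, from a LAN workstation, and from the DMZ'd webserver itself) and reports which ports are exposed externally, which are reachable only internally, and which LAN hosts the DMZ host can still reach. The mapping from the router's public address to the port-forwarded webserver is an assumption taken to be known from the test scope.

```python
"""Compare nmap greppable (-oG) output taken from different vantage points.

Added example for this thread, not code from any poster. The scan texts
are constructed samples in nmap's greppable format; the NAT mapping from
the router's public address to the port-forwarded webserver is assumed to
be known from the test scope.
"""
import re

# Constructed: scan of the router's public address from outside.
OUTSIDE_SCAN = """\
# Nmap 4.01 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///\tIgnored State: filtered (999)
# Nmap done
"""

# Constructed: scan of the LAN from a workstation behind the router.
INSIDE_SCAN = """\
Host: 192.168.1.1 (router)\tPorts: 53/open/udp//domain///, 80/open/tcp//http///
Host: 192.168.1.10 (webserver)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///
Host: 192.168.1.20 (ws1)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
"""

# Constructed: scan of the LAN run from the DMZ'd webserver itself. A DMZ
# that isolates the host should show nothing here except the router.
FROM_DMZ_SCAN = """\
Host: 192.168.1.1 (router)\tPorts: 80/open/tcp//http///
Host: 192.168.1.20 (ws1)\tPorts: 445/open/tcp//microsoft-ds///
"""

NAT_MAP = {"203.0.113.10": "192.168.1.10"}  # public address -> forwarded host

# greppable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Return {ip: {(port, proto)}} of open ports per host."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, set())
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, _service in PORT_RE.findall(field):
                    if state == "open":
                        hosts[ip].add((int(port), proto))
    return hosts


def exposure_report(outside_text, inside_text, nat_map):
    """For each internal host, split its open ports into those reachable
    from outside (via a NAT-mapped public address) and internal-only ones."""
    outside = parse_grepable(outside_text)
    inside = parse_grepable(inside_text)
    report = {}
    for internal_ip, inside_ports in inside.items():
        exposed = set()
        for public_ip, forwarded_to in nat_map.items():
            if forwarded_to == internal_ip:
                exposed |= outside.get(public_ip, set())
        report[internal_ip] = {
            "exposed": sorted(exposed),
            "internal_only": sorted(inside_ports - exposed),
        }
    return report


def dmz_leaks(from_dmz_text, router_ip):
    """Hosts with open ports reachable from the DMZ host, other than the
    router. A non-empty result means the DMZ does not isolate that host."""
    reachable = parse_grepable(from_dmz_text)
    return sorted(ip for ip, ports in reachable.items() if ports and ip != router_ip)


if __name__ == "__main__":
    for ip, parts in exposure_report(OUTSIDE_SCAN, INSIDE_SCAN, NAT_MAP).items():
        print(ip, "exposed:", parts["exposed"], "internal-only:", parts["internal_only"])
    print("LAN hosts reachable from the DMZ host:", dmz_leaks(FROM_DMZ_SCAN, "192.168.1.1"))
```

With the constructed scans, only the webserver's port 80 is exposed externally, its SSH and NetBIOS ports are internal-only, and the scan from the DMZ host still reaches the workstation on port 445, which is exactly the "lousy DMZ" case post #10 warns about. Ports are compared on (port, protocol) rather than service name because service detection can differ between scans.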