
| Subject: | Optimizing time in a pen-test |
|---|---|
| Date: | Wed, 13 Feb 2008 21:36:56 +0100 |
Hello pen-testers,

I need advice on how to economize time in a pen-test. For instance, let's imagine the following (exaggerated) scenario, where you've got only 1-2 days to perform black-box testing over a very large enterprise subnet. You don't have time to perform a general scan with Nessus/nmap/whatever (think of a class-B network or some other huge subnet: impossible to scan in one day, and moreover you'd have to add more time to review/check the scan results... so it's prohibitive).

The question is: which attacks/tools/options would you use, and in which order? Obviously you should only launch attacks where you'd expect results in a brief time and/or that you could launch several of in parallel (let's suppose you have only one laptop).

Some thoughts:

- I could only think of some very focused scanning (for instance, let's look for machines with the VNC port open and then try to exploit the known authentication-bypass bug).
- Scripting is essential (you should try to reduce manual probes). Do you have some of these scripts you'd want to share?
- It's very important to focus on the kinds of attacks that are easier to launch and more productive (at the same time). For instance, sniffing.
- Any recent vulnerability has a bigger chance of existing in the enterprise. Do you have/use some scan that tests only some of these? Which of them?
- Is it productive to try to exploit a buffer overflow? (Success depends on many factors: program version, OS version/language, etc.)

I'm expecting answers such as: "What I'd do is:

1.- Launch Cain and start sniffing. Let it work in the background and move on to step 2.
2.- Launch an arp-scan (it's fast and easy). Try to identify systems based on the vendor's MAC.
3.- Monitor Cain's output. Manually test saved users/passwords.
4.- Look for the domain controller using xxxx tool. Launch "enum" to enumerate users. Launch yyyyy tool for a simple brute-force looking only for: blank password and password equal to the username.
... etc."

You're the experienced pen-testers, and you know better than anybody which attacks you always use with the best success/speed/effort ratio. I'd like to hear your ideas. I think this could be an interesting thread. Please, contribute! :)

Thank you.
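As an illustration of the "focused scanning" idea in the post (one port across a huge subnet, short timeouts, many hosts in parallel, and only the responders kept for review), here is an added example script; it is not from the original message or from any reply in the thread. It assumes VNC on its default port 5900, a per-host connect timeout of half a second, and that a real VNC server greets the client first with the 12-byte RFB ProtocolVersion message ("RFB 003.008\n"); the loopback "fake server" and the "closed port" helpers are constructed fixtures so the script can be exercised offline. Recording the announced version is the prerequisite for deciding whether a known server bug even applies to a given host, which is the check the post's VNC step needs before any exploitation attempt.

```python
"""Focused, time-boxed VNC discovery across a large host list (added example).

Instead of a full port scan, connect to one port on every host in parallel
with a short per-host timeout, and record the RFB ProtocolVersion greeting
("RFB 003.008") that a VNC server sends first. Only responders are kept,
so the output stays small enough to review in the time available.
"""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed

VNC_PORT = 5900          # assumption: display :0; displays :1.. use 5901..
CONNECT_TIMEOUT = 0.5    # assumption: seconds per host; tune to the RTT
RFB_GREETING_LEN = 12    # ProtocolVersion is exactly "RFB xxx.yyy\n"


def probe_vnc(host, port=VNC_PORT, timeout=CONNECT_TIMEOUT):
    """Return the RFB banner string if host:port speaks VNC, "" if the port is
    open but sends no RFB greeting, or None if it is closed or unreachable."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None                       # refused, filtered, or timed out
    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            # The greeting may arrive in pieces; read until 12 bytes or EOF.
            while len(data) < RFB_GREETING_LEN:
                chunk = sock.recv(RFB_GREETING_LEN - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                          # open port that stays silent
    if data.startswith(b"RFB ") and data.endswith(b"\n"):
        return data.decode("ascii", "replace").strip()
    return ""


def scan(hosts, port=VNC_PORT, timeout=CONNECT_TIMEOUT, workers=256):
    """Probe every host concurrently; return {host: banner} for open ports.
    Closed/unreachable hosts (None) are dropped so the result is review-sized."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(probe_vnc, h, port, timeout): h for h in hosts}
        for fut in as_completed(futures):
            banner = fut.result()
            if banner is not None:
                found[futures[fut]] = banner
    return found


def expand(cidr):
    """List the host addresses of a CIDR block, e.g. expand("10.0.0.0/16")."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]


# --- constructed fixtures so the scanner can be exercised offline -----------

def start_fake_server(banner=b"RFB 003.008\n"):
    """Loopback listener that greets each client with `banner` (constructed
    stand-in for a VNC server). Returns the listening socket; read its port
    with srv.getsockname()[1]."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(64)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def reserve_closed_port():
    """Bind (without listening) a loopback port so connects to it are refused.
    Returns (socket, port); keep the socket alive while you use the port."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    srv = start_fake_server()
    port = srv.getsockname()[1]
    print(scan(["127.0.0.1"], port=port))   # {'127.0.0.1': 'RFB 003.008'}
```

Against a real range you would call `scan(expand("10.0.0.0/16"))`. With the assumed 256 workers and 0.5 s timeout, a /16 costs at most about 65536 / 256 * 0.5 s, roughly two minutes, which is the kind of budget the post is after; the same shape (one port, one banner check, keep only responders) works for any other service whose server speaks first.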