Hello,
On Wed, 13 Feb 2008, Pen Testing wrote:
Hello pen-testers,
I need advice on how to economize time in a pen-test. For instance, let's
imagine the following (exagerated) scenario where you've got only 1-2
days to perform a black-box testing over a very large enterprise subnet.
You don't have time to perform a general scanning with
Nessus/nmap/whatever (think in a class-B network or some other huge
subnet; impossible to scan in one day, and moreover you'd have to add
more time to review/check scanning results... so it's prohibitive).
The question is: Which attacks/tools/options would you use and in which
order? Obviously you should only launch attacks where you'd expect
results in a brief time and/or you could launch several of them in
parallel (let's suppose you have only one laptop).
*** Disclaimer: don't blindly do what i'm saying, YMMV. ***
Just a few hints off the top of my head:
1) Start with an automated portscan of the whole enterprise network, using
a fast portscanner. This way, you get the big picture of the target
network spending only cpu-cycles instead of precious brain-time:
- zucca scanner (http://lab.mediaservice.net/code/singsing/).
- if you can enumerate active hosts (ICMP ECHO packets are often
allowed), build a list of targets and work on that from now on.
- arp-scan is cool too, if you're in a flat network.
2) While the scanner is running, perform some quick mass-information
gathering tasks, e.g.:
- CIFS enum (http://0xdeadbeef.info/code/samba-hax0r).
- SNMP enum (http://www.phreedom.org/solar/onesixtyone/).
- SMTP/FINGER/etc. enum (http://0xdeadbeef.info/code/brutus.pl)
on UNIX hosts.
- other services with known information leaks, such as LDAP.
- as you said, sniffing can be very helpful too, even though i
personally prefer active attacks;)
3) Launch some password guessing and "gentle" bruteforce attacks:
- on Local and Domain users on Windows boxen, after verifying the
account locking policy in use (try enum.exe): the aforementioned
samba-hax0r script is pretty good for this task too.
- on UNIX hosts (hydra, medus, the aforementioned brutus.pl).
- on network equipment (also, exploit rw SNMP communities you
found during step 2 above).
4) Scan for your favorite subset of services with known vulnerabilities:
- HINT#1: even if proper update procedures are in place (which is
seldom the case anyway), third-party software will often be
outdated and potentially vulnerable.
- HINT#2: databases are usually a great entry point to OS command
execution (not to mention the sensitive information they often
contain;).
Based on what you've found so far, and with the help of the Customer if
possible, select a sample of hosts as a subset of the scope and use it as
the target: depending on the network size and architecture, you should
still have plenty of time for an in-depth pen-test on the newly defined
target sample. If you're not alone, distribute the workload among Red Team
members.
Yeah, you don't even need exploits to perform a thorough pen-test. On this
subject, see also hdm's remarkable work at:
http://www.metasploit.com/confs/blackhat2007/tactical_paper.pdf
http://www.metasploit.com/confs/blackhat2007/tactical_blackhat2007.pdf
Ciao,
--
Marco Ivaldi, OPST
Red Team Coordinator Data Security Division
@ Mediaservice.net Srl http://mediaservice.net/
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
