- Posts: 1700
- Thank you received: 0
Penetration Testing - Tools Of The Trade
20 years 6 months ago #1496
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Penetration Testing - Tools Of The Trade was created by sahirh
I find there's a lack of worthwhile information online about penetration testing -- nobody really goes about describing a good pen test, and what you should and shouldn't do. So I've hand picked a couple of good papers on the subject and then given you a list of my favourite tools, and the way I like to do things.
Papers :
'Penetration Testing Methodology - For Fun And Profit' - Efrain Tores and LoNoise
'An Approach To Systematic Network Auditing' - Mixter (can be found somewhere at mixter.void.ru
'Penetration Testing - The Third Party Hacker' - Jessica Lowery. Boy is this ever a good paper !
www.sans.org/rr/papers/index.php?id=264
'Penetration Testing - Technical Overview' - Timothy P. Layton Sr. also from the www.sans.org reading room
Pen-test Setup
I don't like working from laptops unless its absolutely imperative, like when you have to do a test from the inside. For the external tests I use a Windows XP machine with Cygwin ( www.cygwin.com ) and vmware ( www.vmware.com ) most linux exploits compile fine under cygwin, if they don't then I shove them into vmware where I have virtual machines of Red Hat, Mandrake and Win2k boxes.
In case that doesnt work, the system also dual boots Red Hat 9.
Tools
I keep my pen-tests strictly to the network level, there is no social engineering involved or any real physical access testing other than basic server room security and workstation lockdown (I don't go diving in dumpsters for passwords).
I try as far as possible to determine the Rules Of Engagement with an admin or some other technically adept person with the right authorisation, not a corporate type. Offer to allow one of their people to be present for your testing if they want.
I start by visiting the target website, running a whois, DNS zone transfer (if possible) and other regular nonsense.
Now for a part of the arsenal -- not in any order and far from the complete list.
nmap www.insecure.org/nmap - Mine (and everyone elses) workhorse port scanner with version scanning, multiple scan types, OS fingerprinting and firewall evasion tricks. Most tests start and end here :)
nessus www.nessus.org - My favourite free vulnerability scanner, usually finds something on every host. Not too quiet though.
Retina www.eeye.com - Commercial vulnerability scanner, I stopped using this after I started with nessus but its very very quick and good
nikto www.cirt.net/code/nikto.shtml - Webserver vulnerability scanner. I use my own hacked up version of this perl program which uses the libwhisker module. It has quite a few IDS evasion modes and is pretty fast. Not that subtle though, which is why I modified it.
Cisco Scanner - A small little windows util I found that scans IP ranges for routers with the default password of 'cisco'. Has turned up some surprising results
Sophie Script - A little perl script coupled with user2sid and sid2user which can find me all the usernames on a windows box.
Legion- Windows file share scanner by the erstwhile Rhino9. Fast as hell.
Pwdump2 razor.bindview.com/tools/desc/pwdump2_readme.html - Dumps the content of the windows password sam file
L0phtcrack 3.0 www.atstake.com/research/lc/ - Cracks the passwords I get from the above or from its own internal SAM dump. It can also sniff the network for password hashes or obtain them via remote registry.
Netcat www.atstake.com/research/tools/ - TCP/UDP connection backend tool, oh boy I am lost without this ! Half my scripts rely on it. There is also an encrypted version called cryptcat which might be useful if you are walking around an IDS.
Hping2 www.hping.org - Custom TCP packet creation utility, great for testing firewalls.
Bunch of common exploits effeciently sorted :
This is my collection of exploits in source and binary form. I sort
them in subdirectories by Operating System, then depending on how they attack - Remote / Local and then according to what they attack - BIND / SMTP / HTTP / FTP / SSH etc etc. The binary filenames are arbitrary but the source filenames instantly tell me the name of the exploit and the version of the software vulnerable.
This is essential when you're short on time and you need to 'pick one'. I don't include DoS or DDoS exploits, there is nobody I know who would authorise you to take down a production system. Don't do it -- and tell them you arent doing it.. and only if they plead with you should you do it.
Presenting Reports
This is the critical part -- its about presenting what you found to people who probably don't understand a word of what your job is about. You have to show them that there are some security problems in your network, and this is how serious they might be.
A lot of people end the pen-test after the scanning stage. Unless someone specifically tells me to do this, I believe it is important you exploit the system to at least level 1. This is important because there is a very big difference in saying something is vulnerable and actually seeing that the vulnerability is executable. Not to mention when dealing with a corporate type, seeing 'I gained access to the server' usually gets more attention than 'the server is vulnerable to blah blah'.
After you're done, make a VERY detailed chronological report of everything you did, including which tools you used, what version they are, and anything else you did without using tools (eg. SQL injection). Give gory technical details in annexes -- make sure the main document has an executive summary and lots of pie charts that they can understand. Try and include figures and statistics for whatever you can.
To cater to the admins, provide a report for each host you tested and make sure that for every security hole you point out, you provide a link to a site with a patch or fix, . Try to provide a link to a site with detailed information about the hole preferably bugtraq or some well known source -- many admins are very interested in these things and appreciate it.
Now if you read through this gigantic post, and learned something from it, you'll be a better pen-tester in my eyes at least
Hope this helps you figure out how to test network security better. Even if you're an admin in an organisation, you can offer to perform a pen-test and then use the techniques above to make it meaningul. Make sure you're very familiar with your tools and know what to look for. You have an advantage as you already know your network inside out.
Comments / Questions / Criticism ?
Cheers,
Papers :
'Penetration Testing Methodology - For Fun And Profit' - Efrain Tores and LoNoise
'An Approach To Systematic Network Auditing' - Mixter (can be found somewhere at mixter.void.ru
'Penetration Testing - The Third Party Hacker' - Jessica Lowery. Boy is this ever a good paper !
www.sans.org/rr/papers/index.php?id=264
'Penetration Testing - Technical Overview' - Timothy P. Layton Sr. also from the www.sans.org reading room
Pen-test Setup
I don't like working from laptops unless its absolutely imperative, like when you have to do a test from the inside. For the external tests I use a Windows XP machine with Cygwin ( www.cygwin.com ) and vmware ( www.vmware.com ) most linux exploits compile fine under cygwin, if they don't then I shove them into vmware where I have virtual machines of Red Hat, Mandrake and Win2k boxes.
In case that doesnt work, the system also dual boots Red Hat 9.
Tools
I keep my pen-tests strictly to the network level, there is no social engineering involved or any real physical access testing other than basic server room security and workstation lockdown (I don't go diving in dumpsters for passwords).
I try as far as possible to determine the Rules Of Engagement with an admin or some other technically adept person with the right authorisation, not a corporate type. Offer to allow one of their people to be present for your testing if they want.
I start by visiting the target website, running a whois, DNS zone transfer (if possible) and other regular nonsense.
Now for a part of the arsenal -- not in any order and far from the complete list.
nmap www.insecure.org/nmap - Mine (and everyone elses) workhorse port scanner with version scanning, multiple scan types, OS fingerprinting and firewall evasion tricks. Most tests start and end here :)
nessus www.nessus.org - My favourite free vulnerability scanner, usually finds something on every host. Not too quiet though.
Retina www.eeye.com - Commercial vulnerability scanner, I stopped using this after I started with nessus but its very very quick and good
nikto www.cirt.net/code/nikto.shtml - Webserver vulnerability scanner. I use my own hacked up version of this perl program which uses the libwhisker module. It has quite a few IDS evasion modes and is pretty fast. Not that subtle though, which is why I modified it.
Cisco Scanner - A small little windows util I found that scans IP ranges for routers with the default password of 'cisco'. Has turned up some surprising results
Sophie Script - A little perl script coupled with user2sid and sid2user which can find me all the usernames on a windows box.
Legion- Windows file share scanner by the erstwhile Rhino9. Fast as hell.
Pwdump2 razor.bindview.com/tools/desc/pwdump2_readme.html - Dumps the content of the windows password sam file
L0phtcrack 3.0 www.atstake.com/research/lc/ - Cracks the passwords I get from the above or from its own internal SAM dump. It can also sniff the network for password hashes or obtain them via remote registry.
Netcat www.atstake.com/research/tools/ - TCP/UDP connection backend tool, oh boy I am lost without this ! Half my scripts rely on it. There is also an encrypted version called cryptcat which might be useful if you are walking around an IDS.
Hping2 www.hping.org - Custom TCP packet creation utility, great for testing firewalls.
Bunch of common exploits effeciently sorted :
This is my collection of exploits in source and binary form. I sort
them in subdirectories by Operating System, then depending on how they attack - Remote / Local and then according to what they attack - BIND / SMTP / HTTP / FTP / SSH etc etc. The binary filenames are arbitrary but the source filenames instantly tell me the name of the exploit and the version of the software vulnerable.
This is essential when you're short on time and you need to 'pick one'. I don't include DoS or DDoS exploits, there is nobody I know who would authorise you to take down a production system. Don't do it -- and tell them you arent doing it.. and only if they plead with you should you do it.
Presenting Reports
This is the critical part -- its about presenting what you found to people who probably don't understand a word of what your job is about. You have to show them that there are some security problems in your network, and this is how serious they might be.
A lot of people end the pen-test after the scanning stage. Unless someone specifically tells me to do this, I believe it is important you exploit the system to at least level 1. This is important because there is a very big difference in saying something is vulnerable and actually seeing that the vulnerability is executable. Not to mention when dealing with a corporate type, seeing 'I gained access to the server' usually gets more attention than 'the server is vulnerable to blah blah'.
After you're done, make a VERY detailed chronological report of everything you did, including which tools you used, what version they are, and anything else you did without using tools (eg. SQL injection). Give gory technical details in annexes -- make sure the main document has an executive summary and lots of pie charts that they can understand. Try and include figures and statistics for whatever you can.
To cater to the admins, provide a report for each host you tested and make sure that for every security hole you point out, you provide a link to a site with a patch or fix, . Try to provide a link to a site with detailed information about the hole preferably bugtraq or some well known source -- many admins are very interested in these things and appreciate it.
Now if you read through this gigantic post, and learned something from it, you'll be a better pen-tester in my eyes at least
Hope this helps you figure out how to test network security better. Even if you're an admin in an organisation, you can offer to perform a pen-test and then use the techniques above to make it meaningul. Make sure you're very familiar with your tools and know what to look for. You have an advantage as you already know your network inside out.
Comments / Questions / Criticism ?
Cheers,
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 6 months ago #1500
by tfs
Thanks,
Tom
Replied by tfs on topic Re: Penetration Testing - Tools Of The Trade
Got some pretty good stuff there.
Competing with Chris on his tutorials, are we?
Competing with Chris on his tutorials, are we?
Thanks,
Tom
20 years 6 months ago #1517
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Penetration Testing - Tools Of The Trade
Lol you gotta be kidding, do you see a kick ass 3d diagram anywhere in my post ? Btw did you read the alexa review he sent us ? Wonder who Gabriel is.. and I bet I answered his post 
Btw I like your idea of a separate tips / tutorial type forum section. I was initially contemplating making the post sticky.
Btw I like your idea of a separate tips / tutorial type forum section. I was initially contemplating making the post sticky.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
20 years 6 months ago #1532
by sahirh
lol
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Penetration Testing - Tools Of The Trade
Maybe Chris will do a diagram for you. Just a small one. We all have to start with baby steps. :lol:
lol
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Time to create page: 0.153 seconds