penetration testing

Discussion in 'Computer Security' started by suraku@gmail.com, Jul 6, 2006.

  1. Guest

    I'm involved in a class at my university doing penetration testing of
    various companies in our area. However, one of the companies apparently
    has good, or at least decent, security: any attempts to nmap the
    address return no open ports and no OS information (even on a full
    65535-port scan), and Nessus and N-Stealth do not have any luck either.
    At this point I'm thinking they have a good firewall, but I would still
    like to try to find some vulnerabilities. What would be a good next step
    to try to either gain access WITHOUT DAMAGING THE SYSTEM or obtain more
    recon information on the server to base future actions on?
     
    , Jul 6, 2006
    #1

  2. Todd H. Guest

    "" <> writes:

    > I'm involved in a class at my university doing penetration testing of
    > various companies in our area


    I sure hope you have their legal consent to do this. If not, and your
    instructor has told you to do this, I'd say he or she is not too
    bright and just begging for legal action of some sort.

    You simply shouldn't do penetration testing without written legal
    consent of the parties being evaluated. It's a good way to go to jail
    (without passing Go or collecting $200).

    > however one of the companies apparently has good, or at least
    > decent, security, any attempts to nmap the address return no open
    > ports and no OS information (even on a full 65535-port scan),


    Actually, that's called a firewall and hopefully is fairly common in
    your survey.

    > Nessus and N-Stealth do not have any luck either.


    Yeah, no point really in running nessus if there aren't any ports
    listening.

    > At this point I'm thinking they have a good firewall but would still
    > like to try to find some vulnerabilities. What would be a good next
    > step to try to either gain access WITHOUT DAMAGING THE SYSTEM or
    > obtain more recon information on the server to base future actions
    > on?


    Track down the paper on firewalking. It details a method of mapping
    out the firewall ruleset at least. It's pretty clever in its
    technique.

    However, you're not likely to get a good handle on the systems behind
    it.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Jul 6, 2006
    #2

  3. Todd H. wrote:
    > "" <> writes:
    >
    >> I'm involved in a class at my university doing penetration testing
    >> of various companies in our area

    >
    > I sure hope you have their legal consent to do this.


    As long as you don't actively circumvent measures and actually spy on or
    change data, you don't need any consent to do fully legal things.

    > If not, and your instructor has told you to do this, I'd say he or
    > she is not too bright and just begging for legal action of some sort.
    >

    Admittedly, most companies will throw around a lot of lawsuits over
    maybe-not-so-fine but fully legal actions.

    > It's a good way to go to jail (without passing Go or collecting
    > $200).


    "I've got a 'You get out of jail' free card!" (Trigger Happy TV)

    >> At this point I'm thinking they have a good firewall but would
    >> still like to try to find some vulnerabilities. What would be a good
    >> next step to try to either gain access WITHOUT DAMAGING THE SYSTEM
    >> or obtain more recon information on the server to base future
    >> actions on?

    >
    > Track down the paper on firewalking. It details a method of mapping
    > out the firewall ruleset at least. It's pretty clever in its
    > technique.


    Another interesting and/or additional approach is trying to exploit
    well-known common TCP/IP problems like differing IP versions (4, 6),
    various types of sizing and fragmentation, certain TCP flag combinations,
    various TCP options, various ICMP codes, ... The tools of choice are
    hping3 (yes, there's a new version) and Perl (with Net::RawIP from CPAN).

    > However, you're not likely to get a good handle on the systems
    > behind it.


    Indeed. The best way to get a handle is to intercept the line (or do
    some DNS manipulation) to redirect traffic partially to your system
    and to pass some arbitrarily chosen content that keeps up permanent
    connections, allowing you to pass chosen traffic as connection-related content.
     
    Sebastian Gottschalk, Jul 6, 2006
    #3
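The two firewall-mapping techniques the replies point at, firewalking (post #2) and probing with chosen TCP flag combinations as hping3 does (post #3), as an added example that is not part of the original thread and not any poster's code. Rather than sending packets, it runs both probes against a constructed in-memory path, so it works offline: the topology, node names, allowed ports, listening ports, and the assumption that forwarding nodes check TTL before applying their filter are all assumptions of the example. In the real technique the probes go out over raw sockets (firewalk, hping3, or nmap's -sA) from a privileged host, and, as the thread says, with written consent.

```python
"""Added example for this thread, not any poster's code: an offline model of two
firewall-mapping probes named in the replies, firewalking (TTL-bounded probes)
and an unsolicited-ACK scan. The path is constructed in memory, so nothing is
sent; real probes need raw sockets, hping3/scapy/nmap and written consent."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Probe:
    dst_port: int
    flags: str  # "S" = SYN, "A" = bare ACK
    ttl: int

@dataclass(frozen=True)
class Response:
    kind: str      # "time_exceeded", "rst" or "syn_ack"
    from_hop: int  # hop count of the answering node
    from_name: str

class Router:
    """Forwarding hop; with allowed=None it forwards everything. As a filter,
    stateless checks the port only, stateful also drops out-of-state segments."""
    def __init__(self, name: str, allowed=None, stateful: bool = False):
        self.name, self.allowed, self.stateful = name, allowed, stateful

    def forwards(self, probe: Probe) -> bool:
        if self.allowed is None:
            return True
        if probe.dst_port not in self.allowed:
            return False
        return not (self.stateful and probe.flags == "A")  # bare ACK: no tracked flow

    def answers(self, probe: Probe) -> Optional[str]:
        return None  # not the destination

class Host(Router):
    """Destination TCP stack: RST to any unsolicited ACK; SYN/ACK or RST to a SYN
    depending on whether the port listens."""
    def __init__(self, name: str, listening):
        super().__init__(name)
        self.listening = set(listening)

    def answers(self, probe: Probe) -> Optional[str]:
        if probe.flags == "A":
            return "rst"
        return "syn_ack" if probe.dst_port in self.listening else "rst"

def send(path: List[Router], probe: Probe) -> Optional[Response]:
    """Constructed wire. Hops test TTL before filtering (as Linux ip_forward does),
    so a firewall answers an expired probe; a filtered one is dropped silently (None)."""
    ttl = probe.ttl
    for hop, node in enumerate(path, start=1):
        reply = node.answers(probe)
        if reply is not None:
            return Response(reply, hop, node.name)
        ttl -= 1
        if ttl == 0:
            return Response("time_exceeded", hop, node.name)
        if not node.forwards(probe):
            return None
    return None

def ramp(path, gateway: str, port: int = 80, max_ttl: int = 30) -> int:
    """Firewalk phase 1: traceroute-style TTL ramp until the gateway itself
    answers; returns its hop count (0 if it never does)."""
    for ttl in range(1, max_ttl + 1):
        r = send(path, Probe(port, "S", ttl))
        if r is not None and r.from_name == gateway:
            return ttl
    return 0

def firewalk(path, gateway_hops: int, ports) -> Dict[int, str]:
    """Firewalk phase 2: probe with TTL one past the gateway. Any answer from a
    hop beyond it proves the ruleset forwarded that port; silence = filtered."""
    out = {}
    for p in ports:
        r = send(path, Probe(p, "S", gateway_hops + 1))
        out[p] = "forwarded" if r and r.from_hop > gateway_hops else "filtered"
    return out

def ack_scan(path, ports) -> Dict[int, str]:
    """nmap -sA style: a RST means no stateless filter blocks the port; silence
    means filtered, or a stateful firewall dropping out-of-state ACKs."""
    out = {}
    for p in ports:
        r = send(path, Probe(p, "A", 64))
        out[p] = "unfiltered" if r and r.kind == "rst" else "filtered"
    return out

def topology(stateful: bool) -> List[Router]:
    """Constructed path: prober -> r1 -> fw (allows 80, 443) -> r2 -> web host."""
    return [Router("r1"), Router("fw", {80, 443}, stateful),
            Router("r2"), Host("web", {80})]

if __name__ == "__main__":
    path, ports = topology(stateful=False), [22, 80, 443, 8080]
    gw = ramp(path, "fw")
    print("gateway hop", gw, "firewalk:", firewalk(path, gw, ports))
    print("ack scan, stateless/stateful fw:", ack_scan(path, ports), ack_scan(topology(True), ports))
```

Against the constructed path the firewalk reports 80 and 443 as forwarded and 22 and 8080 as filtered, which is the ruleset, not the host: a forwarded port whose host does not listen (443 here) shows up the same as an open one, which is the "you won't get a good handle on the systems behind it" caveat from post #2. The ACK scan distinguishes a stateless packet filter (RSTs come back for allowed ports) from a stateful one (nothing comes back at all), which is worth knowing before spending time on flag or fragmentation tricks.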
  4. Todd H. Guest

    Sebastian Gottschalk <> writes:

    > Todd H. wrote:
    > > "" <> writes:
    > >
    > >> I'm involved in a class at my university doing penetration testing
    > >> of various companies in our area

    > >
    > > I sure hope you have their legal consent to do this.

    >
    > As long as you don't actively circumvent measures and actually spy on or
    > change data, you don't need any consent to do fully legal things.


    Sebastianeriffic, my delightful fault finding friend, you're good at
    picking apart definitions. Look up a few definitions of penetration
    testing for us would ya?

    Penetration testing vs network or vulnerability scanning is all about
    testing that next step--i.e. the ability to actively circumvent
    measures.

    Or, just run a true pentest against a few sites of a sufficiently
    clueful government from your own IP and let me know how that works
    out for ya.

    On the corporate side, as you correctly say, whether laws are broken
    is unrelated to whether or not you can be successfully sued for your
    unauthorized pentest. Try pentesting a financial institution in or
    around the time they have something go down. If downtime costs them
    $100,000 a minute, you'll have a problem.

    > "I've got a 'You get out of jail' free card!" (Trigger Happy TV)


    Yup, you got it. That's actually what our security group refers to the
    legal indemnity letter as. And it's absolutely what one should have
    before conducting a pentest upon targets you don't exclusively own.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Jul 6, 2006
    #4
  5. Todd H. wrote:

    > Penetration testing vs network or vulnerability scanning is all about
    > testing that next step--i.e. the ability to actively circumvent
    > measures.


    Actively circumventing is modification or bypassing, not using
    legitimate channels. Or is knocking on your door a trivial case of
    actively circumventing your door? Please don't twist it with a
    successful penetration and going further on penetrating. A penetration
    test is supposed to show that a penetration by that route is not successful.
     
    Sebastian Gottschalk, Jul 6, 2006
    #5
  6. Bit Twister Guest

    On Thu, 06 Jul 2006 20:51:24 +0200, Sebastian Gottschalk wrote:
    >
    > As long as you don't actively circumvent measures and actually spy on or
    > change data, you don't need any consent to do fully legal things.


    Heheheh, sounds good but it will depend on laws made by the country
    in which the event happens. Here in the United States of America some
    states make it a crime to ping an ip address. :)
     
    Bit Twister, Jul 6, 2006
    #6
  7. Todd H. Guest

    Sebastian Gottschalk <> writes:

    > Todd H. wrote:
    >
    > > Penetration testing vs network or vulnerability scanning is all about
    > > testing that next step--i.e. the ability to actively circumvent
    > > measures.

    >
    > Actively circumventing is modification or bypassing, not using
    > legitimate channels. Or is knocking on your door a trivial of actively
    > circumventing your door? Please don't twist it with a successful
    > penetration and going further on penetrating. A penetration test is
    > supposed to show that a penetration on that way is not successful.


    Successful penetration -- be it as simple as logging onto a box using
    a guessed default admin password is enough to put you in harm's way in
    many countries unless you have consent.

    This distinction is also a useful one to draw here:
    http://www.darknet.org.uk/2006/04/penetration-testing-vs-vulnerability-assessment/

    The moral: a professor who tells his students to penetration test
    random companies on the internet is an irresponsible moron IMNSHO.

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Jul 6, 2006
    #7
