Security Basics mailing list archives

Re: Newbie Hacker Tools


From: H Carvey <keydet89 () yahoo com>
Date: 8 Jan 2005 04:32:07 -0000

In-Reply-To: <MLEFKCDFKBGLOHDKPIODIEDJFGAA.echow () videotron ca>

Ed,

After reading through the thread, it's abundantly clear to me that just about everyone so far, from your original post 
through the visible respondents, has the wrong idea about all of this.  

Indulge me for a moment...comments inline...

My name is Ed and I run a technology consulting company.  I have begun
offering computer security audits to my clients and, as I am not experienced
in hacking, have been subcontracting this work out.

Okay, this is not entirely unusual.

The written reports that I have received back from the hackers leave much to
be desired! 

And you're surprised?  Why is that?  You hired a "hacker"...there isn't a great deal associated with the usage of that 
moniker (coined by the media) that denotes an ability to document, or to communicate clearly.

Not knowing too much about intrusion detection but realizing
that when almost nothing is found wrong (from a security viewpoint) with a
client's network, I am in big trouble!  Either the hacker does not have the
experience to find any problems or there really are not any problems.

I wouldn't say that the "hacker" (shudder) doesn't have the experience, because for the most part, not a great deal of 
experience is required.  My thought would be that the "hacker" lacks a methodology (more on this later).  

Something else to consider is that you said you're offering audits, but you haven't defined the terms of the service to 
the assembled masses.  It sounds as if you're offering a penetration testing service of some kind.

Also, keep this in mind...you're getting what you pay for.

On my first few audit assignments, I was barely able to break even as I had
to hire two independent hackers for each, i.e., a second hacker had to be
hired to give me an independent assessment of the network.  I then cut and
pasted the two reports into a final "acceptable" one.

You've used the term 'break [in]' here, so this is what led me to believe that you've offered what amounts to 
penetration testing services.

I am at a crossroads where I can either give up on the security audits or
learn to do them myself.  I have chosen the latter and was hoping to get
some help from experts like you.  I realize that I will have a steep hill to
climb but I feel confident that I can learn enough to be much more
proficient than the hackers that I am currently paying.

I'm really confused about what tools I need in my "toolkit" for
Windows-related audits. 

When you say, "Windows-related audits", to what are you referring?  Are you asking for tools for your 'audits' that run 
on Windows, are you asking about tools that specifically target Windows systems, or what?

I've heard a lot about Nessus as a freeware program
but am confused when I go on the nessus.org site and see that it might not
be free.  Other programs I've heard of include nmap, SAINT, Newt.

This is the sentence that led to the majority of the responses...most respondents seem to have focused on just 
"Nessus".  And this can be an issue...here's why:

Nessus is an excellent tool, without a doubt.  However, it's only a tool, albeit a powerful one.  The real power of the 
tool lies in the fact that it's open source...not only can you review the plugins that are used to perform the checks, 
and even modify them as you see fit, but you can also write your own plugins.  Unfortunately, I haven't seen many 
people doing this...I'm sure some folks are, but most of the folks I've seen using Nessus are simply downloading the 
tool and running it, without really understanding what it does, or how it does it.  By this, I mean that they assume 
that if Nessus doesn't report a vulnerability, then the system isn't vulnerable.  They don't take into account that 
Nessus may not have a check for that vulnerability.

If you want a great place to start with regards to tools, check out Fyodor's site:  http://www.insecure.org/tools.html

Now...keep in mind, you're running a business.  As such, your customers are paying you money for...what?  A report?  A 
report of what?  Too many folks out there run Nessus and simply print out the PDF report and send it to their customer. 
 What's the value-add?  What have you done for them?  I'm not even talking about the false-positives issue...simply the 
report?  

The point I'm getting at is that far too many folks simply run the freeware or commercial tool and print out the 
report, and call it a day..."here's all the holes in your god-forsaken network that I found...ta ta!"  Again...where's 
the analysis, the true value-add?  I've heard many an analyst/engineer say, "I could interpret that output and put 
together a plan of action in a matter of minutes."  My response is..."so why didn't you?"  

If you're going to offer a professional service, be professional about it.  With Nessus and nmap, you can download Perl 
modules that allow you to parse the results of both tools, and put those into a MySQL database - I'm sticking with 
freeware options for the moment.

And, perhaps, there are tools out there (either free or not) that would
provide me with an "audit in a box?"  I'm guessing that the pros have a
select few tools of the trade that they use.  You've listed a bunch of tools
on your site as well.  I realize that ethical hacking is an art and that no
two hackers will use exactly the same tools but I am hoping to learn to use
the tools they most often use.

Actually, regardless of what many folks would want you to believe, "ethical hacking" is hardly an "art".  There are 
many folks who will try to get you to believe that it is, but remember this...reduce a computer to its most basic 
elements...1s and 0s...and it's deterministic.  Abstract that to a vulnerability...a system is either vulnerable or it 
isn't.  In being deterministic, it's a science.  You can develop an initial methodology for how you begin conducting 
your 'audit', and have conditions set for how to proceed (i.e., no DoS attacks, etc.).  

I'll recommend an approach...start by defining what it is you're offering your clients.  Given the audience, 'audit' 
doesn't really say much.  Also, many folks are more technical than business-oriented, so make sure you define your 
deliverables, too.

If you're offering what amounts to a pen test or an external vulnerability assessment, then from a technical 
perspective, you should start by creating a map or target list.  After you've defined with your customer how you intend 
to go about the test (i.e., partially/fully blind, etc.), start collecting information about your targets via DNS, Google, 
nmap, etc.  Proceed from there...but my point is this...define what service and deliverables you're going to offer, and 
I'm sure you'll have a better time developing your list of tools.

If you'd like to discuss this further, feel free to contact me off-list.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
