Security Basics mailing list archives
Re: Newbie Hacker Tools
From: H Carvey <keydet89 () yahoo com>
Date: 8 Jan 2005 04:32:07 -0000
In-Reply-To: <MLEFKCDFKBGLOHDKPIODIEDJFGAA.echow () videotron ca>

Ed,

After reading through the thread, it's abundantly clear to me that just about everyone so far, from your original post through the visible respondents, has the wrong idea about all of this. Indulge me for a moment...comments inline...
My name is Ed and I run a technology consulting company. I have begun offering computer security audits to my clients and, as I am not experienced in hacking, have been subcontracting this work out.
Okay, this is not entirely unusual.
The written reports that I have received back from the hackers leave much to be desired!
And you're surprised? Why is that? You hired a "hacker"...there isn't a great deal associated with the usage of that moniker (coined by the media) that denotes an ability to document, or to communicate clearly.
Not knowing too much about intrusion detection but realizing that when almost nothing is found wrong (from a security viewpoint) with a client's network, I am in big trouble! Either the hacker does not have the experience to find any problems or there really are not any problems.
I wouldn't say that the "hacker" (shudder) doesn't have the experience, b/c for the most part, not a great deal of experience is required. My thought would be that the "hacker" lacks a methodology (more on this later). Something else to consider is that you said you're offering audits, but you haven't defined the terms of the service to the assembled masses. It sounds as if you're offering a penetration testing service of some kind. Also, keep this in mind...you're getting what you pay for.
On my first few audit assignments, I was barely able to break even as I had to hire two independent hackers for each i.e., a second hacker had to be hired to give me an independent assessment of the network. I then cut and pasted the two reports into a final "acceptable" one.
You've used the term 'break [in]' here, so this is what led me to believe that you've offered what amounts to penetration testing services.
I am at a crossroads where I can either give up on the security audits or learn to do them myself. I have chosen the latter and was hoping to get some help from experts like you. I realize that I will have a steep hill to climb but I feel confident that I can learn enough to be much more proficient that the hackers that I am currently paying. I'm really confused about what tools I need in my "toolkit" for Windows-related audits.
When you say, "Windows-related audits", to what are you referring? Are you asking for tools for your 'audits' that run on Windows, are you asking about tools that specifically target Windows systems, or what?
I've heard a lot about Nessus as a freeware program but am confused when I go on the nessus.org site and see that it might not be free. Other programs I've heard of include nmap, SAINT, Newt.
This is the sentence that led to the majority of the responses...most respondents seem to have focused on just "Nessus". And this can be an issue...here's why: Nessus is an excellent tool, without a doubt. However, it's only a tool, albeit a powerful one. The real power of the tool lies in the fact that it's open source...not only can you review the plugins that are used to perform the checks, and even modify them as you see fit, but you can also write your own plugins. Unfortunately, I haven't seen many people doing this...I'm sure some folks are, but most of the folks I've seen using Nessus are simply downloading the tool and running it, without really understanding what it does, or how it does it. By this, I mean that they assume that if Nessus doesn't report a vulnerability, then the system isn't vulnerable. They don't take into account that Nessus may not have a check for that vulnerability.

If you want a great place to start with regards to tools, check out Fyodor's site: http://www.insecure.org/tools.html

Now...keep in mind, you're running a business. As such, your customers are paying you money for...what? A report? A report of what? Too many folks out there run Nessus and simply print out the PDF report and send it to their customer. What's the value-add? What have you done for them? I'm not even talking about the false-positives issue...simply the report? The point I'm getting at is that far too many folks simply run the freeware or commercial tool and print out the report, and call it a day..."here's all the holes in your god-forsaken network that I found...ta ta!" Again...where's the analysis, the true value-add? I've heard many an analyst/engineer say, "I could interpret that output and put together a plan of action in a matter of minutes." My response is..."so why didn't you?" If you're going to offer a professional service, be professional about it.
With Nessus and nmap, you can download Perl modules that allow you to parse the results of both tools, and put those into a mySql database - I'm sticking w/ freeware options for the moment.
And, perhaps, there are tools out there (either free or not) that would provide me with an "audit in a box?" I'm guessing that the pros have a select few tools of the trade that they use. You've listed a bunch of tools on your site as well. I realize that ethical hacking is an art and that no two hackers will use exactly the same tools but I am hoping to learn to use the tools they most often use.
Actually, regardless of what many folks would want you to believe, "ethical hacking" is hardly an "art". There are many folks who will try to get you to believe that it is, but remember this...reduce a computer to its most basic elements...1s and 0s...and it's deterministic. Abstract that to a vulnerability...a system is either vulnerable or it isn't. In being deterministic, it's a science. You can develop an initial methodology for how you begin conducting your 'audit', and have conditions set for how to proceed (i.e., no DoS attacks, etc.).

I'll recommend an approach...start by defining what it is you're offering your clients. Given the audience, 'audit' doesn't really say much. Also, many folks are more technical than business-oriented, so make sure you define your deliverables, too. If you're offering what amounts to a pen test or an external vulnerability assessment, then from a technical perspective, you should start by creating a map or target list. After you've defined with your customer how you intend to go about the test (i.e., partially/fully blind, etc.), start collecting information about your targets via DNS, Google, nmap, etc. Proceed from there...but my point is this...define what service and deliverables you're going to offer, and I'm sure you'll have a better time developing your list of tools.

If you'd like to discuss this further, feel free to contact me off-list.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
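The reply above mentions parsing nmap and Nessus results into a database, and recommends starting a test from a target list built with nmap, DNS and the like. As an added example that is not part of this thread (and in Python rather than the Perl modules the post mentions), the following loads a constructed nmap XML (-oX) document into an in-memory SQLite database and answers the two questions a target list needs: which live hosts expose which open ports, and which hosts expose a given service. The addresses, hostnames, and service banners in the sample are made up; a real document would come from something like `nmap -sS -sV -oX scan.xml <targets>`.

```python
"""Load nmap XML output into SQLite and query it for a target list.

Added example, not code from the original thread. The XML below is a
constructed sample in nmap's -oX format; nothing in it is a real scan.
"""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output: two live hosts and one that is down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="3.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="1.3.33"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

SCHEMA = """
CREATE TABLE host (addr TEXT PRIMARY KEY, hostname TEXT, state TEXT);
CREATE TABLE port (addr TEXT, proto TEXT, portid INTEGER, state TEXT,
                   service TEXT, product TEXT, version TEXT,
                   PRIMARY KEY (addr, proto, portid));
"""


def load_nmap_xml(xml_text, conn):
    """Insert every host and port element of an nmap XML document into conn."""
    root = ET.fromstring(xml_text)
    conn.executescript(SCHEMA)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue  # skip hosts with no IPv4 address element (e.g. MAC only)
        addr = addr_el.get("addr")
        status = host.find("status")
        state = status.get("state") if status is not None else "unknown"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        conn.execute("INSERT INTO host VALUES (?,?,?)", (addr, hostname, state))
        for port in host.iterfind("ports/port"):
            pstate = port.find("state")
            svc = port.find("service")
            conn.execute("INSERT INTO port VALUES (?,?,?,?,?,?,?)", (
                addr, port.get("protocol"), int(port.get("portid")),
                pstate.get("state") if pstate is not None else "unknown",
                svc.get("name") if svc is not None else None,
                svc.get("product") if svc is not None else None,
                svc.get("version") if svc is not None else None))
    conn.commit()


def open_ports_by_host(conn):
    """Target list: live hosts and their open ports as {addr: [(port, service), ...]}."""
    rows = conn.execute(
        "SELECT h.addr, p.portid, p.service FROM host h JOIN port p ON h.addr = p.addr "
        "WHERE h.state = 'up' AND p.state = 'open' ORDER BY h.addr, p.portid").fetchall()
    result = {}
    for addr, portid, service in rows:
        result.setdefault(addr, []).append((portid, service))
    return result


def hosts_exposing(conn, service):
    """Cross-host question for the write-up: which hosts expose this service?"""
    rows = conn.execute(
        "SELECT DISTINCT addr FROM port WHERE state = 'open' AND service = ? ORDER BY addr",
        (service,)).fetchall()
    return [r[0] for r in rows]


def build_db(xml_text=SAMPLE_NMAP_XML):
    """Parse xml_text into a fresh in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    load_nmap_xml(xml_text, conn)
    return conn


if __name__ == "__main__":
    db = build_db()
    for addr, ports in open_ports_by_host(db).items():
        print(addr, ports)
    print("SMB hosts:", hosts_exposing(db, "microsoft-ds"))
```

Once the scan is in a table, the analysis the post asks for (which services recur across the client's hosts, what changed since the last test, which findings are worth a paragraph rather than a line in a printed report) is a query rather than a re-read of the raw output. Closed ports and hosts that were down are kept in the tables so that "not found" can be told apart from "not checked".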