Penetration Testing mailing list archives
Re: [PEN-TEST] First step of a pen-test
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 19 Sep 2000 11:42:14 -0500
Hi Chris,

The first step to any thorough penetration test is some indirect information gathering. Search USENET/dogpile for @<target domain> to find information about the employees and usernames. Traceroute/Firewalk/Nmap their perimeter devices, try to guess SNMP community strings on their border routers to get network configuration details, and look for other links into their network. Search for their IP addresses; oddly enough, you can usually find them in mailing list archives and web stats pages. This should slowly build a clear picture of how their network is laid out, what the internal infrastructure is like (X-Mailer headers...), and help you start preparing your arsenal.

A Zero-Knowledge attack is ideal, as you will be working under the same conditions as an unknown internet attacker. You do want to verify that the addresses you are attacking actually belong to your client before you start testing. An IP range and a list of hosts that are mission-critical (tread lightly) should be enough to start you off. War dialing may or may not be part of your pen-test; it really depends on your agreement with the client.

-HD
http://www.digitaloffense.net/

"Christopher M. Bergeron" wrote:
> What is the industry norm for _beginning_ a pen-test after the contract has been made? Would one first map the network? Try to war-dial the exchange for possible remote access machines (pcanywhere, etc.)? VRFY email addresses to look for user logins? Is it typical to ask for information about the network (i.e. network architecture) beforehand, or do most pen-tests start "blindly" and do the network reconnaissance?
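The passive harvesting HD describes (usernames from addresses at the target domain, X-Mailer headers as a hint about the internal desktops, IP addresses lifted from mailing list archives, and the scope check before anything is touched) can be scripted against a saved archive. The following is an added example written for this page, not code from the original post or from the list; the three messages, the domain example.com and the authorized range 192.0.2.0/24 are all constructed for illustration.

```python
"""Passive recon over a mailing-list archive (added example, not from the post).

Constructed inputs: the messages below, TARGET_DOMAIN and AUTHORIZED_RANGES are
hypothetical. Only standard-library modules are used, so it runs offline.
"""
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parseaddr

TARGET_DOMAIN = "example.com"          # hypothetical client domain
AUTHORIZED_RANGES = ["192.0.2.0/24"]   # hypothetical ranges from the engagement agreement

# Constructed archive excerpt: three messages, none real.
SAMPLE_ARCHIVE = [
"""From: jsmith@example.com
To: list@lists.example.net
Subject: Re: router config
Received: from lists.example.net (lists.example.net [203.0.113.50])
    by archive.example.net with ESMTP; Tue, 19 Sep 2000 10:00:05 -0500
Received: from mail.example.com (mail.example.com [192.0.2.25])
    by lists.example.net with ESMTP; Tue, 19 Sep 2000 10:00:00 -0500
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0

Thanks, the config is attached.
""",
"""From: "Bob Jones" <bob.jones@example.com>
To: list@lists.example.net
Cc: admin@example.com
Subject: web stats
Received: from smtp.hostingprovider.example ([198.51.100.7])
    by lists.example.net with SMTP; Wed, 20 Sep 2000 08:12:44 -0500
X-Mailer: Mozilla 4.7 [en] (Win98; I)

Stats page is back up.
""",
"""From: someone@other.org
To: jsmith@example.com
Subject: Re: Re: router config
Received: from mx.other.org (mx.other.org [203.0.113.9])
    by lists.example.net with ESMTP; Wed, 20 Sep 2000 09:01:10 -0500
X-Mailer: Microsoft Outlook Express 5.00.2615.200

Not our box.
""",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 literals in Received:


def parse_messages(raw_messages):
    return [message_from_string(raw) for raw in raw_messages]


def from_target(msg, domain=TARGET_DOMAIN):
    """True when the From: address is at the client's domain."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower().endswith("@" + domain)


def harvest_usernames(msgs, domain=TARGET_DOMAIN):
    """Local parts of every @domain address in From/To/Cc: candidate login names."""
    names = set()
    for msg in msgs:
        headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
        for _, addr in getaddresses(headers):
            local, _, dom = addr.rpartition("@")
            if dom.lower() == domain:
                names.add(local.lower())
    return names


def harvest_mailers(msgs, domain=TARGET_DOMAIN):
    """X-Mailer values from client-originated mail: a hint about the desktops inside."""
    counts = Counter()
    for msg in msgs:
        if from_target(msg, domain) and msg.get("X-Mailer"):
            counts[msg["X-Mailer"].strip()] += 1
    return dict(counts)


def harvest_received_ips(msgs, domain=TARGET_DOMAIN):
    """IPv4 literals from Received: headers of client-originated mail.
    This deliberately over-collects (the list's own relay shows up too);
    scope_check() decides what may actually be tested."""
    ips = set()
    for msg in msgs:
        if not from_target(msg, domain):
            continue
        for hdr in msg.get_all("Received", []):
            ips.update(IP_RE.findall(hdr))
    return ips


def scope_check(ips, authorized=AUTHORIZED_RANGES):
    """Split harvested addresses into in-scope (inside the client-approved ranges)
    and out-of-scope (belongs to someone else; do not touch)."""
    nets = [ipaddress.ip_network(r) for r in authorized]
    in_scope, out_of_scope = set(), set()
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        (in_scope if any(addr in n for n in nets) else out_of_scope).add(ip)
    return in_scope, out_of_scope


if __name__ == "__main__":
    msgs = parse_messages(SAMPLE_ARCHIVE)
    print("usernames:", sorted(harvest_usernames(msgs)))
    print("mailers:  ", harvest_mailers(msgs))
    ok, skip = scope_check(harvest_received_ips(msgs))
    print("in scope: ", sorted(ok), " out of scope:", sorted(skip))
```

Note that the harvested set includes 203.0.113.50, the archive's own relay, and 198.51.100.7, a third-party mail host that merely relayed the client's mail; both are real addresses you would "find" for the client, and neither is yours to test. Only 192.0.2.25 survives the scope check, which is the point of HD's caution about verifying ownership before you start.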
Current thread:
- Re: [PEN-TEST] First step of a pen-test Stiles, Robert (Nov 01)
- <Possible follow-ups>
- Re: [PEN-TEST] First step of a pen-test H D Moore (Nov 01)
- Re: [PEN-TEST] First step of a pen-test Michel Kaempf (Nov 01)