Penetration Testing mailing list archives
Re: [PEN-TEST] Hypothetical Wargaming
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Mon, 9 Oct 2000 10:09:32 -0500
Good question, actually... A few friends of mine (myself included) will actually be setting up a "WarGame Network" in the near future; I'll keep everyone posted. So far, it looks like NetBSD, Win2k, a few Linux distros, and maybe some other OS's, machines provided.

As for the question at hand... I won't specifically command-line script this, and there's no really good way to judge what my initial response to each machine will be. It depends on what services are running, and that can vary from machine to machine. Right now, the heavy-hitters are IIS, and NetBIOS over TCP (NBT).

Use the evil whax0r tool "Whois" (on Windoze or UNIX) and find some information about contacts for the company. You can learn quite a bit just from this alone. Maybe generate "account names" from the people's names in the contact list (or use e-mail addresses you find in whois.)

Try to determine what their network structure is. Does it look like they're using NAT (Masquerading, whatever)? If so, there's probably a packet filter as well (be it another system or a firewall.) Try looking at ARIN and figure out how many IP addresses they own.

Use programs like "NetBios Auditing Tool" (can be acquired from packetstorm.securify.com) to pry account and filesharing info from the hosts. From here, you should have some information to get started with, and maybe even a few password hashes to run through L0phtcrack (www.l0pht.com).

Focus on vulnerabilities you can find with IIS (you can even be a scriptkiddiot and use programs that other people have written, they're out there... check the Security Search engines such as http://packetstorm.securify.com or http://astalavista.box.sk.)

For a "Hypothetical Wargame", Physical Site Penetration may be just a little overkill... but Social Engineering might be okay. It never hurts to call the company and mess with people's heads. You just might talk to someone interesting. Remember that this is totally hypothetical though.

A "Practical" attack is going to vary an order of magnitude from a "Theoretical" attack of the same.

--Noah Dunker

-----Original Message-----
From: H Carvey [mailto:keydet89 () YAHOO COM]
Sent: Saturday, October 07, 2000 6:53 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Hypothetical Wargaming

Assume you're given a pen test. All you have is a domain name. A couple of quick checks tell you that the systems in question are Win32 machines. Your goal is to "tag" a file. No DoS allowed. IIS, Exchange, and MS DNS are being used.

What steps do you take? At each step, what do you hope to gain, and what programs/scripts/techniques do you use (give program name, and command line switches/GUI options)? At each step, assume both NT and Win2K.
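Noah's point that account names can be guessed from the contact names a whois record publishes has a straightforward defender-side check. The script below is an added example, not code from the thread or from any tool it mentions: given the names a company lists publicly and the account names that actually exist in its directory, it reports which accounts follow a predictable naming convention, so those accounts can be given lockout and stronger authentication instead of relying on obscurity. The whois text, contact names and account list are constructed samples; the naming patterns are the usual first-initial-plus-surname style conventions, not anything the page specifies.

```python
"""Audit which directory accounts are derivable from publicly listed contact names.

Added example (not part of the original mailing-list thread). All whois
lines, names and account names below are constructed for illustration.
"""
import re

# Constructed sample: the kind of contact lines a whois record exposes.
WHOIS_SAMPLE = """\
Registrant Name: Jane Q. Example
Admin Name: John Smith
Tech Name: Alice Wonder
Tech Email: awonder@example.invalid
"""

# Constructed sample: accounts that actually exist in the directory.
DIRECTORY_ACCOUNTS = ["jsmith", "jexample", "awonder", "svc_backup", "hr7713"]


def contact_names(whois_text):
    """Pull 'First [Middle] Last' names out of whois-style '<Role> Name:' lines."""
    names = []
    for line in whois_text.splitlines():
        m = re.match(r"^\s*\w+ Name:\s*(.+?)\s*$", line)
        if m:
            names.append(m.group(1))
    return names


def candidate_usernames(full_name):
    """Common derivations of a username from a person's name (lowercased).

    Assumed conventions: first+last, initial+last, first+initial, dotted,
    underscored, last+initial, bare first, bare last.
    """
    parts = [p.strip(".").lower() for p in full_name.split() if p.strip(".")]
    if len(parts) < 2:
        return set()
    first, last = parts[0], parts[-1]
    return {
        first + last,          # janeexample
        first[0] + last,       # jexample
        first + last[0],       # janee
        first + "." + last,    # jane.example
        first + "_" + last,    # jane_example
        last + first[0],       # examplej
        first,                 # jane
        last,                  # example
    }


def predictable_accounts(whois_text, accounts):
    """Return {account: contact_name} for accounts derivable from public names."""
    account_set = {a.lower() for a in accounts}
    found = {}
    for name in contact_names(whois_text):
        for cand in candidate_usernames(name):
            if cand in account_set:
                found[cand] = name
    return found


if __name__ == "__main__":
    hits = predictable_accounts(WHOIS_SAMPLE, DIRECTORY_ACCOUNTS)
    for acct, who in sorted(hits.items()):
        print(f"{acct}: derivable from public contact '{who}'")
```

Run against the constructed samples it flags jsmith, jexample and awonder and leaves svc_backup and hr7713 alone; the useful output for a defender is the flagged set, which is exactly the set of accounts to review for lockout policy and MFA, and the public contact entries worth replacing with role addresses.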
Current thread:
- [PEN-TEST] Hypothetical Wargaming H Carvey (Oct 07)
- Re: [PEN-TEST] Hypothetical Wargaming Mark Teicher (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming Etaoin Shrdlu (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming Bennett Todd (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming van der Kooij, Hugo (Oct 12)
- <Possible follow-ups>
- Re: [PEN-TEST] Hypothetical Wargaming Dunker, Noah (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming Deus, Attonbitus (Oct 10)
- Re: [PEN-TEST] Hypothetical Wargaming Danny DS Stieler (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming H Carvey (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming Deus, Attonbitus (Oct 11)