Penetration Testing mailing list archives

Re: [PEN-TEST] Hypothetical Wargaming


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Mon, 9 Oct 2000 10:09:32 -0500

Good question, actually...

A few friends of mine (myself included) will actually be
setting up a "WarGame Network" in the near future; I'll
keep everyone posted.  So far, it looks like NetBSD, Win2k,
a few Linux distros, and maybe some other OSes, machines
provided.  As for the question at hand...

I won't specifically command-line script this, and there's
no really good way to judge what my initial response to each
machine will be.  It depends on what services are running,
and that can vary from machine to machine.  Right now, the
heavy-hitters are IIS, and NetBIOS over TCP (NBT).

Use the evil whax0r tool "Whois" (on Windoze or UNIX) and
find some information about contacts for the company.  You
can learn quite a bit just from this alone.  Maybe generate
"account names" from the people's names in the contact list
(or use e-mail addresses you find in whois.)

Try to determine what their network structure is.  Does it
look like they're using NAT (Masquerading, whatever)?  If so,
there's probably a packet filter as well (be it another system
or a firewall.)  Try looking at ARIN and figure out how many
IP addresses they own.

Use programs like "NetBios Auditing Tool" (can be acquired from
packetstorm.securify.com) to pry account and filesharing info
from the hosts.  From here, you should have some information to
get started with, and maybe even a few password hashes to run
through L0phtcrack (www.l0pht.com).

Focus on vulnerabilities you can find with IIS (you can even be
a scriptkiddiot and use programs that other people have written;
they're out there... check the Security Search engines such as
http://packetstorm.securify.com or http://astalavista.box.sk).


For a "Hypothetical Wargame", Physical Site Penetration may be
just a little overkill... but Social Engineering might be okay.
It never hurts to call the company and mess with people's heads.
You just might talk to someone interesting.  Remember that this
is totally hypothetical though.  A "Practical" attack is going
to vary an order of magnitude from a "Theoretical" attack of the
same.

--Noah Dunker

-----Original Message-----
From: H Carvey [mailto:keydet89 () YAHOO COM]
Sent: Saturday, October 07, 2000 6:53 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Hypothetical Wargaming


Assume you're given a pen test.  All you have is a
domain name.  A couple of quick checks tell you
that the systems in question are Win32 machines.

Your goal is to "tag" a file.  No DoS allowed.

IIS, Exchange, and MS DNS are being used.

What steps do you take?  At each step, what do you
hope to gain, and what programs/scripts/techniques
do you use (give program name, and command line
switches/GUI options)?

At each step, assume both NT and Win2K.

