EH-Net

Can I just ask from a non-tech perspective (please bare this in mind with your responses), when you do network pen testing or vulnerability scanning services for your clients, perhaps simulating an “internal employee” angle, how do you get your set of vulnerability scanning and exploitation tools into your clients network – i.e. if there network admin says something along the lines of…

“you can’t install any vulnerability scanning tools on any of my servers, and you can’t attach your own vulnerability scanning laptop to our network to use that, plus all our devices use full disc encryption so you can’t use boot discs, and you won’t have administrator rights on any corporate device we give you to install whatever you chose”

- where do you store and run your tools from? Are network admins typically like this? Can your tools be run as “portable apps” from a USB device? But then I guess there may also be USB policies restricting those. I don’t even know which tools are current, but I have always wondered how you get your armoury in a position to scan the network if the admin has demanded compliance and restraints.

Second part of the question - If there are ways to run vulnerability scanning tools direct from USB, can you recommend any free ones that will run from USB and produce a management freidnly vulnerability report on say a windows file server, so OS vulns, 3rd party software vulns, server software vulns etc. I am not bothered about exploit just a top level scan with potential issues.

Apologies for the basic level of the question but it is something that has always interested me. I guess from a network admin perspective their priority is keeping services online and at optimum performance, and not facilitating a platform for an ethical hacker. Please keep your answers pretty basic if at all possible and thanks in advance for any responses.

Cheers

We bring our laptops on-site and connect directly to the client's network. We work with the client during the pre-engagement/scoping phase to identify and define any limitations that we must adhere to. We don't typically make an issue out of them as long as they're reasonable (i.e. automated scans kill the mainframe, please don't run automated scans against that server). If they're too extreme, that's usually indicative of a client trying to game the test and get an easy "pass" mark. You see this more when people are required to have regular pen tests performed (i.e. PCI) as opposed to when they go out of their way to get one to legitimately test their defenses.

Slightly off-topic, but someone I know was recently put in a situation where he had to test from a Windows kiosk system that was extremely locked down. You know, for "security" reasons. He just browsed through the shares via Network Neighborhood and found domain admin credentials in a batch file in an open share. It's sad to see more effort being put into cheating through a pen test than basic security.

Regarding portability, I'd just setup something like a BackTrack VM on an external USB or thumb drive. For free vulnerability scanners, you're pretty much stuck with OpenVAS, or a Home Feed for Nessus if you're using it for personal or testing/evaluation reasons.

Many thanks for your response. What is your view of OpenVAS as a vulnerability scanner?

I use it all the time. Prefer it over Nessus... community support, open source, active updates, all have pushed it slightly ahead of nessus in my opinion.

I haven't used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles? I haven't used the paid version either, but have read a little bit about it.

There are no limitations with OpenVAS regarding IP ranges you can target, unlike the home version.I'm not sure what other bells and whistles you might be mentioning regarding Nessus, but I'm just after the scan results so I can validate it or other findings using other scanners.

There' a fairly recent post on here discussing OpenVAS vs Nessus which may be of interest: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9379.0/

I was under the impression that the Professional version gave you access to some scripts that weren't included in the free one..? And is there a delay in plugin updates on the free one as well?

The professional feed does have additional features: http://www.tenable.com/plugins/

Historically the home feed did have a delayed feed, but this is no longer the case. AFAIK it's been that way for a few years now.

That's good to know, thanks!


And I think I can see where Tom's coming from.  The features in Professional, just going off that link, looks to be more geared toward enterprises setting it up for internal use?  As far as using for a pentesting situation, all you're really looking for is the scanning vulns aspect.

It's quite common to bring our laptops on-site, and sometimes even scanner appliances as well, which can be quite huge and bulky. Sometimes when we do a host security assessment, remotely via a VPN connection or via another encrypted channel, we are told that we should save all our files in /tmp, and that any tools we install must in some cases be installed by them, or in other cases, be removed immediately after we have used them.
That's pretty much how we perform those kinds of tests. When we do wireless penetration tests, we bring our own laptops and alpha cards with good antennas as well. Otherwise, how would we be able to perform a test adequately and to e.g. high standards?  :)

Typically when I run across situations like this where the customer is trying to put restrictions on how we conduct the test, I try to explain that without the restrictions the client will get a more valuable report. If they continue to insist, I work within the Rules of Engagement and caveat the report where necessary.

Our normal setup for internal-type assessments is a laptop with pre-installed VMs with all our attack/assessment tools installed.

Just to add an obvious point, I have never seen once a client that would allow me to install backdoors, rootkits or other malware. And I can understand them!

That being said, I tell them in my report that once I have got a system shell, I could have install them.

Also, bringing my own laptop also implies bringing my personal notes, scripts, etc. I don't know about you guys, but if I have, let's say, performed a VA on an Oracle database a year ago and haven't touched it since then, I would be a bit rusty...

Anyways, obvious but worth mentioning.

I think you need to be careful how you define a backdoor. The MSF psexec module uploads a malicious exe to System32 (by default) and runs it via a service? Is that a backdoor? Perhaps.

I've strangely enough found this in back-to-back engagements, so I did a short write-up about it: https://www.infosiege.net/2013/01/wbemmof-based-exploitation-via-freeftpd/

I'd certainly consider that to be a backdoor, but it was necessary to compromise the system.

At the same time, I've never instead a RAT that gives me access from anywhere in the world. When in doubt, consult your client contact before proceeding.

Regarding notes, check out Evernote. That'll sync your notes between pretty much any device. Even if I couldn't use my laptop for whatever reason, I'd still have access to my notes on my iPhone and iPad.