EH-Net
|
|
May 25, 2013, 05:45:37 AM
|
Show Posts
|
|
|
|
49
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: The Value of an External Network Penetration Test
|
on: November 24, 2010, 04:17:49 PM
|
|
Hi Guys
Thanks for the responses, but I think maybe I should have explained myself a little better. So staying away from ports 80, 443, 8080 and any other websites running on non-standard ports (as I tend to always have some success attacking a web app/webserver). I wanted to know whether I was missing something when attacking those other services which I found commonly available during my external network tests, i.e. 21, 22, 23, 25, 53, 1723, other than what I mentioned. Obviously I would check the other services in a slightly different manner to FTP, i.e. 25 for mail relay, enumerating users using HELO, EXPN, VRFY etc etc, but just wanted to know whether external tests always tend to be fairly boring.
@H1t M0nk3y - They were blackbox tests and I didn't have access to their facilities.
|
|
|
|
|
50
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / The Value of an External Network Penetration Test
|
on: November 24, 2010, 11:22:08 AM
|
|
The Value of an External Network Penetration Test
So, in my short-lived career as a penetration tester, I have performed around 4 external security assessments. Each assessment consisted of a scope of less than 20 public IP addresses, against which brute force and denial of service attacks were not permitted. On each occasion 1 or more of the following services were identified during a full TCP and UDP port scan.
21, 22, 23, 25, 53, 80, 443, 1723, 8080
Taking away ports 80, 443 and 8080, which are dependent on whether there is a website available publicly and not secured so that only particular IP addresses can connect to it, I often find that the assessment is not very fruitful.
So what testing do I perform? Well, on an FTP service I will check to see if anonymous access is permitted, weak credentials are in use (without running hydra to brute force as apparently this is not permitted??), grab the banner and check for vulnerabilities in the software. On most occasions I pretty much can only report on the fact that FTP is clear text! Am I missing something or is this how all external network penetration tests are?
|
|
|
|
|
53
|
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: WebApp Vulnerability Scanner Comparison
|
on: November 16, 2010, 04:24:57 AM
|
|
MaXe
Yes, I agree a web app scanner is certainly just part of the job and performing manual testing is actually what forms a penetration test.
I have found that Burp Scanner is pretty good as it has managed to find vulnerabilities on several occasions where Acunetix didn't detect anything. I also use Nikto and Nessus but find these are more successful at finding web server vulnerabilities (although maybe my configuration may need tweaking for better results) and dirbuster for hidden, default directories and files etc etc
|
|
|
|
|
58
|
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Am I dreaming?
|
on: November 15, 2010, 04:29:48 PM
|
Well I have to say I certainly agree with Sil and Grendel on this one. If you are new to the security field like myself I can totally understand where you are coming from SephStorm because you want to learn and master the concepts ASAP. I started a thread on EH back in July (see link below) after just a few months of getting into the security field and also felt like yourself where I wanted to find a course that would provide me with as much information as I could in order to pass a cert like the C|EH and feel that I was therefore competent. 4 months on from then my confidence has certainly grown but a lot of it is because I am starting to realise that you cannot take any one course or training material over a short period of time and know what you are doing, but taking your time and learning is the most effective way. There are some really good guys on this forum so why not maybe try purchasing something cheaper (C|EH study guide) and play with all the tools in a LAB at home and any questions just post them on EH and I can guarantee 9 times out of 10 someone will be able to provide advice or point you in the right direction. I am currently performing the HackinDOJO training and would recommend it. At $95 per month you can't go wrong, you can even try it for one month and if you decide it's not what you want that's fair enough but I would recommend it because Tom has managed to structure it so you have a session with him once a week and then you have 7 days thereafter to get a good grasp on the material taught from that week. http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5712.0/
|
|
|
|
|
60
|
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Why I failed OSCP...
|
on: November 12, 2010, 11:01:19 AM
|
@H1t M0nk3y I am sorry to hear this. I have heard mixed views on the OSCP exam and the general opinion is that it is not easy at all. I am currently preparing myself for the CREST Registered Tester exam due next month at the moment and want to go on to perform the CREST Certified Tester exam next year (provided I pass the CRT). I would love to know how the OSCP compares with the CREST CCT exams but am aware that CREST is yet to establish itself worldwide and is still very much the main cert to have in the UK.
|
|
|
|
|