EH-Net
May 19, 2013, 02:23:50 PM
Show Posts
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / pen test documentation
on: August 01, 2012, 09:36:50 PM
When documenting your findings for a pen test, is it a good idea to briefly explain what the tool is doing and the basics of how it works? For example, should I state why nmap found what it found and how it does that? Here is a small excerpt from my documentation as I scan the De-ICE disk.

-----------------
Output and displays of various mapping tools used against targets 192.168.1.100 and 1.110:

First tool used is ping:

root@bt:~# ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
^C
--- 192.168.1.100 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7026ms

root@bt:~# ping 192.168.1.110
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
^C
--- 192.168.1.100 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 7084ms

As you can see, no targets were identified. Either they are unresponsive to ICMP requests or they are physically down. I assume the first. For more information on ICMP, please refer to the man pages.

Next I will use a series of nmap switches to see what information I can pull from the target. Nmap by default (nmap x.x.x.x) will create a TCP connection to open ports and establish the 3-way handshake, which is very detectable by firewalls and IDSs. Imagine you're a firewall, and all of a sudden 8 ports on your machine just had a complete TCP connection on them. Wouldn't you be suspicious? Hmm? That's where stealth scans come in. More on this later:

root@bt:~# nmap 192.168.1.100 (nmap -sT 192.168.1.100 does the exact same method)
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-01 17:57 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00027s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  open   ftp
22/tcp  open   ssh
25/tcp  closed smtp
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
MAC Address: 00:0C:29:9A:56:D7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 17.73 seconds

As you can see, the target has 6 or so ports open. Why is this important, you say? Well, think of it this way: you just made a CONNECTION using TCP to an open port... What happens if you know a username and a possible password??? Using the ping sweep switch -sP will send an ICMP packet and a TCP SYN packet to the system as well, since most targets are set up to drop ICMP:

That's just my documentation of the hands-on portion. I will be using this info for a final report. Am I supposed to explain what the commands are doing and why in the final report? Thanks guys so much for the last few weeks of help and answers.
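A worked example of what the write-up above is doing by hand, added here as an illustration; it is not code from the poster or from the De-ICE/Heorot course material. The script parses the ping statistics and the nmap normal output quoted above into structured findings and emits one line per open port with a plain-language note of the kind a report reader wants next to the raw tool output. The sample text is the poster's own scan of 192.168.1.100; the function names and the wording in SERVICE_NOTES are this example's own assumptions.

```python
"""Parse the ping and nmap output pasted in a pen-test write-up into findings.

Added example (not the poster's code). The two sample outputs below are the
poster's own scan of De-ICE host 192.168.1.100; function names and the
SERVICE_NOTES wording are this example's assumptions.
"""
import re
from collections import defaultdict

# Constructed from the ping statistics block quoted in the post.
PING_OUTPUT = """\
--- 192.168.1.100 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7026ms
"""

# The nmap normal output quoted in the post, with its line breaks restored.
NMAP_OUTPUT = """\
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-08-01 17:57 EDT
Nmap scan report for 192.168.1.100
Host is up (0.00027s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE
20/tcp  closed ftp-data
21/tcp  open   ftp
22/tcp  open   ssh
25/tcp  closed smtp
80/tcp  open   http
110/tcp open   pop3
143/tcp open   imap
443/tcp closed https
MAC Address: 00:0C:29:9A:56:D7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 17.73 seconds
"""

# One-line "why this matters" notes for the report (hypothetical wording).
SERVICE_NOTES = {
    "ftp": "FTP, clear-text logins; check for anonymous access and weak passwords.",
    "ssh": "SSH, remote shell; exposed to password guessing unless key-only auth is used.",
    "http": "HTTP, web server; page content is the usual source of information leakage.",
    "pop3": "POP3, clear-text mail retrieval; credentials cross the wire unencrypted.",
    "imap": "IMAP, clear-text mail access unless IMAPS/STARTTLS is enforced.",
}

PING_STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) received")
NOT_SHOWN_RE = re.compile(r"Not shown: (\d+) (\w+) ports")
PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ping(text):
    """Return (sent, received); 0 received means 'no ICMP reply', not 'host down'."""
    m = PING_STATS_RE.search(text)
    if m is None:
        raise ValueError("no ping statistics line found")
    return int(m.group(1)), int(m.group(2))


def parse_nmap(text):
    """Parse nmap 'normal' output into a dict: host, up, not_shown, ports, mac."""
    scan = {"host": None, "up": False, "not_shown": None, "ports": [], "mac": None}
    for line in text.splitlines():
        if line.startswith("Nmap scan report for "):
            scan["host"] = line.split()[-1]
        elif line.startswith("Host is up"):
            scan["up"] = True
        elif line.startswith("Not shown:"):
            m = NOT_SHOWN_RE.search(line)
            scan["not_shown"] = (int(m.group(1)), m.group(2))
        elif line.startswith("MAC Address:"):
            scan["mac"] = line.split(":", 1)[1].strip()
        else:
            m = PORT_LINE_RE.match(line)
            if m:  # header and summary lines do not match the port pattern
                scan["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                      "state": m.group(3), "service": m.group(4)})
    return scan


def ports_by_state(scan):
    """Group port numbers by nmap state: {'open': [...], 'closed': [...]}."""
    grouped = defaultdict(list)
    for p in scan["ports"]:
        grouped[p["state"]].append(p["port"])
    return dict(grouped)


def findings(ping_text, nmap_text):
    """Evidence plus meaning: the lines a report reader wants under each tool's output."""
    sent, received = parse_ping(ping_text)
    scan = parse_nmap(nmap_text)
    grouped = ports_by_state(scan)
    lines = []
    if received == 0:
        lines.append(f"ICMP echo: {sent} sent, 0 replies. Not by itself proof the host "
                     "is down; the TCP scan decides that.")
    shown, state = scan["not_shown"]
    lines.append(f"Host {scan['host']} is {'up' if scan['up'] else 'down'}: "
                 f"{len(grouped.get('open', []))} open, {len(grouped.get('closed', []))} closed, "
                 f"{shown} {state} (MAC {scan['mac']}).")
    for p in scan["ports"]:
        if p["state"] == "open":
            note = SERVICE_NOTES.get(p["service"], "no note for this service")
            lines.append(f"  {p['port']}/{p['proto']} {p['service']}: {note}")
    return lines


if __name__ == "__main__":
    print("\n".join(findings(PING_OUTPUT, NMAP_OUTPUT)))
```

Run as-is it prints the findings for the quoted scan; to use it on a real engagement, replace the two sample strings with the saved tool output. The point of the ICMP line is the one the write-up makes in prose: zero ping replies is evidence of ICMP being dropped, not of the host being down, so the report should say which of the two the later TCP scan confirmed.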
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: August 01, 2012, 04:36:11 PM
Last minute question. I notice in the DVD lectures Thomas always says to practice against De-ICE 1.101. I do not and cannot find De-ICE 1.101. I can find 1.110 but not 1.101.
Not sure about that... maybe he's referring to an older release of 1.110, or just recorded it wrong.
That's what I was thinking. Just wanted to make sure. He does say 1.101 multiple times, so it must be an older version then. Haha. Hopefully what I can do to 1.100 I can do to 1.110, but I will find out. Thanks.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: August 01, 2012, 02:07:24 PM
And the Pro Penetration Test: Creating and Operating a Formal Hacking Lab DVD is great. Go further and further, man, don't miss practice. Take care.
Awesome. I am hoping the courses on the DVD are going to help me complete at least level one. I tried reading the book first but got lost in some of the material for the actual pen test when he starts using other things. I then realized the book is not what walks you through the De-ICE scenes; it's the DVD. The book is just extra info that can be used to supplement the DVD course. So I am doing the DVD courses first and then reading the book to get the more in-depth info. @shadow zero, thanks for the link of comparison. I will read up on those and once I'm in a state of understanding it, I will use them. Last minute question: I notice in the DVD lectures Thomas always says to practice against De-ICE 1.101. I do not and cannot find De-ICE 1.101. I can find 1.110 but not 1.101. Thanks
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: July 30, 2012, 12:36:23 PM
For the FTP service try to crack the user and pass with ncrack. In BackTrack open the terminal and type: Ncrack -- v (user) (target ip address):(port which is 21 in this case)
Ah, thank you. I will read up on ncrack to see what the switches are doing. Does ncrack actually crack the password, sorta like hydra? Thanks guys. Here is how I am doing this project. I hope you don't mind me telling you, but I want to let you know my method of doing things just in case someone can benefit from it. Plus you have answered my questions and I feel that I need to make sure your info is put to good use. My plan of attack:
- watch the videos from my DVD course I purchased from Thomas and take notes
- take notes on the slides from the movie
- document my notes from the movie and slides in a Word file
- read the required pages he has posted in the course: ISSAF .2.1.b (13-61, 87-169)
- highlight the ISSAF reading and document the highlighted sections
- then for any tools he/ethicalhacker.net discusses, write small one-paragraph summaries of what I find and what they do to each device, including time stamps
- take screenshots (if I remember)
- follow the examples Thomas and you guys show me for De-ICE and document those examples in my Word file
- take all the documentation, including summaries of the ISSAF reading notes, and create a technical report that I can give to someone for review
That's my course plan. Haha. Thanks guys.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: July 27, 2012, 12:02:47 PM
Thanks for that reply. It provides some awesome info, especially about the FTP. I forgot about the ability to log into that as an unclaimed user. OK, so I tried to use the Hackerdemia live CD to learn hydra, but even the new live CD of Hackerdemia is still missing the hydra tutorial. Is there a fix for that soon? Some of the other stuff you mentioned I am unfamiliar with, such as the SQL injection stuff. I have never used SQL. I think I need to finish the HPTF (Thomas Wilhelm's course) course first, haha, before moving into more complicated stuff. FYI, in case you're not sure what I mean by the HPTF course: Thomas Wilhelm has made courses to teach this stuff using De-ICE. I started last night. I found my DVD from his book that has the ISSAF course. Anyway, back to topic. I was along the same thinking that an open port is just an open port. But ones such as SSH or FTP mean a user can log in. BUT I do not have the user name or password. I assume my goal is to find a stupid mistake by someone (not stupid but un-logical) and that may give me a password. I'm not sure how much can be done on the level 1 disk, but I hope I can find the company picnic pictures. I want to see them getting attacked. Haha. But the other interesting thing on the site: "We hope that Marie M. has a speedy recovery - flowers and cards can be sent to the North Annex of "Our Lady of Unfortunate Demise, Hospital and Backhoe Rental". We will post pictures of the picnic soon, so check back later" I see the backhoe rental hint and wonder if I can grab people's financial data from the rental records, IF the backhoe page does exist. Is there a way to see what other webpages they may have? IE a site map, so I can see what other pages they have. I'll do some more digging, but I'm not sure what has been thought of in the level 1 disk, so I'm not too sure what can be done and what can't be done. Thanks for the help. Time to make a list of names and find that dang Hackerdemia live CD tutorial.
EDIT. Well, I guess emailing the names from Gmail ain't a good idea. I was guessing that it would come back as a bad address BUT I was hoping the email address adamsa@herot.net actually worked and maybe be able to get a reply from it. Nope. Oh well.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: July 26, 2012, 01:40:31 AM
Thanks for the awesome reply my friend. I didn't mean to make the post soooo long winded, but I had to defend my honor of having a bachelor's in network engineering that I NEVER use. I can totally see why you guys asked though.
OK, first things first, you all are gonna laugh at me. So about 2 or 3 years ago I purchased Thomas Wilhelm's book "Professional Penetration Testing", didn't read much and didn't check out the DVD. It was during a rough time in school and life, so things got put on the back burner. So last night I finally got a chance to watch the Heorot Penetration Testing Fundamentals course videos. The DVD comes with the full course for the ISSAF including lecture notes, videos and live CDs, except Hackerdemia must be out of date because all the lessons on it go to a page under construction... so the tutorial on hydra is not there. Oh well.
Here is where I need to look at things backwards and I may need some help. I watched the video on the DVD where he scans using different techniques. He shows that port 80 is open and then goes to the webpage. What is so important about port scanning besides the fact that it shows what types of services are running?
To tell you the truth, sarcastically I thought to myself "yeah, so what's the big deal that port 80 is open, or 21. So they have a web server up. Who doesn't?" OK, that's what I need some correction on: the importance of open ports. You can't do much if you do not have a password... which I assume is part of the challenge, BUT the tutorial on the live CD of Hackerdemia does not exist, so I'm stuck at the moment. Haha. Maybe the vids show me what to do in a sense.
OK, I also noticed on the webpage that it says pictures coming soon of the picnic and to send flowers and cards to a specific place. Are finding the pictures and finding where the cards are going any part of the challenge?
OK, thanks guys. I know I have a lot to say, but I'm practicing to document everything so I can get a cert and also use the technical report for my engineering writing class.
You guys are fantastic.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: July 25, 2012, 12:03:45 PM
Good point Rance. LT, what is your current base of experience? Have you been working in IT? Do you have a programming or systems background? The way to succeed in this industry is to build up the base. Many of us have worked in IT for years doing one thing or another. Knowing some network and system fundamentals helps a good deal. I did notice you mentioned some Cisco books; did you get either of the certs or just pick up the books to get an idea of the material?
I have a degree in net engineering along with a CCNA and the routing part of my CCNP. I also have my RHCT. BUT that was 5 years ago and I have never had a job that uses it. I have had IT jobs and was department head, BUT our network was sourced out before I got there. Prez said no touchy, so I handled the lower-end stuff. But I did work for IBM and I installed the backbone for the eBay HQ in my area. But after that I switched to mechanical engineering because that had the career options I wanted. Hard to explain. Haha. The IP addressing is not hard for me to do. I can supernet and subnet address space for route propagation and ACLs in Cisco routers just fine. Supernetting is my favorite, especially when you use wildcard masks for the control lists, haha. What was confusing me was why all the attacks were private side. I was getting the impression from the material that access had already been gained and now you were just trying to enumerate more info. It was confusing me because I thought the material was supposed to teach how to gain access in order to know how to protect. I was not under the impression that such an unsecure server could exist, but then again, this is level one material and they have to present it somehow for the basics. Haha. lol. BUT it has been 4 or 5 years since I have used my CCNP knowledge. My friend is Todd Lammle and his ghost writer and editor was my professor (the book was not the professor, haha. It was a real person :)). It was kind of cool. Now, I will say this. Just because I was excellent at supernetting and configuring routers does not mean I am good at security. I know how ICMP, TCP and other protocols work pretty well, but that does not mean I know how to manipulate them. I could never figure that part out. Haha. Understanding how things worked normally was easy for me, but understanding how to manipulate them, or troubleshoot them because they are not working so well, that was the hard part.
This is why I am wanting to complete the Heorot courses. I feel that as a mechanical engineer, this can and will help my problem solving skills and give a sense of accomplishment. Haha. I never know if in the future I will be called to the office because the IT team needs some help. So I do like to review concepts every so often. BUT security is something I have never done. I mean, it's easy to follow a firewall tutorial to protect your house or company, but if you don't know why it's doing what it is doing, well then. Haha, and that's why I am here: to learn security. Haha. That was a LONG winded reply, but I wanted to make sure I expressed my unawareness of security but also let you know that I have some excellent experience in networking. You guys are awesome and I trust you all. Thanks much.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: July 24, 2012, 04:56:25 PM
AWESOME. OK, so I was somewhat right about just pretending they are public-facing IPs. I was just making sure. It was really confusing me. I'm still trying to remember everything I learned from 5 years ago in my CCNA and CCNP classes. I never used the info, so it's kind of dusty. Haha. As for my lab, my ultimate would be to have an online lab that is virtual (VMware) and have some virtual Cisco and firewall products in it. But that will be after I know what I am doing. Haha. As of right now, I would love to have a VPN set up and run RDC over it to run my labs, or some sort of online lab for this. My next question I need some light on is SSH. I know it's a secure shell. I think of it like a type of VPN: it logs me into the system/network from a remote location, so sorta like the early stages of RDC. My question is this: once I have SSH'd from my Ubuntu 11.10 laptop into a remote machine running BackTrack 5, I can issue BackTrack commands that would be unfamiliar to Ubuntu 11.10 if I were not in an SSH session, right? IE, I can type metasploit and it will run the program because I have SSH'd into the BT5 machine, right? Here is what my ultimate virtual lab would be. Basically the Hacking Dojo has somehow read my mind and created it. Haha. http://hackingdojo.com/lab/ But for now, I need to learn how to set up a basic VPN that is easy to use and understand. I have no firewall, just a basic CenturyLink router. I think Hamachi or OpenVPN might be best. Thanks for the help so far. I'm not sure where to post my other questions. I have no idea what I am doing when it comes to security. I have tried the last couple of years, but I end up just stopping because I have no help or idea. I would love to find a full tutorial that explains how to complete De-ICE level 1 and why they chose that path and why it is important. I really do need my hand held. Haha, cuz I have no idea what I'm doing. Haha. Thanks guys.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: please shed some light
on: July 23, 2012, 12:12:27 AM
That's cool about the scanme.nmap.org site. Thanks for sharing that.
OK, so why are all the tutorials out there about hacking from the private side? I don't understand that. IE, the De-ICE challenge level 1: you scan and enumerate from the private side as if you had already gained access. But I thought the whole point of pen test training is to show how to gain access, but if you are attacking from the private side, then that assumes you already have gained access. Are you supposed to sorta "pretend" that the web server on De-ICE or any other challenge has a "public" IP and you're just using a private IP as your fake/unreal public?
Thanks. I hope this is not confusing. I'm just trying to make sense of it all. I am totally new to this whole hacking thing. I mean, I need someone to hold my hand for level one because I have no idea where to start or why. Even watching movies does not help because it does not explain why they chose to do that.
Thanks guys.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / please shed some light
on: July 21, 2012, 10:55:57 PM
I have been reading Thomas Wilhelm's book Pro Pen Testing and I have been reading some other resources from his site as well. Here is a question I have. I have noticed that every lab scenario from countless tutorials has you always perform an nmap scan to see what hosts are on the network that could be potential places for hackers, such as open ports I assume. That's fine, but I noticed it's all private side scanning. What if a hacker is from a remote location and has to go through a public IP? He or they would have to gain inside private access first, then do scans. So it seems pointless to me to do pen testing from the private side, cuz that assumes the hacker has gotten in already. Can you scan a public IP for open ports? Thanks guys
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building an online lab
on: June 19, 2012, 04:03:33 PM
Perfect. Thanks for the help. I know they sound like very basic questions, but it has been 5 years or so since I have dabbled in this stuff. My ISP is pretty quick; well, my dad's is. The one I will be remotely viewing from, I'm not sure how fast they will be. Haha. Some hotels are pretty slow. I was not sure what an RDC user could do once logged in. So I'm glad to hear that they can actually launch the VM or VB software and leave it running. I know when I have used Citrix (I did not set it up, just a user), if I logged out, all my stuff went away, so I learned to just disconnect.
Maybe I should try and get Citrix. Hmm. Anyway, I think this week I am going to start getting the local lab built and then work on the online part. My ultimate lab would be able to incorporate Packet Tracer (Cisco) and tie it to my virtual machines and then be able to use Wireshark to scan the network including the Packet Tracer stuff. That would be cool, to be able to do that hassle free. But I can't even get BT5 to work. Makes me mad. Ha ha.
Thanks Matt
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building an online lab
on: June 19, 2012, 12:13:08 PM
Perfect. Thanks for the info. I was not entirely sure if RDC needed a VPN in order for it to work. But like you said, it is HIGHLY recommended. Don't need anyone else trying to use RDC against my public IP once I have that port open. Haha. SO I will use a VPN.
OK, so once I have the VPN set up, does RDC have a lot of lag? Is my screen going to be glitchy when I try to do stuff?
Does anyone have a YouTube video showing how well RDC works over VPN for an online lab setup?
Oh yeah, one other question. With RDC, does it give me a different desktop than what my current one is? If so, how do I make sure that VM or VB is on the correct screen so when I log in, I can see it all?
Thanks. Sorry for all the questions. I just have never set up a VPN or RDC.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building an online lab
on: June 18, 2012, 05:57:34 PM
So sorry for the late reply. Work has been very busy. I have had no time to set up this lab. Haha. However, I did get a chance to try out TeamViewer and that seems pretty cool. However, I do not know how well and how fast that will be. Not to sound stupid, but please educate me on why a VPN is needed? Is it the only way RDC will work? I know that a VPN connects me to my dad's network space and whatever is shared on his network or PC, I have access to. So if I'm thinking correctly, does RDC only work from a private machine to another private machine, and in order to do that I have to be connected to the private network via VPN? My host system will only be Win XP Pro, haha. I do not have access to new software through my MSDNAA student account anymore. OK, so I think the first thing I should do is set up my VMware free server or VBox and at least get a lab built, then worry about remote access? What say you guys about VMware Server (free) vs VBox? Thanks guys. I'll try to respond faster. Power just went out in our building from too much AC! Hahahahahaha
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: building an online lab
on: June 13, 2012, 12:18:31 PM
Thanks for the reply my good friend.
I have used Untangle and SmoothWall in the past, but those were the firewall options that you installed onto a low-end system and used that as your firewall and your somewhat routing solution. Haha. Here is what I'm concerned with: since the lab is gonna be at my father's place, I need to be respectful of his concerns. If it is at all possible to keep the CenturyLink DSL modem/router in place without adding another box to firewall or route, that would be ideal.
Maybe I misunderstood your post. I may have to re-read. I have been having to re-read a lot lately. Too much going on at once. Haha
Is RDC the default that is on Win XP, or is it another software package that allows RDC?
Last question regarding VPN. Never ever in my life have I ever set it up. I find it kind of sad that I have a CCNA and have done my CCNP but have never ever set up a VPN ever... I have even done my RHCT stuff. Oh well, no sense crying over spilt milk... Oh yeah, my question is: since I will be on the road sometimes when I want to use the lab, I know most hotspots or hotels use the 192.168.0.0 network space, so I assume in order to not confuse the router, I should configure my home network to something different, maybe even 10.10.x.x?
Thanks.
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / building an online lab
on: June 12, 2012, 05:53:33 PM
Ello all. I am curious how to build an online lab. I have built a virtual lab using VBox and some ISOs in the past. However, I now want to go a step further and be able to log into the virtual machines from the internet so I can be at school or on a trip and be able to practice pen testing against a safe environment.
How does one accomplish this task?
How do I allow the user (me) to see the GUI desktop of my session so I can see what is going on? I basically want to be able to have a BackTrack desktop GUI and then be able to attack the De-ICE and other ISOs I have set up in the virtual machines.
Will SSH give a GUI session? Wait... it's just a shell. Doh...
Since I need to be able to admin this and reset machines when I break them, I need a second account, so to speak, to accomplish that. My goal is to have my friends and I practice some testing while we are not always at the same house.
I'm just not entirely sure where to start with this project. VNC?
My host OS is Win XP with 4GB of DDR 400 RAM. AMD X2 4500+
I would want it to be as smooth as possible looking. Not too laggy.
Thanks in advance guys.