EH-Net
May 24, 2013, 04:13:54 AM

451
Ethical Hacking Discussions and Related Certifications / Other / Re: Security Questions
on: November 03, 2011, 09:03:32 AM
Ps_107
It all depends on the scope of the project. There are internal and external tests and both come with their own scope of work. But let's take a step back for a second. Penetration tests are not cheap (if you stick with a reputable company). If you are currently a single-person environment with no server at the moment, then a penetration test is not really something you need.
I would suggest bringing in an IT consultant in your area who is familiar with the needs of a small business client to assist in your setup. This also holds a cost but it is much less than a penetration test. We usually schedule a test when we know we have done all we can to secure our systems and want to see how we do. It also helps us in deciding where we need to improve more and budget that accordingly.
Don't get too paranoid with securing a network that may or may not exist. Figure out what you want to do with the network and work on securing it based on that.
Let's say I was building a new network for a small business < 5 workstations and MAYBE a server. For less than 5 people I would probably not waste money on an in-house server. I would probably look to something like Amazon Cloud services or Google Apps depending on what your industry is. If you are a one man shop, you can keep the costs down by using online resources for email and storage. Ensure the solution supports SSL based access as well as encryption for storage, or you can simply encrypt the data afterwards.
Again all this is really based on your industry and your business plan. If you don't like keeping your stuff up on the internet, then at least utilize it for backups. Keep in mind the larger the chunk of data you are backing up, the longer it will take to restore. I like to recommend backing up locally on an external drive and copying that to an online backup solution such as Carbonite.
If you do not keep any resources in house, then you can easily lock down your firewall device so only the necessary ports are allowed out and nothing is allowed in. Utilize 15+ character passwords using mixed case, numbers and special characters and keep services such as Windows 7's User Access Control (UAC) enabled. That is the box that pops up when you try to install something even though you are a local admin, it still requires the OK to proceed.
Keep it simple stupid is what I like to say. You can only lock down so much before it impacts your business. In this day and age you need to have an internet presence, Twitter account and hell even Facebook to an extent because that is where you will find the business. For all that you need to be online in some fashion. Just practice safe use and you are as protected as you can be.

452
Resources / Tutorials / Re: how to exploit iis 6
on: November 03, 2011, 08:11:59 AM
MBSA can only be used on the internal network and you need rights to the system you are scanning. It is a Sys Admin tool, not a penetration testing tool. It requires a number of ports open that are typically opened to local network resources. WMI is one of the main components it utilizes.

454
Ethical Hacking Discussions and Related Certifications / Other / Re: Security Questions
on: November 02, 2011, 11:31:14 AM
Thank you very much for all of the helpful information you've provided me.
You said, "When I am traveling I tend to VPN into my home network before I do anything.", I'm a little confused. I thought a VPN could only be accessed in other public locations other than your own home.. (such as a business complex or maybe even a library). I'm probably just missing something though, so would you mind explaining how to VPN your own "home network" without being in a business complex and the like?
Other than that, I'm definitely going to take everything you've said into consideration.
I have a home server running a couple different virtual appliances. One is a virtual OpenVPN server. OpenVPN allows you to have a single free VPN (virtual private network) connection. You can pay for it and get additional connections. There are some decent documents from them on how to set up both server and client. There are also a number of services you can subscribe to for a VPN but again you don't have control of the provider so it is not 100% secure. It probably is more secure than using the straight "Free" wi-fi at whatever coffee shop, airport or bookstore has available. The reason you don't see VPNs used in a more personal level is sometimes due to the cost of the devices that support them. Typically small/medium businesses have a higher end firewall that supports VPN and they use an internal server for authentication means. Those of us in the IT realm tend to have home networks that can support a similar setup and since we are the only users, we are only affected when it is down. For you I would recommend implementing a server for both your file storage and use of RADIUS authentication for a VPN solution supported through your firewall. That way when you travel you can VPN into your home office for file access and more secure communications. Glad I can help!

455
EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-November 2011 Free Giveaway Sponsor - Black Hat Events
on: November 02, 2011, 11:05:35 AM
I highly recommend trying to hit up a Bsides event, they are a wealth of information but don't carry the high cost of the big cons (free registration). If you haven't seen one in your area, you can always try to host one yourself. We did here in CT through our local hackerspace. It was a decent time. I am making my way down to Delaware next week for the BsidesDE 2 day event. At most I pay tolls, gas and hotel oh and food.
Next year I may even look at Derbycon if my budget can afford me additional time off.

456
Resources / Tutorials / Re: how to exploit iis 6
on: November 02, 2011, 11:00:58 AM
I'm glad my information was helpful. Though I will side with Hayabusa on the attitude adjustment. I tend to try and help where I can here since these guys are full of awesome information and are always helpful when the need is legitimate.
My rule of thumb is that if you are new to a group such as this, you need to observe a bit. Understand the group better and who the top players are. If you jump right in and start off with asking questions for help, usually that is a red flag. I am sorry that I didn't question your motives sooner but as I said, I tend to be a helpful guy. When you get overly defensive on something, it leads us to believe your motives may be more on the UN-ethical side of things.
As you mentioned you are from Turkey and the language barrier may have you coming off a bit more defensive than expected. And that is fine. From our standpoint there is at least one post a day that is someone asking for help or looking to hire someone to perform some unsavory tasks. We tend to probe the individual before answering any questions. I figured my suggestions were nothing you cannot find on Google so I didn't see any threat in answering your questions. If you truly mean to get educated here and use your powers for good instead of evil, then please continue being part of the community. If not, well then like Hayabusa said, you will not get any additional help from us.
Good luck.

458
Resources / Tutorials / Re: how to exploit iis 6
on: November 01, 2011, 01:03:16 PM
No problem. As for IIS 6 well sometimes you just need to realize that it may not be exploitable based on what is in use. Not to say that IIS 6 is not vulnerable to other attacks, but if the network is configured properly it is very difficult to use things like reverse TCP shells. So you need to say "Well this particular server does not make a viable attack vector because..." and state that it is possible that proper firewall rules are in place as well as IDS/IPS systems preventing the attack from happening.
IIS 6 is still currently supported by MS so there are regular updates available and there are hardening processes available. So if the person who configured the server originally knew his stuff, then that server might be locked down tight. If you review the last few big breaches you will see that it wasn't necessarily the version of software that was a problem but the configuration in the particular application. So it wasn't necessarily because IIS had ASP configured but an application configured with ASP.NET may have not been properly coded and XSS was allowed or the code to the SQL backend wasn't secured and SQLi was allowed.
Now if your MBSA report of that server came back green then there may not be any easily exploitable vulnerabilities on the Microsoft end of town. You then have to look at the specific web apps and try there. If it is custom written code then there very well could be some user created vulnerabilities. If there are no apps and it's just a regular old web server well you might not have too many options.

459
Resources / Tutorials / Re: how to exploit iis 6
on: November 01, 2011, 09:20:53 AM
Well there is nothing wrong with IIS. The other option is to run a vulnerability scan against it using a tool like NESSUS or run Microsoft Baseline Security Analyzer (MBSA) against it to see if there are any issues that need resolving. If the NESSUS scan and MBSA scans come back clean, then there isn't much else to report. If there is any specific Web Application running (other than IIS) then you can utilize a number of Web App security testing packages to report if there are any vulnerabilities there.
So why can't you review the box at the office?

460
Resources / Tutorials / Re: how to exploit iis 6
on: November 01, 2011, 09:07:10 AM
You may have to consider another way to pop the box. IIS may not be a viable attack vector if it has been properly hardened and the outer defenses are also hardened. Just because something is present, doesn't always mean it is exploitable.

462
Ethical Hacking Discussions and Related Certifications / Other / Re: Security Questions
on: November 01, 2011, 07:50:03 AM
There is always risk involved when connecting your computer to any network. I keep shields up at all times (firewall active and AV actively running). When I am traveling I tend to VPN into my home network before I do anything. I have more control of that network than hotels, Panera's or Starbucks. Your Web application tester will probably have some skills with helping you secure your personal laptop but honestly, keeping AV updated, local firewall running and updating ALL software regularly will keep you about as secure as you can get.
If you are worried about data, you can always utilize software like Truecrypt and create encrypted containers on your local/network storage drives. Windows 7 also utilizes Bitlocker in the Business/Ultimate editions.
Also if you are using something other than Windows (Mac or Linux) do not assume you are immune to attacks. Mac OS exploits and viruses have been coming out much more frequently than in the past and Linux is also vulnerable to attacks. Granted they are much less than Windows and even Mac but they are still out there. Besides what you have that a blackhat might want is not necessarily on your local systems. They may want access to your email, your web hosting information and credentials, bank information and all that is out on the web.
Education is your best friend and common sense goes a long way. Don't hinder your business by being too paranoid, but use the paranoia to better secure your business.
Also as far as securing your home office, I would recommend investing in a SOHO style firewall (Small Office Home Office) such as a Sonicwall or Watchguard device. They are fairly easy to manage once they are set up and they have a low reoccurring cost for service and support. The bonus to these devices is that they will include other services besides simple port forwarding. The Sonicwalls (I am most familiar with) provide IDS/IPS as well as gateway antivirus. So that ends up filtering much of the garbage before it hits your internal network. Something to think about.
Also as you are building this business, don't get frustrated if some new security software/hardware makes something not work. Rather than turning off the security feature, make sure it is properly configured with the correct exceptions to keep your apps running properly.
Good luck!

463
Resources / Tutorials / Re: how to exploit iis 6
on: October 31, 2011, 01:58:55 PM
What is the error you receive? Are you attacking from internal or external? A number of factors may come into play. Firewall may be using egress filtering and not allowing the traffic to go out over your reverse_tcp session. IPS may be blocking the attack or the admins may have implemented the workaround from http://osvdb.org/397.

464
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: How to hack FTP?
on: October 31, 2011, 09:06:59 AM
Careful WhiteGhost, we had another user come in and look for someone to hack a site for them that wasn't the OP. But to the OP, what you may want to prove is that the FTP site is susceptible to a Man-in-the-middle attack since FTP uses cleartext credentials. Explain to them that SFTP is the preferred method of transferring files to customers and partners. It is run over a Secure Shell (SSH) session which utilizes an encrypted tunnel. The cost is low for implementing an SFTP solution. And yes the best way to show them is the use of a sniffer and a tool like Cain. Ha! you can get elaborate and utilize the SET to clone the FTP site and show them how someone can socially engineer users to gain access to their credentials
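An added example, not part of the original post: a defender-side audit for the point above that FTP sends credentials in cleartext. It reads a constructed log of port-21 control-channel lines (the `session direction line` log format and every name in it are assumptions) and reports which sessions exposed a login and which upgraded with `AUTH TLS`; password values are never stored.

```python
import re
from collections import defaultdict

# Constructed sample, not real traffic. Assumed sensor format:
# "<session id> <C|S> <control-channel line>" (C = client, S = server).
SAMPLE_CAPTURE = """\
s1 S 220 ftp.example.test ready
s1 C USER alice
s1 C PASS constructed-secret
s1 S 230 Login successful
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s3 C USER anonymous
s3 C PASS guest@example.test
s3 S 230 Login successful
"""
LINE_RE = re.compile(r"^(\S+) ([CS]) (.*)$")

def audit_ftp_sessions(capture):
    """Map each session id to (finding, username or None)."""
    state = defaultdict(lambda: {"user": None, "pass_seen": False,
                                 "auth_tls": False, "tls_ok": False})
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, direction, line = m.groups()
        s = state[sid]
        verb, _, arg = line.partition(" ")
        if direction == "C":
            verb = verb.upper()
            if verb == "USER":
                s["user"] = arg
            elif verb == "PASS":
                s["pass_seen"] = True      # record the exposure, not the value
            elif verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                s["auth_tls"] = True
        elif verb == "234" and s["auth_tls"]:
            s["tls_ok"] = True             # server accepted the TLS upgrade
    findings = {}
    for sid, s in state.items():
        if s["pass_seen"]:                 # a readable PASS means no encryption
            anon = (s["user"] or "").lower() in ("anonymous", "ftp")
            findings[sid] = ("anonymous-login" if anon else "cleartext-login", s["user"])
        elif s["tls_ok"]:
            findings[sid] = ("tls-upgraded", None)
        else:
            findings[sid] = ("no-login-observed", s["user"])
    return findings
```

After a successful `AUTH TLS` the control channel is encrypted, so a sensor sees no further commands for that session; SFTP runs over SSH and never appears on port 21 at all.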

465
Resources / Tutorials / Re: how to exploit iis 6
on: October 31, 2011, 08:55:26 AM
It is possible that the WebDAV service may have been patched or a workaround has been configured to prevent such an attack. What exploit are you trying to use? CVE?