now you're just showing off......

Dean,

I agree with you that social engineering is a valid attack vector (and often the most effective).

However, I think the initial comments (at the very least my own, but I thought others felt the same way) was that SE was something that wasn't enjoyed. For myself this is largely a confidence issue, I'm not a 'people person' therefore trying to convince someone I'm something I'm not is something I don't relish.

I do enjoy the non-interactive, techinical social engineering techniques however and have used dummy sites and spear-phising as an alternative. Following this thread I'm looking forward to testing what happens when I 'lose' a USB stick, thanks for the advice you gave njemjy regarding msfpayload as this should come in useful in this regard.

From those that are skilled at/enjoy social engineering, do you have any advice on how to best introduce yourself into a client's environment? I can't imagine anyone believing my cover stories, would you trust a nervous sweating bloke with your server room?

eth3real,

pretty similar to my kit, only additions I have are:

• Selection of tested Cat5 cables of varying lengths (Straight, cross- and roll-over)
• Cable tester
• RJ45 ends & crimping set
• Plane ticket to Brazil for when the .... REALLY hits the fan

I haven't passed the C|EH yet, is the BBC LNX any more useful than other pentest/audit distros?

but quite evil

Cheers Manu,

guess I've got a lot of late nights ahead of me...

will people please stop mentioning Uplink?

I've got work to do god damn it!

(And judging from _Marshel_'s screendump some catching up to do)

I'll second that, if I was that good at lying to people I would have gone into management

w00t!

Hows the site holding up under the legendary /. effect Don?

ChrisG,

I've actually just got back from a shopping trip where I saw this for the first time and considered a purchase. From reading your review I think you've just saved me from making a mistake, not much point in owning a book detailing a tool that I'll possibly never use.

I'll try to keep an eye out for it in the future bargain bins for the analysis of the samy worm though.

Thanks for the review.

ChrisG,

don't know about anyone else, but I just got the sense that I still have a loonnngggg way to go here. Still, it's always good to have something bring you back to earth to help refocus, thanks.

Brian,

nice video, I've had Cain&Abel on my 'Must look at' list for a while. Think you've just jumped it to the top of the queue.

Thanks

Sorry for replying to my own post, I managed to do a quick comparison sooner than expected. (Don't you love quite Fridays? ).

I've just ran the CIS Router Audit Tool (RAT) using the same configuration I initially used with Nipper. Mostly both tools came back with the same set of potential weaknesses. So unless they both missed the same issue the coverage appears to be similar with each tool.

The report created by RAT is shorter and more concise than Nipper's although part of that is achieved by hiding some information on hyperlinked pages. (Config file your testing needs to be in the same directory as the rat binary or the links won't work).

As well as listing weaknesses RAT assigns each issue a priority and determines a % score based on which tests you pass or fail. I'm not sure I like having metrics like this as anything that isn't 100% secure is vulnerable to something, and despite what the value says nothing is 100% secure.

As I touch on the SNMP aspects of the report with Nipper I'll do the same for RAT. As with Nipper, RAT complained that I didn't have snmp disabled, and failed me on failed me on 4 tests because I had multiple lines with the string 'snmp-server' (snmp-server community foo; snmp-server location bar etc.).

A feature that RAT implements that isn't fully available with Nipper is that it generates a Cisco command file to run against the device that will 'fix' every security issue with the device. Whilst I'm sure this could be a time saver in many scenarios, if I had blindly run this file against my device I would have lost a lot of functionality that I actually need. Again using SNMP for an example, it is utilised for statistic gathering and most importantly monitoring the state of the device.

As I said with my review of Nipper, don't just follow the advice and fixes without understanding the impact they will have on your network, unless you fancy a world of hurt

Overall, I quite like both tools and each has advantages over the other. Mostly it will come down to personal preference, which tool you know better and can better interpret the findings. Personally, I think I'll hang on to both for some cross checking.

Agreed, assuming nothing comes up in the meantime I intend to try CIS RAT at the weekend. I'll run through with the same config for each tool and try to get a comparison.

I'll update my findings as I get more

zr0crsh,

from using Nipper the report is fairly self explanatory. For each potential issue that it finds it provides:

• Observation(Reason why X is an issue)
• Impact of issue
• Ease of which issue could be exploited
• Basic recommendations for a fix

The key part is 'potential' issues, whilst the tool has provided me with a number of avenues to look at increasing the security of my setup there are several issues that are flagged that can be ignored if you know and understand your environment. For example, an issue that appears in the report is that the SNMP password is not complex enough. However, as the SNMP access is tightly controlled via ACLs this isn't as much of an issue in my environment as it might be elsewhere.
As with most tools, don't just go blindly following the advice of the report without first understanding the issues fully.

I haven't come across the CIS RAT tool before, I've just had a quick look at their website and there appears to be a lot of legalise that you'r required to read/accept before getting access to the tool, along with the benchmarking information documents.

Do you know if there is anyway (I could have missed the relevant section on the site) to access the documentation without giving away my life story first?

Pseudo,

Nipper works offline on a configuration file. In my case I've been playing with Cisco devices, all I've done is supply a text file holding the configuration (usually generated using the show running-config command) on the commandline, for example:

nipper.exe --iso-switch --input=someDevice.conf --output=someDevice-report.html

This way the routine doesn't interact with the device in any way, so can't cause it to fall over or reduce network performance. From reading the documentation it is possible to pull the config from Cisco devices using SNMP strings or TFTP servers, but I won't go down this route as the alternative is fairly simple and cannot effect the clients equipment in anyway.

Avoids the 'everythings dead! What have you done?' questions