I have been reading thomas wilhelms book pro pen testing and i have been reading some other resoirces from his site as well. Here is a question i have. I have noticed that every lab scenero from countless tutorials have you always preform a nmap scan to see what hosts are on the network that could be potentual placers for hackers. Such as open ports i assume. Thats fine but i noticed its all private side scanning. What if a hacker is from a remote location and has to go through public ip. He or they would have to gain inside private access first then do scans. So it seems pointless to me to do pen testing from private side cuz that assumes the hacker has gotten in apready. Can you scan a public ip for open ports? Thanks guys

If you want an authorized target to test against, try nmap's own scanme.nmap.org.

Provides a good opportunity to get used to nmap's options different results you can get from different parameters and scripts.

When working in a lab, try to ignore that your machines (and the publicly provided targets like De-ICE) are using rfc1918 address space. This is merely for convenience, if you needed public hosting and IP space for a test environment the costs would skyrocket. And it's obviously not sensible to host vulnerable systems on public facing networks.

Using De-ICE as an example, the server is built as a (poorly protected) public facing system. It's not uncommon for public systems to have the same ports and services exposed to the wider world, rather than locking down administrative ports for example.

think of the book as a proof of concept.  It gives you the ability to learn some of the tools to perform a pen test as well as the reporting process involved.

Seph makes a valid point.  Even when it comes to advanced attacks, most of them have been done using a phishing email that gets them access to the victim's machine.  From there they attept lateral movement through the network until they can gain access to an elevated account which can be used to lay in some backdoors for future use.  Now if the victim network has proper controls in place (egress filtering, network ACLs, a monitored SIEM etc...) then this may make internal movement/compromise more difficult.  Its tough to create an outbound reverse TCP shell if all ports are being filtered/blocked.  Unfortunately not all orgs do this and even filtered ports can be used if you can compromise the external host they are going to.

If you wanted to setup a lab to simulate attacking from outside, you can always aquire a low end firewall and put that in front of the victim hosts.  Attempt to attack directly or create some SET or metasploit payloads you can apply to the internals.

I'm surprised nobody has actually mentioned this. Not to be snide, but if you're having those kinds of questions about IP address classes and you're on step number nmap in your learning, I'd say you need to stop now, and go read a good networking fundamentals book. You are going to be totally lost as you work through the technical details of pen testing, if you don't know the fundies, you'll never be good at it.

I have a degree in net engineering along with a CCNA and the routing part of my CCNP. I also have my RHCT. BUT that was 5 years ago and i have never had a job that uses it. I have had IT jobs and was department head BUT our network was sourced out before i got there. Prez said no touchy so i handled the lower end stuff. But i did work for IBM and i installed the back bone for the EBAY HQ in my area. But after that i switched to Mechanical Engineering because that had the career options i wanted. Hard to explain. haha.

 The IP addressing is not hard for me to do. I can supernet and subnet address space for route propagation and ACLS in cisco routers just fine. Supernetting is my favorite especially when you used wild card masks for the Control lists haha What was confusing me was why all the attacks were private side. I was getting the impression from the material that access had already been gained and know you were just trying to enumerate more info. It was confusing me because i thought the material was supposed to teach how to gain access in order to know how to protect. I was not under the impression that such a unsecure server could exist, but then again, this is levle one material and they have to present it somehow for the basics. haha.

lol. BUT it has been 4 or 5 years since i have used my CCNP knowledge.  My friend is Todd Lammle and his ghost writer and editor was my professor(the book was not the professor, haha. It was a real person:)). It was kind of cool.

Now, i will say this. Just because i was excellent at supernetting and configuring routers, does not mean i am good at security. I know how ICMP,TCP and other protocols work pretty well, but that does not mean i know how to manipulate them. I could never figure that part out. haha. Understanding things how they worked normally was easy for me, but to understand how to manipulate them or troubleshoot because they are not working so well, that was the hard part.

This is why i am wanting to complete the heorot courses. I feel that as an mechanical engineer, this can and will help my problem solving skills and a sense of accomplishment. haha.  I never know if in the future, i will be called to the office because the IT team needs some help. So i do like to review concepts every so often. BUT security is something i have never done. I mean its easy to follow a firewall tutorial to protect your house or company, but if you dont know why its doing what it is doing, well then. haha and thats why i am here. to learn security. haha.

That was a LONG winded reply but i wanted to make sure i expressed my unawareness of security but also let you know that i have some excellent exp in networking.

you guys are awesome and i trust you all. thanks much.

Thanks for the awesome reply my friend. I didnt meant ot make the post soooo long winded, but i had to defend my honor of having a bachelors in network engineering that i NEVER use. I can totally see why you guys asked though.

Ok first things frist, you all are gonna laugh at me. So about 2 or 3 years ago i purchased thomas willhelms book " professional penetration testing" didnt read much and didnt check out the dvd. It was during a rough time in school and life so things got put on back burner. So last night i finally got a chance to watch the Heorot Penetration Testing Fundimentals course videos. The dvd comes with the full course for the issaf including lecture notes, videos and live cd's. except hackerdemia must be out of date because all the lessons on it go to a page under construction... so the tutorial on hydra is not there. oh well.

Here where i need to look at things backwards and i may need some help. I watched the video on the dvd where he scans using differnt techniques. He shows that port 80 is open and then goes to the webpage. What is so important about port scanning besides the fact that it shows what types of services are running?

To tell you the truth, sarcastically i thought to my self" yeah so whats the big deal that port 80 is open or 21. So they have a web server up. who doesnt" ok thats what i need some correction on. the importance of open ports. You cant do much if you do not have a password.. which i assume is part of the challange BUT the tutorial on the live cd of hackerdemia does not exist so im stuck at the moment. haha. maybe the vids show me what to do in a sense.

Ok, i also noticed on the webpage that it says pictures comming soon of the picnic and to send flowers and cards to a specific place. are finding the pictures and finding where the cards are going any part of the challange?

ok thanks guys.  i know i have alot to say but im practicing to document everything so i can get a cert and also use the technical report for my engineering writing class.

you guys are fantastic