Vmware pen-testing lab. problem (BT5 ain't connect to XP)

[Schiz0id]

Hi,

I have a virtual pen-testing lab. My host is win7. I installed BT5 and WinXP in Vmware. Host has 192.168.2.1, BT5: 192.168.2.2 and XP:192.168.2.3
When i ping from host machine and BT5 to WinXP, all packets are lost. But when a send ping packets from WinXP to Bt5 and Host machine, there is not any problem.
So what's the possible problem for you?

Thanks in advance.

[UNIX]

Is the firewall in XP enabled? If so, disable it and try it again.

[Schiz0id]

How come. When i disabled windows firewall then ping packets transmitted without any lose. Does it means; there is a winxp machine in our LAN with activated windows firewall, we can't hack it?

I really confused now.

[MrTuxracer]

As per default the windows firewall is activated and blocks any incoming traffic on all 3 profiles. If you want to exploit a machine you always need an open port for your targeted service.

Regards.

[hayabusa]

It means that firewall was blocking ICMP (ping) inbound.

Does that mean you can't hack the XP box(es)?  Absolutely not.  It just means that THAT service / port (ICMP) is not being allowed in for said host.  

Your next steps in learning on the XP lab box should be:

Use NMAP and other scanning methods, and see what other ports / services are available (if any) from the outside.

If some are found, enumerate versions of the services that are running, and look for exploits and / or fuzz any applications you find.

If none are found, start lookig at social engineering and / or client-side attacks and exploits.

(Not every host with a 'vulnerable OS' will always be left in a vulnerable state.  You'll need to do reconaissance, and learn how to find 'other' ways to pWn the host.)

[Schiz0id]

Thanks for replies.

I know that if there is not any open port then you can't hack a system via it's ip address but i didn't know that ping packets get lose because of stealth ports and windows firewall blocks ping packets.

Obviously i have to spend a lot time here to learn something.

Regards.

[hayabusa]

There's ALWAYS more to learn, in infosec.  It never ends.  So we're always happy to help / explain, where we can.

Keep pressing forward and learning, Schiz0id.   

[Shock]

It means that firewall was blocking ICMP (ping) inbound.

Does that mean you can't hack the XP box(es)?  Absolutely not.  It just means that THAT service / port (ICMP) is not being allowed in for said host.  

Your next steps in learning on the XP lab box should be:

Use NMAP and other scanning methods, and see what other ports / services are available (if any) from the outside.

If some are found, enumerate versions of the services that are running, and look for exploits and / or fuzz any applications you find.

If none are found, start lookig at social engineering and / or client-side attacks and exploits.

(Not every host with a 'vulnerable OS' will always be left in a vulnerable state.  You'll need to do reconaissance, and learn how to find 'other' ways to pWn the host.)

Dear god, My mind just spend 5 mins trying to translate your statement into useable python code. 

I need to work on my python more.

[MaXe]

It means that firewall was blocking ICMP (ping) inbound.

Does that mean you can't hack the XP box(es)?  Absolutely not.  It just means that THAT service / port (ICMP) is not being allowed in for said host.  

Your next steps in learning on the XP lab box should be:

Use NMAP and other scanning methods, and see what other ports / services are available (if any) from the outside.

If some are found, enumerate versions of the services that are running, and look for exploits and / or fuzz any applications you find.

If none are found, start lookig at social engineering and / or client-side attacks and exploits.

(Not every host with a 'vulnerable OS' will always be left in a vulnerable state.  You'll need to do reconaissance, and learn how to find 'other' ways to pWn the host.)

Dear god, My mind just spend 5 mins trying to translate your statement into useable python code. 

I need to work on my python more.

I would rather call his statement, his methodology  A good way to start pentesting your own boxes locally, is to obtain a methodology if you don't have any, as most pentesting companies doesn't just fire all canons and hope they find something, well, some do, but most (should) be following either a recognized methodology or an internal one.

There's a few methodologies out there such as NIST SP800-42 (it is somewhat outdated but easy to read), OSSTMM (very generic), and PTES (pentest-standard.org, not sure how far this project is in becoming final or first draft), but I recommend you (Schiz0id) check out pentest methodologies / frameworks and learn a bit more about networking and firewalls 

[hayabusa]

Note - that methodology is for learning.  I wouldn't necessarily 'fire all cannons', as MaXe pointed out, in a full, REAL pentest (I might, but it depends on the cirumstance.)

But for your purposes of learning, and based on your simply trying to learn to exploit the box in you lab, in general, I'd be following what I told you.

PS - @Shock - just curious...  How did Python get brought into that mix?  I never said, "I'd do it all in Python"  Yes, I'd use Python to script some of my processes, etc, or even to write some testing-specific tools, but for just the general stuff, the original poster was asking, I didn't see Python slipping in there (at least not YET   )  Or are you just learning to write your own stuff, so that came to mind?

[MaXe]

Note - that methodology is for learning.  I wouldn't necessarily 'fire all cannons', as MaXe pointed out, in a full, REAL pentest (I might, but it depends on the cirumstance.)

I agree that I shouldn't limit myself to a single methodology, but I do use an internal methodology to avoid missing items / attack vectors when I have 100 or more items to test for.

It may sound extreme, but we (the company I work for) try to cover all possible attack vectors, so we don't go as deep as it could otherwise be possible, but the attack surface is limited quite a lot (if the customer remediates all the flaws identified), when all of the services are up to date and configured in line with security best practice. Well, it's just my point of view from a "corporate point of view". (It is after all, much more fun to study a service, fuzz it locally and try to develop an exploit for it.)

I don't use a methodology as the only option though, I usually poke around manually while running the scanners (that must be run anyway, which usually finds all the low hanging fruit), and after that (the automated scans and manually poking around), I go through the methodology (i.e. checklists) to see if I missed anything as I sometimes encounter technology I haven't been exposed to yet, which there usually is a (internal) methodology for.

When it comes to web applications I don't use a methodology though, as even though some attacks can be quite advanced, it's a lot easier to keep the entire methodology of web application pentesting in the mind than with network pentesting, where everything from routing to exploitation of services must be done.

Of course, it depends on how "deep" the client permits you to go, as I am often not allowed to use Social Engineering attacks (meaning all client-side attacks are not allowed, unfortunately  ), plus intentional DoS attacks too (which doesn't add any value to the business if you do it on their production equipment during business hours, even though it shouldn't be possible to DoS them with a single computer).

tl;dr
I just try to cover as much as possible by using methodologies when I am unsure whether I tested everything humanly possible  (I should begin to script some of the work I do though, as a lot of the items from the methodology I use could be scripted and save a lot of time.  ) And yeah I still agree with hayabusa of course 

[3xban]

Thanks for replies.

I know that if there is not any open port then you can't hack a system via it's ip address but i didn't know that ping packets get lose because of stealth ports and windows firewall blocks ping packets.

Obviously i have to spend a lot time here to learn something.

Regards.

Its always good to get a decent understanding of the systems you are working on.  If you float through many of the "How do I become a pen tester..." type threads, you will see many pointing beginners toward books on networking and such.  After all, your first steps in getting ready to do a test will be centered around recon.  The first chunk should be checking out the internet presence of the target.  Most of this will be passive activity like google searching, DNS Records, web sites, and social network activity.  Then you move in for some network enumeration.  In a strongly defended environment you will have to try and work past client based firewalls and other security measures.  Just because something isn't pingable by normal methods, doesn't mean it isn't online.

[Shock]

PS - @Shock - just curious...  How did Python get brought into that mix?  I never said, "I'd do it all in Python"  Yes, I'd use Python to script some of my processes, etc, or even to write some testing-specific tools, but for just the general stuff, the original poster was asking, I didn't see Python slipping in there (at least not YET   )  Or are you just learning to write your own stuff, so that came to mind?

Mostly learning from classwork (just the basics though so nothing sexy) and seeing the If statements in your post tripped my mind back into python programming mode.

[hayabusa]

 @Shock - understood, and that's the feeling I got from it

@MaXe - agreed on all points.  I've been on both sides of the equation, too.  The big corp stuff really required being as 'all-inclusive' as possible