How do you import your tools armoury for external engagements

Viewing 13 reply threads
  • Author
    Posts
    • #8149
      cb122
      Participant

      Can I just ask from a non-tech perspective (please bare this in mind with your responses), when you do network pen testing or vulnerability scanning services for your clients, perhaps simulating an “internal employee” angle, how do you get your set of vulnerability scanning and exploitation tools into your clients network – i.e. if there network admin says something along the lines of…

      “you can’t install any vulnerability scanning tools on any of my servers, and you can’t attach your own vulnerability scanning laptop to our network to use that, plus all our devices use full disc encryption so you can’t use boot discs, and you won’t have administrator rights on any corporate device we give you to install whatever you chose”

      – where do you store and run your tools from? Are network admins typically like this? Can your tools be run as “portable apps” from a USB device? But then I guess there may also be USB policies restricting those. I don’t even know which tools are current, but I have always wondered how you get your armoury in a position to scan the network if the admin has demanded compliance and restraints.

      Second part of the question – If there are ways to run vulnerability scanning tools direct from USB, can you recommend any free ones that will run from USB and produce a management freidnly vulnerability report on say a windows file server, so OS vulns, 3rd party software vulns, server software vulns etc. I am not bothered about exploit just a top level scan with potential issues.

      Apologies for the basic level of the question but it is something that has always interested me. I guess from a network admin perspective their priority is keeping services online and at optimum performance, and not facilitating a platform for an ethical hacker. Please keep your answers pretty basic if at all possible and thanks in advance for any responses.

      Cheers

    • #51561
      dynamik
      Participant

      We bring our laptops on-site and connect directly to the client’s network. We work with the client during the pre-engagement/scoping phase to identify and define any limitations that we must adhere to. We don’t typically make an issue out of them as long as they’re reasonable (i.e. automated scans kill the mainframe, please don’t run automated scans against that server). If they’re too extreme, that’s usually indicative of a client trying to game the test and get an easy “pass” mark. You see this more when people are required to have regular pen tests performed (i.e. PCI) as opposed to when they go out of their way to get one to legitimately test their defenses.

      Slightly off-topic, but someone I know was recently put in a situation where he had to test from a Windows kiosk system that was extremely locked down. You know, for “security” reasons. He just browsed through the shares via Network Neighborhood and found domain admin credentials in a batch file in an open share. It’s sad to see more effort being put into cheating through a pen test than basic security.

      Regarding portability, I’d just setup something like a BackTrack VM on an external USB or thumb drive. For free vulnerability scanners, you’re pretty much stuck with OpenVAS, or a Home Feed for Nessus if you’re using it for personal or testing/evaluation reasons.

    • #51562
      cb122
      Participant

      Many thanks for your response. What is your view of OpenVAS as a vulnerability scanner?

    • #51563
      Grendel
      Participant

      @cb122 wrote:

      What is your view of OpenVAS as a vulnerability scanner?

      I use it all the time. Prefer it over Nessus… community support, open source, active updates, all have pushed it slightly ahead of nessus in my opinion.

    • #51564
      lorddicranius
      Participant

      @Grendel wrote:

      I use it all the time. Prefer it over Nessus… community support, open source, active updates, all have pushed it slightly ahead of nessus in my opinion.

      I haven’t used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles? I haven’t used the paid version either, but have read a little bit about it.

    • #51565
      Grendel
      Participant

      @lorddicranius wrote:

      I haven’t used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles?

      There are no limitations with OpenVAS regarding IP ranges you can target, unlike the home version.I’m not sure what other bells and whistles you might be mentioning regarding Nessus, but I’m just after the scan results so I can validate it or other findings using other scanners.

    • #51566
      m0wgli
      Participant

      @cb122 wrote:

      Many thanks for your response. What is your view of OpenVAS as a vulnerability scanner?

      There’ a fairly recent post on here discussing OpenVAS vs Nessus which may be of interest: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,9379.0/

    • #51567
      lorddicranius
      Participant

      @Grendel wrote:

      @lorddicranius wrote:

      I haven’t used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles?

      There are no limitations with OpenVAS regarding IP ranges you can target, unlike the home version.I’m not sure what other bells and whistles you might be mentioning regarding Nessus, but I’m just after the scan results so I can validate it or other findings using other scanners.

      I was under the impression that the Professional version gave you access to some scripts that weren’t included in the free one..? And is there a delay in plugin updates on the free one as well?

    • #51568
      m0wgli
      Participant

      @lorddicranius wrote:

      I was under the impression that the Professional version gave you access to some scripts that weren’t included in the free one..? And is there a delay in plugin updates on the free one as well?

      The professional feed does have additional features: http://www.tenable.com/plugins/

      Historically the home feed did have a delayed feed, but this is no longer the case. AFAIK it’s been that way for a few years now.

    • #51569
      lorddicranius
      Participant

      @m0wgli wrote:

      Historically the home feed did have a delayed feed, but this is no longer the case. AFAIK it’s been that way for a few years now.

      That’s good to know, thanks!

      @m0wgli wrote:

      The professional feed does have additional features: http://www.tenable.com/plugins/

      And I think I can see where Tom’s coming from.  The features in Professional, just going off that link, looks to be more geared toward enterprises setting it up for internal use?  As far as using for a pentesting situation, all you’re really looking for is the scanning vulns aspect.

    • #51570
      MaXe
      Participant

      It’s quite common to bring our laptops on-site, and sometimes even scanner appliances as well, which can be quite huge and bulky. Sometimes when we do a host security assessment, remotely via a VPN connection or via another encrypted channel, we are told that we should save all our files in /tmp, and that any tools we install must in some cases be installed by them, or in other cases, be removed immediately after we have used them.
      That’s pretty much how we perform those kinds of tests. When we do wireless penetration tests, we bring our own laptops and alpha cards with good antennas as well. Otherwise, how would we be able to perform a test adequately and to e.g. high standards?  🙂

    • #51571
      ziggy_567
      Participant

      Typically when I run across situations like this where the customer is trying to put restrictions on how we conduct the test, I try to explain that without the restrictions the client will get a more valuable report. If they continue to insist, I work within the Rules of Engagement and caveat the report where necessary.

      Our normal setup for internal-type assessments is a laptop with pre-installed VMs with all our attack/assessment tools installed.

    • #51572
      caissyd
      Participant

      Just to add an obvious point, I have never seen once a client that would allow me to install backdoors, rootkits or other malware. And I can understand them!

      That being said, I tell them in my report that once I have got a system shell, I could have install them.

      Also, bringing my own laptop also implies bringing my personal notes, scripts, etc. I don’t know about you guys, but if I have, let’s say, performed a VA on an Oracle database a year ago and haven’t touched it since then, I would be a bit rusty…

      Anyways, obvious but worth mentioning.

    • #51573
      dynamik
      Participant

      I think you need to be careful how you define a backdoor. The MSF psexec module uploads a malicious exe to System32 (by default) and runs it via a service? Is that a backdoor? Perhaps.

      I’ve strangely enough found this in back-to-back engagements, so I did a short write-up about it: https://www.infosiege.net/2013/01/wbemmof-based-exploitation-via-freeftpd/

      I’d certainly consider that to be a backdoor, but it was necessary to compromise the system.

      At the same time, I’ve never instead a RAT that gives me access from anywhere in the world. When in doubt, consult your client contact before proceeding.

      Regarding notes, check out Evernote. That’ll sync your notes between pretty much any device. Even if I couldn’t use my laptop for whatever reason, I’d still have access to my notes on my iPhone and iPad.

Viewing 13 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?