Is my methodology correct or am I going about Penetration Testing all wrong?

mjones

Newbie

Posts: 3

Joined: Thu Mar 24, 2011 3:38 pm

Post Thu Mar 24, 2011 3:46 pm

Is my methodology correct or am I going about Penetration Testing all wrong?

You can ignore the following backstory, but I added it for dramatic effect.

I'm currently wrapping up a Computer Forensics course here at school. Sadly we got stuck with a first year professor who doesn't know half of what she is talking about. She claims to have worked for a Fortune 50 company doing their network security, but her knowledge level is laughable for the job she used to have held. Students will commonly correct her on the basic facts about subjects; it's almost offensive to my education. There are very few intelligent people in this class, it's considered an easy minor, no wonder with professors like this, and a lot of Criminal Justice students latch onto it as well.

All of this being said, I've learned next to nothing from these Computer Forensics courses with her after a full year. So to cap off my year she decides to announce a live "computer hacking" competition of sorts. The major problem with this competition is the fact that there has never been any sort of lesson on network penetration or computer hacking in the general sense. The closest we got was a card trick that somehow simulated password cracking. All we know about the competition is the class will be split in 2 groups, one on defense and the other on offense. I have no doubt there are only two people on the opposing team who could be potential threats but I am pretty confident I know more in this area.

This type of work is what I'd like to do for a career so I'm making this assignment into a test of sorts for myself. ONCE AGAIN KEEP IN MIND WE HAVE BEEN TAUGHT ABSOLUTELY NOTHING INVOLVING NETWORK SECURITY OR PENETRATION TESTING. Everything here is stuff that I've either been taught, picked up over the years or have convinced myself to believe is true. Pick it apart: what's good, what's bad, what's flat out wrong.

The Setting:

PC's that barely boot.
Windows XP Service Pack 3
Every machine was built using the same image, they all have very little added aside from some shithead forensic tools we've never used
We're on our own network of about 15 machines

The following is the software I plan on putting to use and my strategy for both defending and attacking.

Defense:

Software:

Firewall - Really have no idea here, haven't used anything that was a specific "firewall" since ZoneAlarm back in 2006, would really be interested to hear some recommendations for a firewall.

Anti-Virus - Microsoft Security Essentials, these PC's are pieces of shit and need all the resources they can hold on to and I've always liked this software.

Miscellaneous:

Get all machines patched up to date, uninstall all unnecessary programs, shit like Adobe Reader/Flash, MSOffice, etc. Remove all Administrator accounts, basically try to leave as few things they could attack as possible. Generate a strong Windows password, won't do much for physical security but I assume it'd help network-wise. Lame as it is, BIOS passwords on all our machines, they're padlocked so the jumpers can't be pulled.


Offense:

I cannot stress enough how little I formally know about this type of stuff, so please help me better myself. I think of it as a simple 4-part attack attempt:

1. Port Scan, identify the targets and recognize their open ports
2. Vulnerability Scan, scan the target IP's and discover known vulnerabilities the machines currently have.
3. Attack, use Metasploit to exploit the vulnerability and gain access to the users system.
4. Keep control, installing a backdoor to keep control of the system

Software:

nmap - Read a few books on the tool so I know a decent amount of what I'm doing with it, couldn't think of a better portscanner

Nessus - vulnerability scanner, again the most revered in its category so I figured I couldn't go wrong, know little about the software though

Metasploit - I've been looking for a decent introduction to Metasploit for a long time but haven't had much luck. I've messed with it a little bit but would definitely like a thorough introduction from the start. I know Metasploit is even considered to be script kiddy-esque but I'm not sure of a better starting point.

BACKUP PLAN:

I will have unmonitored access to this lab for hours at a time, and I highly doubt the other students would consider physical security of their machines or take advantage of us in the same way. I had considered placing trojans on the PC's and adding them to the "Ignored" section of the Anti-Virus, along with simply adding another Administrator account and giving it remote desktop access. I'd rather have this as a back up plan because of how lame it is, but if times get tough I will resort to 10th grade tactics.


I'm basically wondering if this is an accurate strategy to be going into this type of thing with? Constructive criticism is what I'm looking for, so please offer it. If you have another place you visit where I could post this story and get some knowledgeable feedback, send that my way too.
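Step 1 of the attack plan above is a port scan, and the defense plan asks about a firewall. The two meet in the Windows Firewall log: with logging of dropped packets switched on (Windows Firewall > Advanced > Security Logging), a scan shows up as one source address hitting many distinct ports on a box in a short time. The following is an added example, not code from the thread, that parses lines in the pfirewall.log format and flags such sources. It assumes PowerShell 2.0 (installable on XP SP3 via Windows Management Framework Core); the log lines, the threshold of 5 ports and the 60-second window are constructed for the demo.

```powershell
# Added example (not from the thread): detect port-scan-like activity in a
# Windows Firewall log (pfirewall.log, W3C extended format as written by the
# XP SP2/SP3 firewall). Requires "Log dropped packets" to be enabled.
# Assumptions: PowerShell 2.0; the sample log below is constructed, not
# captured traffic; threshold and window are arbitrary demo values.

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-03-24 15:46:01 DROP TCP 192.168.1.50 192.168.1.10 44123 21 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:01 DROP TCP 192.168.1.50 192.168.1.10 44124 22 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:01 DROP TCP 192.168.1.50 192.168.1.10 44125 23 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:02 DROP TCP 192.168.1.50 192.168.1.10 44126 25 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:02 DROP TCP 192.168.1.50 192.168.1.10 44127 80 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:02 DROP TCP 192.168.1.50 192.168.1.10 44128 135 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:03 DROP TCP 192.168.1.50 192.168.1.10 44129 139 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:03 DROP TCP 192.168.1.50 192.168.1.10 44130 445 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:10 DROP TCP 192.168.1.60 192.168.1.10 51000 445 48 S 1 0 5840 - - - RECEIVE
2011-03-24 15:46:12 OPEN TCP 192.168.1.10 192.168.1.1 1034 80 - - - - - - - - -
'@

function Get-PortScanSuspects {
    param(
        [string[]]$Lines,
        [int]$PortThreshold = 5,   # distinct destination ports before we care
        [int]$WindowSeconds = 60   # all probes must fall inside this span
    )
    $events = @()
    foreach ($line in $Lines) {
        # Skip the '#' header lines and blanks
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $events += New-Object PSObject -Property @{
            Time    = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Action  = $f[2]
            Proto   = $f[3]
            Src     = $f[4]
            Dst     = $f[5]
            DstPort = [int]$f[7]
        }
    }

    $suspects = @()
    # Only DROP records matter here: those are unsolicited connection attempts
    foreach ($group in ($events | Where-Object { $_.Action -eq 'DROP' } | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalSeconds
        $ports  = @($sorted | ForEach-Object { $_.DstPort } | Sort-Object -Unique)
        if ($ports.Count -ge $PortThreshold -and $span -le $WindowSeconds) {
            $suspects += New-Object PSObject -Property @{
                Source        = $group.Name
                DistinctPorts = $ports.Count
                Ports         = ($ports -join ',')
                FirstSeen     = $sorted[0].Time
                LastSeen      = $sorted[-1].Time
            }
        }
    }
    return $suspects
}

# Run against the constructed sample; on a real box read the log with
# Get-Content "$env:SystemRoot\pfirewall.log" instead.
Get-PortScanSuspects -Lines ($sampleLog -split "`r?`n") |
    Format-Table Source, DistinctPorts, Ports, FirstSeen, LastSeen -AutoSize
```

On the sample data only 192.168.1.50 is reported (8 distinct ports within 2 seconds); the single hit from 192.168.1.60 stays below the threshold, and the outbound OPEN record is ignored. The span check uses first-to-last time per source rather than a true sliding window, which is enough for a lab but will miss a slow scan spread over minutes; lowering the threshold or widening the window trades that for more noise.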

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Thu Mar 24, 2011 3:59 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

If they allow it, I'd boot up a Live CD of BT w/ Armitage. There are some good videos on YouTube and elsewhere that someone with little experience should be able to follow to point-click-root(!). Hope that helps.
ISC2 Associate, WCNA, CWNA, OSCP, Network+

AndyB67

Full Member

Posts: 100

Joined: Fri Jan 14, 2011 7:13 am

Location: UK

Post Thu Mar 24, 2011 4:24 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

Will you be able to bring a laptop/netbook in and plug it into the network? If so you could pre-build it with BackTrack and get everything updated to give you the best chance.

Ref the AV software, Microsoft Security Essentials is poor to say the least. How long is the lab to run for? You could get one of the better Internet Security packages and run it on a trial version for about 10-20 days. Would give you better AV and firewall. Try to steer clear of McAfee, Norton and BitDefender as they can all be a bit resource hungry.

Re Metasploit, check some of the videos on SecurityTube and see if you can get hold of any of the hacking books that get a good review on here.
Last edited by AndyB67 on Thu Mar 24, 2011 4:27 pm, edited 1 time in total.
Net+ Sec+ More to come

kriscamaro68

Jr. Member

Posts: 61

Joined: Thu Mar 11, 2010 2:48 pm

Post Thu Mar 24, 2011 5:46 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

You can try this for AV/firewall: http://personalfirewall.comodo.com/free-download.html

As for the computers themselves I would use secpol.msc and gpedit.msc to lock down the services on the computer. If there are no rules you can pretty much shut everything usable down with those. If you don't know what those are, type them in a Run bar and hit Enter and go through each one.

As for attacking... If you have physical access to them during the contest then this would be a 3 minute win on your part by booting any SAM cracking tool. You can even use Microsoft DaRT to reset admin passwords.

If no physical access to it then like others have said bring a laptop with BackTrack on it. Or bring a BackTrack live DVD and boot from it then attack from there.

If possible check the BIOS for boot password setups. If there is one and physical access is allowed to the computers this will at least require them to know the boot password to boot to a live CD or USB stick. Also set the boot order to only allow the local drive and nothing else.

If you want to get crazy you can always encrypt the entire drive with TrueCrypt as well. If I remember correctly you need to know the password to even boot up the drive, which means unless they know the password for the drive they can't crack the password to any accounts.

I know there are ways around some of these recommendations but they don't sound too bright from what you have said so they should work.

Hope that helps.
A+, Net+, Server+, Security+, MCP/XP
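The hardening steps in the original post (patch up, uninstall what isn't needed, trim the Administrators group) and the secpol.msc/gpedit.msc advice above are easier to verify than to remember, especially across 15 machines built from one image. The following is an added example, not code from the thread or from either poster, that audits one box against those points and, only when asked, disables a list of services. It assumes PowerShell 2.0 on XP SP3 and an administrative account; the service list is a constructed example set of services commonly switched off in a lab, not a recommendation taken from the thread.

```powershell
# Added example (not from the thread): audit a Windows box against the
# hardening points discussed in this thread. Read-only unless -Apply is given.
# Assumptions: PowerShell 2.0 on XP SP3, run from an admin account.
# $unneededServices is a constructed example list; edit it for your lab.

param([switch]$Apply)

# XP service names (short names, as shown by 'sc query').
$unneededServices = @('Messenger', 'Alerter', 'RemoteRegistry', 'TlntSvr', 'SSDPSRV', 'upnphost')

function Get-HotfixCount {
    # Rough patch-level indicator: number of installed hotfixes.
    return @(Get-WmiObject Win32_QuickFixEngineering).Count
}

function Get-LocalAdminMembers {
    # 'net localgroup' prints a text table; members follow the dashed line.
    $members = @()
    $inList  = $false
    foreach ($l in (net localgroup Administrators)) {
        if ($l -match '^-{5,}') { $inList = $true; continue }
        if ($l -match 'The command completed') { break }
        if ($inList -and $l.Trim() -ne '') { $members += $l.Trim() }
    }
    return $members
}

function Get-GuestAccountState {
    # 'Account active   Yes/No' appears in 'net user Guest' output.
    $line = (net user Guest) | Where-Object { $_ -match '^Account active' }
    if ($line) { return ($line -split '\s{2,}')[1] } else { return 'unknown' }
}

function Get-ServiceStatus {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$n'"
        if ($svc) {
            New-Object PSObject -Property @{
                Name = $n; State = $svc.State; StartMode = $svc.StartMode
            }
        }
    }
}

function Disable-UnneededServices {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($svc) {
            if ($svc.Status -eq 'Running') { Stop-Service -Name $n -Force }
            Set-Service -Name $n -StartupType Disabled
        }
    }
}

function Get-FirewallState {
    # XP's netsh still uses the legacy 'firewall' context, not 'advfirewall'.
    return (netsh firewall show state) -join "`n"
}

"== Installed hotfixes: $(Get-HotfixCount)"
"== Guest account active: $(Get-GuestAccountState)"
"== Local Administrators:"
Get-LocalAdminMembers | ForEach-Object { "   $_" }
"== Services that should be Stopped/Disabled:"
Get-ServiceStatus -Names $unneededServices | Format-Table Name, State, StartMode -AutoSize
"== Firewall:"
Get-FirewallState

if ($Apply) {
    Disable-UnneededServices -Names $unneededServices
    "Listed services stopped and set to Disabled."
}
```

Run it once per machine without -Apply and compare the output to what you expect from the image: anything in the Administrators group besides the one account you keep, a Guest account that is active, a listed service in State Running, or a firewall reporting "Operational mode = Disable" is a finding. The script deliberately does not touch accounts or the firewall itself; those changes are made by hand (or via the secpol.msc and gpedit.msc consoles mentioned above) so that nothing locks you out of your own box.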

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Thu Mar 24, 2011 10:16 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

Maybe I missed it, but what books were you using in your class?
OSWP, Sec+

mjones

Newbie

Posts: 3

Joined: Thu Mar 24, 2011 3:38 pm

Post Thu Mar 24, 2011 10:50 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

I'd like to say thanks for all the information. I've spent a long time on the Internet trying to find a decent forum on this subject and I think I just found a great one.

chrisj wrote:Maybe I missed it, but what books were you using in your class?


http://www.amazon.com/Guide-Computer-Fo ... 720&sr=8-1

We have yet to crack this book, with 4 weeks left in the semester.

http://www.amazon.com/Guide-Network-Def ... d_sim_b_24

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Mar 25, 2011 10:25 am

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

kriscamaro68 wrote:I know there are ways around some of these recommendations but they don't sound too bright from what you have said so they should work.


Not the feeling I'm left with. First year teacher. She's still learning how to teach.

I had more than one class in college where I was the guy that showed up to class, sat in the back of the class and slept during lecture, got up during break to get coffee and then surfed the web during lab time. Some of the easiest A's I ever got.

So don't underestimate your opponents. Some of them may be "sleepers" there for the easy A.


mjones wrote:We have yet to crack this book, with 4 weeks left in the semester.

http://www.amazon.com/Guide-Network-Def ... d_sim_b_24


I think you might want to open that one up and scan through it. See if there is anything in it you can use.
OSWP, Sec+

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Mar 25, 2011 1:54 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

chrisj wrote:I had more than one class in college where I was the guy that showed up to class, sat in the back of the class and slept during lecture, got up during break to get coffee and then surfed the web during lab time. Some of the easiest A's I ever got.



Reminds me of a pentesting class I took in the Beltway... Man was I so tired from studying other stuff during class off hours (was a 10 week course). I would stroll into the class often off of two-three hours of sleep, doing my own security exploitation research, not giving an iota of thought to what was going on... 3 days into the class, I started answering the questions students were asking, explaining to the class and often correcting the proctor. I ended up teaching like 4 days of the class, sleeping through the rest of it.

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Mar 25, 2011 2:14 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

I may be teaching a 2000 level ethical hacking course at a community college this fall and my biggest fear is that I get a Sil. :)
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Mar 25, 2011 2:46 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

tturner wrote:I may be teaching a 2000 level ethical hacking course at a community college this fall and my biggest fear is that I get a Sil. :)



If you do, leverage them. Pick their brain, and have them help with the labs. Kind of like a TA. :)
OSWP, Sec+

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Mar 25, 2011 2:49 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

tturner wrote:I may be teaching a 2000 level ethical hacking course at a community college this fall and my biggest fear is that I get a Sil. :)

bwahahahahaha!  <evil grin>  :P
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Mar 25, 2011 3:10 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

tturner wrote:I may be teaching a 2000 level ethical hacking course at a community college this fall and my biggest fear is that I get a Sil. :)


Nah, no way, I try to be as humble as all hell. Everyone can know something another can't and I enjoy learning as well as sharing. The comment though reminded me of one my wife made: "damnit he's just like you" (will explain now)...

One of my sons just turned 10 years old (other is a Marine :)). I have Xbox family settings enabled and an allocated amount of time set for him on school days of 1.5 hours play time... So my ten year old calls me up and this is what transpired in the convo:

Son: "Hi... How is your day?"
Me: "Fine, almost over ready to go home"
Son: "Mom is cooking I told her to make your favorite food"
Me: "Really... Cool" (mind you the password reset question for Xbox is: What is your favorite food)
Son: "What is your favorite food anyway?"
Me: "Chicken" (threw it out there not the answer...)
Son: "ok well I'll see you when you come home, love you"
Me: "love you too bye"

2 minutes later, phone rings...

Son: "you lied, chicken is not your favorite food!"
Me: "Of course it is, how would you know it's not"
Son: "well it's not working!!"
Me: "what's not working?"
Son: "forget it bye!"

Same happened with the remote, I have ratings enabled to watch shows...

Son: "I love you so much... What's your favorite number?" (programming for cable is a 4 digit number, you have no idea how many times the TV is pseudo-mysteriously locked out)

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Fri Mar 25, 2011 3:17 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

Sil, somehow I expect your social engineering attempts to work better than his. :)
OSWP, Sec+

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Mar 25, 2011 3:54 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

chrisj wrote:Sil, somehow I expect your social engineering attempts to work better than his. :)


I think in this game (security) perception and intuition go a long way. Another example... While I was in a pissy mood I threw my wedding ring at my wife (I like to pretend I'm the boss)... For days I didn't have it on... In fact, I hadn't stopped to look for it because I knew she would... Anyhow, days passed by, I was no longer in a pissy mood, lying down, and my wife walks away from her night stand asking... "Did you find your ring..." to which I responded... "Nope, haven't even looked." Next morning before I went to work, I went straight to the drawer she had closed the night before. I didn't need to search, knew it was there. Her response: "how did you find it" to which I responded: "I didn't have to bother looking, you told me where it was at the moment you walked away from the drawer..."

Social engineering though, I think I do well, but I tend to hybrid this (social engineering + technology)... Caller ID goes a long way. ;)

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Mar 28, 2011 3:38 pm

Re: Is my methodology correct or am I going about Penetration Testing all wrong?

<grin>  Funny, I did ALMOST the same thing, a few years ago, ring and all. But in my case, wife didn't try to hide it.

BTW, if sil's wife is anything like mine, he got eyes rolled at him, as soon as he tipped his hand to her, though.  It's amazing how our wives put up with so much from us, but more amazing how much they're willing to dish out, in return, sometimes...  I can only imagine the following day or two...

And I agree with the kids thing, too. While mine haven't, yet, gone after the Xbox Live password, they try, hard, to get other passwords from me, all the time, through careful 'manipulation.' Fortunately, they just never figure out how mom and dad KNOW what they're up to.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
