.

How do you import your tools armoury for external engagements

<<

cb122

Newbie
Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Wed Jan 16, 2013 10:00 am

How do you import your tools armoury for external engagements

Can I just ask from a non-tech perspective (please bare this in mind with your responses), when you do network pen testing or vulnerability scanning services for your clients, perhaps simulating an “internal employee” angle, how do you get your set of vulnerability scanning and exploitation tools into your clients network – i.e. if there network admin says something along the lines of…

“you can’t install any vulnerability scanning tools on any of my servers, and you can’t attach your own vulnerability scanning laptop to our network to use that, plus all our devices use full disc encryption so you can’t use boot discs, and you won’t have administrator rights on any corporate device we give you to install whatever you chose”

- where do you store and run your tools from? Are network admins typically like this? Can your tools be run as “portable apps” from a USB device? But then I guess there may also be USB policies restricting those. I don’t even know which tools are current, but I have always wondered how you get your armoury in a position to scan the network if the admin has demanded compliance and restraints.

Second part of the question - If there are ways to run vulnerability scanning tools direct from USB, can you recommend any free ones that will run from USB and produce a management freidnly vulnerability report on say a windows file server, so OS vulns, 3rd party software vulns, server software vulns etc. I am not bothered about exploit just a top level scan with potential issues.

Apologies for the basic level of the question but it is something that has always interested me. I guess from a network admin perspective their priority is keeping services online and at optimum performance, and not facilitating a platform for an ethical hacker. Please keep your answers pretty basic if at all possible and thanks in advance for any responses.

Cheers
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jan 16, 2013 11:15 am

Re: How do you import your tools armoury for external engagements

We bring our laptops on-site and connect directly to the client's network. We work with the client during the pre-engagement/scoping phase to identify and define any limitations that we must adhere to. We don't typically make an issue out of them as long as they're reasonable (i.e. automated scans kill the mainframe, please don't run automated scans against that server). If they're too extreme, that's usually indicative of a client trying to game the test and get an easy "pass" mark. You see this more when people are required to have regular pen tests performed (i.e. PCI) as opposed to when they go out of their way to get one to legitimately test their defenses.

Slightly off-topic, but someone I know was recently put in a situation where he had to test from a Windows kiosk system that was extremely locked down. You know, for "security" reasons. He just browsed through the shares via Network Neighborhood and found domain admin credentials in a batch file in an open share. It's sad to see more effort being put into cheating through a pen test than basic security.

Regarding portability, I'd just setup something like a BackTrack VM on an external USB or thumb drive. For free vulnerability scanners, you're pretty much stuck with OpenVAS, or a Home Feed for Nessus if you're using it for personal or testing/evaluation reasons.
The day you stop learning is the day you start becoming obsolete.
<<

cb122

Newbie
Newbie

Posts: 20

Joined: Tue Jan 15, 2013 8:54 am

Post Wed Jan 16, 2013 11:26 am

Re: How do you import your tools armoury for external engagements

Many thanks for your response. What is your view of OpenVAS as a vulnerability scanner?
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Wed Jan 16, 2013 3:04 pm

Re: How do you import your tools armoury for external engagements

cb122 wrote:What is your view of OpenVAS as a vulnerability scanner?


I use it all the time. Prefer it over Nessus... community support, open source, active updates, all have pushed it slightly ahead of nessus in my opinion.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Jan 16, 2013 3:10 pm

Re: How do you import your tools armoury for external engagements

Grendel wrote:I use it all the time. Prefer it over Nessus... community support, open source, active updates, all have pushed it slightly ahead of nessus in my opinion.


I haven't used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles? I haven't used the paid version either, but have read a little bit about it.
GSEC, eCPPT, Sec+
<<

Grendel

User avatar

Full Member
Full Member

Posts: 246

Joined: Thu Aug 28, 2008 8:48 am

Location: Colorado Springs, CO

Post Wed Jan 16, 2013 3:22 pm

Re: How do you import your tools armoury for external engagements

lorddicranius wrote:I haven't used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles?


There are no limitations with OpenVAS regarding IP ranges you can target, unlike the home version.I'm not sure what other bells and whistles you might be mentioning regarding Nessus, but I'm just after the scan results so I can validate it or other findings using other scanners.
- Thomas Wilhelm, MSCS MSM
ISSMP CISSP SCSECA SCNA IEM

Web Site:
  • http://HackingDojo.com
Author:
  • Professional Penetration Testing
  • Ninja Hacking
  • Penetration Tester's Open Source Toolkit
  • Metasploit Toolkit for Penetration Testing
  • Netcat Power Tools
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Wed Jan 16, 2013 3:25 pm

Re: How do you import your tools armoury for external engagements

cb122 wrote:Many thanks for your response. What is your view of OpenVAS as a vulnerability scanner?


There' a fairly recent post on here discussing OpenVAS vs Nessus which may be of interest: http://www.ethicalhacker.net/component/ ... ic,9379.0/
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Jan 16, 2013 5:39 pm

Re: How do you import your tools armoury for external engagements

Grendel wrote:
lorddicranius wrote:I haven't used OpenVAS yet. Is this compared to the home version of Nessus or the paid version with all its bells and whistles?


There are no limitations with OpenVAS regarding IP ranges you can target, unlike the home version.I'm not sure what other bells and whistles you might be mentioning regarding Nessus, but I'm just after the scan results so I can validate it or other findings using other scanners.


I was under the impression that the Professional version gave you access to some scripts that weren't included in the free one..? And is there a delay in plugin updates on the free one as well?
GSEC, eCPPT, Sec+
<<

m0wgli

User avatar

Sr. Member
Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Wed Jan 16, 2013 5:53 pm

Re: How do you import your tools armoury for external engagements

lorddicranius wrote:I was under the impression that the Professional version gave you access to some scripts that weren't included in the free one..? And is there a delay in plugin updates on the free one as well?


The professional feed does have additional features: http://www.tenable.com/plugins/

Historically the home feed did have a delayed feed, but this is no longer the case. AFAIK it's been that way for a few years now.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

lorddicranius

User avatar

Sr. Member
Sr. Member

Posts: 448

Joined: Thu Mar 03, 2011 3:54 am

Post Wed Jan 16, 2013 7:45 pm

Re: How do you import your tools armoury for external engagements

m0wgli wrote:Historically the home feed did have a delayed feed, but this is no longer the case. AFAIK it's been that way for a few years now.


That's good to know, thanks!

m0wgli wrote:The professional feed does have additional features: http://www.tenable.com/plugins/


And I think I can see where Tom's coming from.  The features in Professional, just going off that link, looks to be more geared toward enterprises setting it up for internal use?  As far as using for a pentesting situation, all you're really looking for is the scanning vulns aspect.
GSEC, eCPPT, Sec+
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Fri Jan 18, 2013 9:25 am

Re: How do you import your tools armoury for external engagements

It's quite common to bring our laptops on-site, and sometimes even scanner appliances as well, which can be quite huge and bulky. Sometimes when we do a host security assessment, remotely via a VPN connection or via another encrypted channel, we are told that we should save all our files in /tmp, and that any tools we install must in some cases be installed by them, or in other cases, be removed immediately after we have used them.
That's pretty much how we perform those kinds of tests. When we do wireless penetration tests, we bring our own laptops and alpha cards with good antennas as well. Otherwise, how would we be able to perform a test adequately and to e.g. high standards?  :)
I'm an InterN0T'er
<<

ziggy_567

User avatar

Sr. Member
Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Fri Jan 18, 2013 9:39 am

Re: How do you import your tools armoury for external engagements

Typically when I run across situations like this where the customer is trying to put restrictions on how we conduct the test, I try to explain that without the restrictions the client will get a more valuable report. If they continue to insist, I work within the Rules of Engagement and caveat the report where necessary.

Our normal setup for internal-type assessments is a laptop with pre-installed VMs with all our attack/assessment tools installed.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
<<

caissyd

User avatar

Hero Member
Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Jan 18, 2013 11:03 am

Re: How do you import your tools armoury for external engagements

Just to add an obvious point, I have never seen once a client that would allow me to install backdoors, rootkits or other malware. And I can understand them!

That being said, I tell them in my report that once I have got a system shell, I could have install them.

Also, bringing my own laptop also implies bringing my personal notes, scripts, etc. I don't know about you guys, but if I have, let's say, performed a VA on an Oracle database a year ago and haven't touched it since then, I would be a bit rusty...

Anyways, obvious but worth mentioning.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Fri Jan 18, 2013 5:38 pm

Re: How do you import your tools armoury for external engagements

I think you need to be careful how you define a backdoor. The MSF psexec module uploads a malicious exe to System32 (by default) and runs it via a service? Is that a backdoor? Perhaps.

I've strangely enough found this in back-to-back engagements, so I did a short write-up about it: https://www.infosiege.net/2013/01/wbemm ... -freeftpd/

I'd certainly consider that to be a backdoor, but it was necessary to compromise the system.

At the same time, I've never instead a RAT that gives me access from anywhere in the world. When in doubt, consult your client contact before proceeding.

Regarding notes, check out Evernote. That'll sync your notes between pretty much any device. Even if I couldn't use my laptop for whatever reason, I'd still have access to my notes on my iPhone and iPad.
The day you stop learning is the day you start becoming obsolete.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 4 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software