Wednesday, December 22, 2010

Pentest Cycle Quick Reference

Reconnaissance: Normally no active tests are performed on targets. At this phase Google is your friend. You try to learn all you can about potential organizations/targets from available public sources.
Scanning: This phase involves identifying live targets and their open ports on a network.
  • unicornscan 10.0.0.1
  • nmap -sS 192.168.1.1-255; nmap -sn -PR 192.168.1.0/24 (-PR is the ARP ping for hosts on the local segment)
  • netdiscover -r 10.0.0.0/24 -i eth0
Enumeration/OS fingerprinting: Learn more about the applications listening behind the discovered open ports. This involves sending packets to open ports and analyzing the responses sent back by the services. By analyzing these responses, the OS might be determined here as well.
  • nmap with the -sV and/or -O option
  • amap -Abqv 10.0.0.1 80; amap -B 10.0.0.1 80
  • xprobe2 -p tcp:445:open 10.0.0.1
  • httprint for webserver enumeration
  • metasploit and the smb_version module if port 445 or 139 is open
  • nmap --script smb-os-discovery -p 445 10.0.0.1
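Seen from the blue-team side, the scanning and enumeration steps above leave a distinctive footprint in firewall logs: one source touching many ports on one host within a short window (a port scan), or one port across many hosts (a sweep). The Python below is an added example, not part of the original post, that runs that detection over constructed netfilter LOG-style lines; the log layout, the addresses, the 60-second window and the thresholds of ten ports/ten hosts are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the fields a netfilter LOG rule writes to syslog: timestamp, SRC, DST,
# PROTO and DPT. The exact layout is an assumption for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_events(text):
    """Turn firewall log text into sorted (time, src, dst, proto, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # lines from other daemons are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))))
    events.sort(key=lambda e: e[0])
    return events


def detect_scans(events, window_seconds=60, port_threshold=10, host_threshold=10):
    """Return (src, kind, count) findings.

    'vertical'   : one source hit >= port_threshold distinct ports on a single host
                   within window_seconds (the nmap -sS / unicornscan pattern);
    'horizontal' : one source hit >= host_threshold distinct hosts on a single port
                   within window_seconds (a sweep, the nmap -sn / netdiscover pattern
                   as it appears at layer 3).
    """
    by_src = defaultdict(list)
    for ts, src, dst, _proto, dpt in events:
        by_src[src].append((ts, dst, dpt))

    findings = []
    for src, evs in by_src.items():
        max_ports = max_hosts = 0
        # Slide a window starting at every event; fine for an example, not for a SIEM.
        for i, (t0, _, _) in enumerate(evs):
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for t, dst, dpt in evs[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                ports_per_host[dst].add(dpt)
                hosts_per_port[dpt].add(dst)
            max_ports = max(max_ports, *(len(s) for s in ports_per_host.values()))
            max_hosts = max(max_hosts, *(len(s) for s in hosts_per_port.values()))
        if max_ports >= port_threshold:
            findings.append((src, "vertical", max_ports))
        if max_hosts >= host_threshold:
            findings.append((src, "horizontal", max_hosts))
    return findings


def _line(sec, src, dst, dpt):
    # Constructed netfilter LOG-style record for the example (not a real capture).
    return (f"Dec 22 10:00:{sec:02d} fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55 "
            f"SRC={src} DST={dst} LEN=60 PROTO=TCP SPT={40000 + sec} DPT={dpt} WINDOW=1024 SYN")


# Constructed sample: a 12-port scan from .50, a port-445 sweep from .60,
# ordinary web browsing from .70, and one unrelated sshd line.
SAMPLE_LOG = "\n".join(
    [_line(i, "10.0.0.50", "10.0.0.1", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])]
    + [_line(i, "10.0.0.60", f"10.0.0.{10 + i}", 445) for i in range(10)]
    + [_line(i * 10, "10.0.0.70", "10.0.0.1", 80 if i % 2 == 0 else 443) for i in range(4)]
    + ["Dec 22 10:00:30 fw sshd[123]: Accepted publickey for admin from 10.0.0.70 port 5022"]
)

if __name__ == "__main__":
    for src, kind, count in detect_scans(parse_events(SAMPLE_LOG)):
        unit = "ports" if kind == "vertical" else "hosts"
        print(f"{src}: {kind} scan, {count} distinct {unit} within the window")
```

The browsing client (.70) never crosses either threshold, so only the two scanners are reported; in practice the thresholds are tuned against what vulnerability scanners and monitoring systems legitimately do on the network.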

Research: After identifying the OS and its applications (and in some cases their versions), you will want to research that app for potential vulnerabilities and security bypasses. Some resources that you can use to research vulnerabilities are:
  • www.securityfocus.com
  • www.exploit-db.com
  • www.secunia.com
  • www.google.ca
Exploitation: After finding potential vulnerabilities and exploits in your research phase, you will want to try these exploits against the vulnerable apps. In some cases you will be required to compile and/or modify the exploit code to get things working or simply to suit your needs. Some tools that aid in the exploitation phase are:
  • metasploit
  • www.exploit-db.com or a local copy of their archive as found in BackTrack 4
  • local copy of the milw0rm exploits archive
  • fasttrack
  • milw0rm
  • SET, i.e, social engineering toolkit
Maintaining Access: After you have successfully exploited a target, you will want to ensure that access to the remote vulnerable host will be quick and easy. You may be required to open a port in the firewall or just turn that darn thing off. Some tools that can be used here are:
  • netcat
  • cryptcat
  • mirkov
  • guptachar (see blogpost)
  • metsvc (meterpreter)
  • rootkits
Clearing Tracks: This step basically involves clearing traces of your activity on the vulnerable machine, including uploaded files and any events that may have been logged to the event viewer that may indicate that the machine has been compromised. Rootkits can also help hide your uploaded files, your open ports, running services, etc. These are very difficult to detect and mitigate.
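From the defender's side, the two phases above are where persistence and track-clearing leave measurable traces: a listener that was not there when the host was baselined, and a log whose timestamps jump forward or run backwards. The Python below is an added example, not from the original post, that diffs a constructed `ss -ltnp`-style snapshot against a baseline and checks a constructed syslog excerpt for gaps; the snapshot layout, the cron cadence and the 600-second gap threshold are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed `ss -ltnp`-style snapshots (not real output). The baseline is what the
# host looked like when it was built; the current snapshot was taken later.
BASELINE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=702,fd=6))
"""

CURRENT_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=702,fd=6))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=9912,fd=3))
"""

# Constructed syslog excerpt: cron fires every five minutes, then forty minutes are
# missing, and the last entry carries an earlier timestamp than its predecessor.
SAMPLE_SYSLOG = """\
Dec 22 10:00:01 host CRON[1001]: (root) CMD (run-parts /etc/cron.5min)
Dec 22 10:05:01 host CRON[1010]: (root) CMD (run-parts /etc/cron.5min)
Dec 22 10:10:01 host CRON[1020]: (root) CMD (run-parts /etc/cron.5min)
Dec 22 10:15:01 host CRON[1030]: (root) CMD (run-parts /etc/cron.5min)
Dec 22 10:55:01 host CRON[1110]: (root) CMD (run-parts /etc/cron.5min)
Dec 22 11:00:01 host CRON[1120]: (root) CMD (run-parts /etc/cron.5min)
Dec 22 10:58:00 host sshd[1099]: Accepted password for admin from 10.0.0.50 port 5100 ssh2
"""

# Local address, port and owning process name of each LISTEN row (assumed layout).
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
# Classic syslog timestamp at the start of a line.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")


def parse_listeners(text):
    """Return the set of (address, port, process) tuples in LISTEN state."""
    found = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2)), m.group(3)))
    return found


def new_listeners(baseline_text, current_text):
    """Listeners present now that were absent at baseline: persistence candidates."""
    return sorted(parse_listeners(current_text) - parse_listeners(baseline_text))


def log_gaps(text, max_gap_seconds=600):
    """Return (prev_line_no, line_no, seconds) for each adjacent pair of entries whose
    timestamps run backwards or are further apart than max_gap_seconds.

    A long gap in a log that normally has a steady heartbeat (cron, a health check)
    is a sign that entries were removed; a backwards jump is a sign of editing or
    of replayed entries. Neither proves tampering on its own, both deserve a look.
    """
    findings = []
    prev_ts = prev_no = None
    for no, line in enumerate(text.splitlines(), 1):
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        if prev_ts is not None:
            delta = (ts - prev_ts).total_seconds()
            if delta < 0 or delta > max_gap_seconds:
                findings.append((prev_no, no, int(delta)))
        prev_ts, prev_no = ts, no
    return findings


if __name__ == "__main__":
    for addr, port, proc in new_listeners(BASELINE_SS, CURRENT_SS):
        print(f"new listener: {addr}:{port} owned by {proc}")
    for a, b, secs in log_gaps(SAMPLE_SYSLOG):
        print(f"log anomaly between lines {a} and {b}: {secs} seconds")
```

The baseline snapshot and the previous log position have to be stored somewhere the compromised host cannot rewrite (a central log server, a read-only share), otherwise the comparison is against whatever the intruder left behind.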

These are just guidelines that I've learnt from various resources. The majority of pentesters out there tend to follow guidelines similar to those I've outlined. There are many more tools that can be utilized in each phase, but that was not the purpose of this blog post. It is important to have an idea of the overall phases that one may encounter in real life and why each is important. I did not go into much depth, but each phase has its value. It is very important to know your tools, to practice using them and to know when to use them, as your experience can be the deciding factor in whether you get in or whether you serve yourself a serving of fail.