Friday 22 October 2010

Offensive security Pentesting with backtrack

I'm currently doing the Offensive security online training "Pentesting with Backtrack"

I chose this as my first course for certification because of the good things I had heard about it and because it is a much more practical course than a theoretical one. It does, of course, give a lot of theory along the way, but it teaches you how to really apply it in a real-life situation.
I'm currently nearly a week in and really enjoying the course (even though it has involved a few late nights, as it is coinciding with a project at university). The thing I am liking most about the course so far is that it really encourages you to try extra things by making them count for something at the end.
I've learnt a lot more Python already in just a week, and I feel I will be using it to automate things a lot more often in the future.

I particularly liked this script I just created, which scans a subnet for SMTP servers (port 25 only),
but even this could easily be adapted for other things; a more generic version could be accomplished just by adding another argument that accepts a port number.

But here is the code for '' -

#!/usr/bin/python2.5 -tt

import socket, sys

if len(sys.argv) != 2:
  print "Usage    :", sys.argv[0], " <subnet>"
  print "example  :", sys.argv[0], " 192.168.13."
  sys.exit(1)

subnet = sys.argv[1]
#make sure the prefix ends with a dot so the last octet can be appended
if not subnet.endswith('.'):
  subnet = subnet + '.'
for i in range(254):
  ip = i + 1
  ip = subnet+str(ip)
  try:
    #create a socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    #set timeout in seconds (without this a filtered host would hang the
    #loop for the OS default connect timeout)
    sock.settimeout(1)
    #connect to a server
    sock.connect((ip, 25))
    #close socket
    sock.close()
  #if error occurs (refused or timed out)
  except socket.error:
    #carry on to the next IP
    continue
  #print the IP if you didn't catch an error
  #as this means that it connected i.e. smtp server running on machine
  print ip
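As an added example (not the script from the post), here is the generic version the paragraph above suggests, rewritten for Python 3 with the port taken as a second argument and a connect timeout so that a filtered address does not stall the sweep; the function names expand_subnet, port_open and sweep are my own.

```python
#!/usr/bin/env python3
"""Generic TCP reachability sweep (added example): the SMTP-only script
above, with the port taken as a second argument as the post suggests."""
import socket
import sys


def expand_subnet(subnet):
    """Turn a /24 prefix such as '192.168.13.' (trailing dot optional)
    into the 254 host addresses .1 to .254."""
    prefix = subnet if subnet.endswith('.') else subnet + '.'
    if prefix.count('.') != 3:
        raise ValueError("expected three dotted octets, e.g. 192.168.13.")
    return [prefix + str(i) for i in range(1, 255)]


def port_open(ip, port, timeout=1.0):
    """True if a TCP connection to ip:port completes within timeout.
    The timeout matters: a filtered host would otherwise block the loop
    for the OS default connect timeout (often over a minute)."""
    try:
        # socket.timeout is an OSError subclass, so one except covers
        # refused, unreachable and timed-out connections
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(subnet, port, timeout=1.0):
    """Return the addresses in the subnet that accept connections on port."""
    return [ip for ip in expand_subnet(subnet) if port_open(ip, port, timeout)]


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print("Usage   : %s <subnet> <port>" % sys.argv[0])
        print("example : %s 192.168.13. 25" % sys.argv[0])
        sys.exit(1)
    for ip in sweep(sys.argv[1], int(sys.argv[2])):
        print(ip)
```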

And if you want to learn more about Python in general (as I will be using it in my university project, I thought it would be handy to learn anyway), I've found that, for starters, a good source is Google's Python Class videos by Nick Parlante, which can be found here:

Sunday 3 October 2010

How to destroy a company and be a better pentester for it

Chris Nickerson’s recent talk at BruCON was probably the one that changed my way of thinking the most.

He pointed out the fact that the way things are currently being done just DOES NOT WORK.
Just because you do a pentest, get root and go “look, I got root, I just p0wn3d you b14tch!!!111” – this doesn’t really mean anything to them. To a lot of security professionals this means a hell of a lot and it is a major problem, but to the head of a company we could be talking an alien language.
Unless we show them what somebody could do with these exploits, then we are doing a bad job, as they won’t think it is that important, and they won’t fix the problems.

I don’t necessarily think we need to go as far as some of the suggestions made in the talk (for example, taking pictures of the CEO’s children and saying you could kidnap them may not be the best idea), but we are able to show some of the things that could be possible. So if you have root on the payroll system, you could show how you could print everybody’s payment details, showing their bank details and telling each person how much they earn compared to the person sitting next to them, and how this could affect the company.
In the end, this is all these people will care about. We aren’t the ones who need to make the decisions on what would be best for the company; however much it may annoy us, it could be economically better for the business not to fix certain faults, as they will only pay out money where it really needs investing. So you have to show them that they really need to fix this vulnerability in their network, or there could be some real consequences for their business.

I want to thank Chris for such a great presentation and for pointing out how much we suck, so that hopefully we can all eventually be better at our jobs.