I really appreciate your effort to do an internal penetration testing
for your organization ;). I am sharing some method I suggest to my
team of penetration testers (when they are under training).
1. Assume that you do not know any thing about the system that you are
attacking / pen testing (this will help you do justice to what you do,
you being I.T. Engineer could have alot of information about the apps
being used at your organisation)
2. Make sure that you just have the basic information like domain
names / ip addresses and applications that are running on them..
3. Use the list of approaches & tools listed at
www.vulnerabilityassessment.co.uk (Thanks to Kevin Orrey) as a sample
list of tools / methods that you can use to explore holes /
vulnerability
4. Once you short list the holes and vulnerabilities, sit with your
production team, CTO / CISO / CIO to choose which vulnerabilities need
to be exploited to prove your point that these holes are serious and
could affect business.
5. With the list of exploits to be executed, as our friends explained
before, go with metasploit framework and search exploits from the
milw0rm or similar websites.
6. Also i would advise you to go through securityfocus.com and other
sites where these vulnerabilities, its exploits and their tracks are
maintained.
wishing an interesting pen test exercise.
--
Regards
Vivek P Nair
VP Technology | Head Special Services Group
Appin Software Security Private Limited
1. know more than others
2. work more than others
3. expect less than others
On Tue, Feb 24, 2009 at 8:25 PM, manoj karkhanis <mkarkhanis (at) gmail (dot) com [email concealed]> wrote:
>
> Hi All,
>
>
> i am doing pt for our organisation internally but as per as my
> experience i am not able to any expoit usig tools
>
> so i want to what is next step after tools. as i know that we can use
> scripting tools for this. i am I.T. Engineeer. and i understand syntax
> of java , c++.
>
>
> but i came to know that perl, python are most useful languages.
> please someone help me .
>
>
>
> Regards,
> Manoj
I really appreciate your effort to do an internal penetration testing
for your organization ;). I am sharing some method I suggest to my
team of penetration testers (when they are under training).
1. Assume that you do not know any thing about the system that you are
attacking / pen testing (this will help you do justice to what you do,
you being I.T. Engineer could have alot of information about the apps
being used at your organisation)
2. Make sure that you just have the basic information like domain
names / ip addresses and applications that are running on them..
3. Use the list of approaches & tools listed at
www.vulnerabilityassessment.co.uk (Thanks to Kevin Orrey) as a sample
list of tools / methods that you can use to explore holes /
vulnerability
4. Once you short list the holes and vulnerabilities, sit with your
production team, CTO / CISO / CIO to choose which vulnerabilities need
to be exploited to prove your point that these holes are serious and
could affect business.
5. With the list of exploits to be executed, as our friends explained
before, go with metasploit framework and search exploits from the
milw0rm or similar websites.
6. Also i would advise you to go through securityfocus.com and other
sites where these vulnerabilities, its exploits and their tracks are
maintained.
wishing an interesting pen test exercise.
--
Regards
Vivek P Nair
VP Technology | Head Special Services Group
Appin Software Security Private Limited
| vivekp (at) appinonline (dot) com [email concealed] | vivek.p (at) appinlabs (dot) com [email concealed] | 09999668010 |
d3adbra1n.wordpress.com |
Three ways to gain Success
1. know more than others
2. work more than others
3. expect less than others
On Tue, Feb 24, 2009 at 8:25 PM, manoj karkhanis <mkarkhanis (at) gmail (dot) com [email concealed]> wrote:
>
> Hi All,
>
>
> i am doing pt for our organisation internally but as per as my
> experience i am not able to any expoit usig tools
>
> so i want to what is next step after tools. as i know that we can use
> scripting tools for this. i am I.T. Engineeer. and i understand syntax
> of java , c++.
>
>
> but i came to know that perl, python are most useful languages.
> please someone help me .
>
>
>
> Regards,
> Manoj
[ reply ]