Security Basics
which is next step after using tools in penetration testing? Feb 25 2009 04:25AM
manoj karkhanis (mkarkhanis gmail com) (1 replies)
Re: which is next step after using tools in penetration testing? Mar 04 2009 05:15AM
Vivek P (iamherevivek gmail com) (1 replies)
Re: which is next step after using tools in penetration testing? Mar 04 2009 07:07PM
Meenal Mukadam (meenal mukadam gmail com)
Hello Manoj,

Let me clear up a point. A penetration test is not just about using tools.
Do visit this site
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

I would like to add to Mr. Vivek's great reply. Before conducting a PT
for your organization you need to clearly understand the Business
objectives of your organization along with your organization's
Security appetite.

1) Study the Information Security policy document and other related
documents of your organization

2) Clearly list what is the scope/exclusions for your PT and what is
expected result from the exercise

2) Try and gather as much information as possible

3) Identify the possible loopholes

4) Once you have identified the weaknesses try and exploit them

5) Gather evidence at each and every stage of your PT (Snapshots, tools
report, policy and documents, etc.)

6) Draft a clear & comprehensive report presenting the findings and
recommendations if any

You can exploit the loopholes using tools. But this is just one way to
do it. You can try various other testing methods. You can do social
engineering, dumpster diving, etc. For this you don't even need to know
scripting. You need to have sound Interpersonal skills.

E.g.: You want to escalate your privileges to get your hands on your
organization's confidential information. You can use tools, SQL
queries, brute force methods, etc. But the simplest way is to get your
Admins/Information owner's password :)

So wish you all the best with your PT exercise :)

Regards,

Meenal A. Mukadam

On Wed, Mar 4, 2009 at 10:45 AM, Vivek P <iamherevivek (at) gmail (dot) com [email concealed]> wrote:
>
> Hi Manoj,
>
> I really appreciate your effort to do an internal penetration testing
> for your organization ;). I am sharing some method I suggest to my
> team of penetration testers (when they are under training).
>
> 1. Assume that you do not know anything about the system that you are
> attacking / pen testing (this will help you do justice to what you do,
> you being I.T. Engineer could have a lot of information about the apps
> being used at your organisation)
>
> 2. Make sure that you just have the basic information like domain
> names / ip addresses and applications that are running on them.
>
> 3. Use the list of approaches & tools listed at
> www.vulnerabilityassessment.co.uk (Thanks to Kevin Orrey) as a sample
> list of tools / methods that you can use to explore holes /
> vulnerability
>
> 4. Once you short list the holes and vulnerabilities, sit with your
> production team, CTO / CISO / CIO to choose which vulnerabilities need
> to be exploited to prove your point that these holes are serious and
> could affect business.
>
> 5. With the list of exploits to be executed, as our friends explained
> before, go with metasploit framework and search exploits from the
> milw0rm or similar websites.
>
> 6. Also I would advise you to go through securityfocus.com and other
> sites where these vulnerabilities, their exploits and their tracks are
> maintained.
>
> Wishing you an interesting pen test exercise.
> --
> Regards
>
> Vivek P Nair
> VP Technology | Head Special Services Group
> Appin Software Security Private Limited
>
> | vivekp (at) appinonline (dot) com [email concealed] | vivek.p (at) appinlabs (dot) com [email concealed] | 09999668010  |
> d3adbra1n.wordpress.com |
>
> Three ways to gain Success
>
> 1. know more than others
> 2. work more than others
> 3. expect less than others
>
>
>
>
> On Tue, Feb 24, 2009 at 8:25 PM, manoj karkhanis <mkarkhanis (at) gmail (dot) com [email concealed]> wrote:
> >
> > Hi All,
> >
> >
> > I am doing PT for our organisation internally but as per my
> > experience I am not able to do any exploit using tools
> >
> > so I want to know what is the next step after tools. As I know that we can use
> > scripting tools for this. I am I.T. Engineer and I understand syntax
> > of Java, C++.
> >
> >
> > But I came to know that Perl, Python are most useful languages.
> > Please someone help me.
> >
> >
> >
> > Regards,
> > Manoj

--
Meenal A. Mukadam

-----------------------------------------------------------------
http://www.linkedin.com/in/meenalmukadam
-----------------------------------------------------------------
Far away there in the sunshine
are my highest aspirations.
I may/maynot reach them,
but I can look up and see their beauty,
believe in them and try to follow
where they lead
-------------------------------------------------------------

Copyright 2009, SecurityFocus