Re: A little Help with Pen Testing My systems!

"mike Hughes" <mikehughes013@hotmail.com> 11/03/2003 04:27  

        To:     pen-test@securityfocus.com
        cc: 
        Subject:        A little Help with Pen Testing My systems!

Hi Mike

>I have set up a little network at home, for "my own Penetration Testing
its
>own network running windows XP default install and (Zonealarm, Sygate)

Cool. Good for practice ;-)

>My question:

First: the right order is vulnerabilities, then xploits (if they're available).
I think that perhaps you don't have very clear the concept of a xploit. The xploit is the mechanism you use to... well, EXPLOIT a vulnerability you found. It can be a command with certain parameters, a wicked URL, a C program, etc etc etc.
If you browse throu differed BIDs in SecurityFocus, you will see that different vulnerabilities have different TYPES of xploits, and some of them didn't have a xploit so far.

>installed SYGATE with default settings on Windows XP machine, Went over
to

Just a comment. Never used SYGATE myself.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

>Linux and ran a NMAP scan:
with
>an ALERT-just logged it!

That seems to be good.

>So then tryed NESSUS against this machine and got back:
to
>determine a lot of information about the remote host \nby querying th$
server
>is running on the remote host. Make sure that\nyou are running the lat$
look
>for documents on this service and see what i can do with it?

USUALLY 123 is NTP (Network Time Protocol), dunno if XP has this open for different purposes (you can never trust Micro$oft ;-)

>But if it is behind a firewall can it still be exploited???and would
disable
>the firewall first? or...<-------

Let me explain. In the nmap scan above you did a SYN scan, that's TCP. Nessus detected 123/udp open, not TCP.
Your firewall seems not to be blocking UDP.

>Than i installed zonealarm and searched for exploits on it and found this

>nmap exploit and ran an NMAP scan like this:

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Sorry, this is not a xploit. This is just a way to use nmap (source port scanning). Has NOTHING to do with a xploit.

>nmap -g67 -P0 -sS 111.11.111.111

>and run that against the Firewalled machine too see what happens.

No, just try to use nmap's 'UDP scan'.

>I also remember Windows XP installs MSN Messenger by default. Soo i
searched

Sorry again, this is Windows Messenger, and has nothing to do with MSN Messenger...

>around more and found this:

Didn't know this link, thanks!

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

>And i ran the test with SYGATE firewall enabled, and a POP-WINDOW POPPED
UP
>Soo that means it can be accesiable right??
How
>come?

Could be that you'r firewall isn't protecting you in the right way? Or perhaps is "stealthing" your ports, but they still answer a proper request.
I've no experience with SYGATE, but I recommend that you read the documentation that come with the product.

>Soo can anyone tell me i DONT mean step by step "but(SUGGESTIONS, IDEAS)"
on
>how do people exploit things or "how they do there own assesments" like

Get as much information as possible about the target, that include proper port scans, service identification, banner grabbing, etc. Do some search about the services available, to detect those with vulnerabilities (Nesuss can help, but beware of false positives). Check if those with vulnerabilities have xploits available. Got information about the xploits, and the xploits themselves if they're programs. Create a situation similar to your target in your lab. TEST all the xploits and techniques in your lab, until both you're confident, and you what works and what won't work. USE the working xploits on the target.

>ENOUGH.. I want to test HPING against it too but there are just soo many
How

I think that you're trying to get all the information at once, and are getting confused. Go slowly, step by step. I'm here right now, but I started with computerized systems in 1982, and with IT security around 1997.
You've to UNDERSTAND how tools like hping2 works, not to use a recipe.

>would some of you approach something like this: im really trying to get
into
>more secuirty now by reading and playing but am sort of "stumped right
now!"
>Any ideas (tips) i should try or should do differently that would help me
on
>my testings.Again this is all against my own machines... and im not
asking
>steps but maybe a little push..just to learn more about the secuiry
issues
>with them and learn how hackers would approach ISSUES like this. Ohh ya i

>found this code also for bypassing firewalls but dont understand it, i
wanna
>learn about it beofore i try it and play with it from here:

Can't find what you're looking for?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I'll try to visit this link later.

>Thanks Mike

I'll suggest that you put your hands on the excellent book "Hacking Exposed, 4th edition".
Cheers,

Nekromancer

Are your vulnerability scans producing just another report? Manage the entire remediation process with StillSecure VAM's Vulnerability Repair Workflow.
Download a free 15-day trial:
http://www2.stillsecure.com/download/sf_vuln_list.html Received on Wed Mar 12 09:36:40 2003