0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Archive for July 2008

Pentesting Timelines

with 2 comments

I’ve often run into the case of the network that simply can’t be satisfactorily tested in the time allotted to it. There are a couple reasons for this: tight budgets, sales processes that lead to “cookie-cutter” penetest sales, poor scoping, etc.

The typical solution to this is to document what could not be completed or tested fully and present this to the client. This is frustrating to both the pentester (who scoped the work) and the client (who likely expected the work to fully be completed on time).

I’m wondering if there’s a better way to do such work.

What if a pentest could be scheduled to happen over a two/three month period in which the client would be aware the the pentest could happen at any time, but wouldn’t be expecting malicious traffic at any given moment.

There are obvious benefits to such a situation:

  • The pentester has a more relaxed schedule to execute an attack.
  • The attacks can be more complex, as there is more time to plan.
  • The client’s defense can be more accurately tested (as they won’t be fully expecting the attack when it happens).

And obvious drawbacks:

  • The client needs to trust the pentester / pentester’s firm that they’re getting a fair share of time / work (A project plan and an unabridged log of work completed would help in this situation).
  • Project management would be more difficult. How do you ensure that you, as a tester, are giving adequate attention to a project?
  • The client couldn’t be under any time crunch (This happens more often than you would expect).

This could even be taken to the next level by putting a pentester on retainer, and ensuring that the network is fully examined every ~month. This seems the natural way to ensure complete and continuing coverage.

What are your thoughts? Is this a good / bad idea? How would you respond as a network manager? As a pentester?

Advertisements

Written by jcran

July 7, 2008 at 2:33 AM

Posted in Uncategorized

Tagged with ,

Pentesting Skillset

with 8 comments

I’ve been fumbling together a list of skills necessary to succeed as a pentester. This was prompted by mapping out my own short-term education and by gathering a list of necessary skills for potential hires.

These are the skills i find necessary and want to promote in my own team. I’m curious if the list is what you would expect a penetration tester to know?

This list doesn’t focus on important things like the security mindset and other high-level skills like communication, organization, and discipline. It also stays away from specific technical (attack) tools and techniques.  Its main goal is to establish a minimum understanding and capability baseline for a pentesting team.

  • General / Overall
    • Project Management – Start, maintain and complete a project
    • Toolkit and Exploit Management – Maintain a useful set of tools
    • Education – Stay up to date, learn new concepts (books, people, training)
    • Teaching – Explain new concepts, publish information
    • Research – Own a topic or research area
    • Bullshit Management – Ability to work in close quarters
  • Auditing
    • Law / Regulation Knowledge
      • HIPAA,FISMA,GLBA (High level regulations)
      • ISO17799,ISO27002 (IT standards)
      • PCI, COBIT (Lower-level guidelines)
    • CISSP Domains
  • Writing
    • Technical writing ability
    • Ability to analyze & correlate information
    • Ability to reconstruct a narrative from technical information
  • Social / People Skills
    • Common Sense – Finding the quickest, easiest solution to a problem at hand
    • Social Engineering
  • Searching / Information Gathering
    • Research Skills
    • Google Hacking
    • Recon Techniques
    • Information Correlation
  • Attack Modeling
    • Risk and Threat Modeling
    • Attack Modeling
    • Security Mindset
    • System Decomposition
  • Web Application Skills
    • General Development and Testing
    • AJAX
    • Design Patterns (MVC) – Ruby
    • Javascript Debugging – Venkman, Firebug
    • Web Services – Rest, XML-RPC, SOAP, json
    • Web Specific Languages – ASP, PHP, JSP, Coldfusion
    • Web Frameworks and Platforms – ASP.NET, J2EE
    • Database Administration
    • SQL / Data Query
  • OS-Specific Skills
    • System Administration
    • OS Theory
      • System Architecture
      • System Security Models
      • Filesystems, Networking, I/O
      • Startup / Shutdown
      • Analysis (dump, debugging, memory, forensic)
      • Management + Maintenance
    • Windows
      • Active Directory
      • Exchange / OWA
      • SQL Server
    • Linux / BSD
      • Apache
      • MySQL
      • Sendmail / Postfix
    • Package Managers
    • OS X
    • AIX / Solaris / Unix
    • Kernel / Posix
    • System Programming
  • Networking
    • Networking Theory
    • Protocol Theory
    • Routing and Switching
      • Cisco & Juniper
    • Firewalls
    • Embedded Devices
  • VOIP / Voice Skills
    • PSTN experience
    • Routing + Signaling Protocols
  • Scripting Skills
    • Bash,etc
    • Perl, Python, Ruby
    • PHP, ASP
    • Batch, VBScript, Powershell
  • Hardware Hacking
    • Embedded Devices
    • Electronics Theory
    • Secure Design of a System
  • Wireless
    • WEP / WPA / WPA2
    • Packet Injection
    • Hardware / Driver knowledge
    • Basic Encryption
      • Symmetric ciphers
      • Asymmetric ciphers
    • 802.11
    • Antenna Theory
    • Mobile Networking
      • CDMA, GSM, Mesh Theory
  • Development
    • Coding
    • Regular Expressions
    • Development
      • Design Patterns
      • Development Methodology
    • Version Control
    • Database Design
    • Language
      • C / C++, Java
      • C# / dotNet Framework
  • Vulnerability Development
    • Reverse Engineering
    • Buffer / Heap Overflows (explain + code + find)
    • Creative Thinking
    • Analytic Thinking
    • Coding / Debugging
    • Fuzzing
      • Testing Theory
      • File Fuzzing
      • Protocol Fuzzing
      • SPIKE, Peach, etc
  • Attack Analysis / Forensics
    • IDS / IPS experience
      • Snort / Commercial IDS
      • Honeypots
    • Forensics experience
    • Packet capture and analysis
      • packet dumps, bpf, flows, wireshark

Written by jcran

July 5, 2008 at 9:04 PM

Posted in Uncategorized

Sublime says…

leave a comment »

what happened?

You may notice the new blog (or not). I’ve recently switched everything over to hosted wordpress. Why? because i’m lazy. Looks like this will make it easier to focus on content.

Written by jcran

July 5, 2008 at 6:42 PM

Posted in Uncategorized

Tagged with ,

Disclosure

leave a comment »

About Me:
A pentester for a growing vulnerability assessment (product) firm.  My background is in computer science and i have no strict formal education in security. I’ve only recently gotten into the field, though i’ve been fascinated by computers and networks as long as i can remember.

My goals for hexESec are fairly straightforward:
– Keep track of interesting ideas, thoughts, and information in a public forum.
– Promote current work and projects.
– Build and maintain some semblance of a (good) reputation.
– Encourage others to share their ideas.

Written by jcran

July 5, 2008 at 6:33 PM

Posted in Uncategorized

Tagged with , ,

Hello world!

leave a comment »

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!

Written by jcran

July 5, 2008 at 6:07 PM

Posted in Uncategorized