Remotesh Posted April 30, 2011 Posted April 30, 2011 (edited) Hey guys, Mind giving me some advice/tips? (References and such.) My school is getting full wifi next year. (As in all the students are going to be allowed to connect to it with their machines, along with the teachers.) And as the Network Admin assistant, my job is to pentest it. (Its more of an assignment than a job) Since most of our machines are windows xp sp3 boxes hooked via lan, and laptops teachers/students will bring in. I was thinking of using armitage for a quick and dirty pentest (On a controlled environment!!!), to get access, etc Basically find common exploits. (So I can put together a report so that we may inform the teachers/staff) I ask you what you guys would do. Note* Im on a backtrack 4 / Windows 7 64bit Asus Eee 1201n netbook as my pentesting machine. At home I've set up some VM's but I have only really worked on single windows xp computers not a windows vista/7 and mac's. All help is appreciated -Remotesh Edited April 30, 2011 by Remotesh Quote
Infiltrator Posted April 30, 2011 Posted April 30, 2011 I really hope you have authorization to perform this pen-testing. Secondly, I would suggest watching some of security videos from securitytube.net, lately there have been lots of good videos uploaded, especially tutorials on how to secure your wireless connection. Furthermore, you will find the videos very informative and educational. Quote
Mr-Protocol Posted April 30, 2011 Posted April 30, 2011 (edited) Pen testing is not for the network admin assistant... It's for the job of a professional pen tester or someone in-house who is knowledgeable to do so. But it's typically done externally. Not only that, sounds kind of sketchy to me. And if you want to learn something... play with it. You aren't going to get a "Walk through guide to pen testing" It takes more than "10 minute pen test walk through" to understand and be able to be an effective pen tester... Not only that but the job of a pen tester really isn't much on getting access to systems or servers. It's explaining in a report, after the pen test, to the user/company about the possibilities of the vulnerabilities found. Edited April 30, 2011 by Mr-Protocol Quote
Remotesh Posted April 30, 2011 Author Posted April 30, 2011 (edited) I know it takes a while to learn some pen testing techniques thats why I want to start now so I have till next year to expand my "utility belt" per say. I should have stated that I am not going to pen test the real environment. And its not my job as much as it is my assignment. We are going to have a small setup of 5-10 windows boxes, and a few laptops from the laptop carts. This is all so that we can put together a powerpoint/report so that we may inform the teachers/staff on what can happen, and how to tell if you're system is compromised and not to leave your computer logged in and such (You wouldn't believe how many times some of the students mess with the teacher by taking picture of their desktop and putting all the files in a folder and such.) Sorry for the confusion. Thanks, -Remotesh Edited April 30, 2011 by Remotesh Quote
joeypesci Posted April 30, 2011 Posted April 30, 2011 I'm far from an expert but advising people "Are you authorised to pen test this" isn't answering the question. I feel if someone asks a question we assume they know the legal issues involved. And seeing as it's a school I can see, it really doesn't surprise me they've asked the Admin assistant to do the pen test. Anything to save money in schools normally. But as above, I'd suggest looking at some security vids. If the network already has AD setup, then you could look up radius server. So sticking the WIFI on WPA 2 and with radius authentication, from what I remember, would give you to factor authentication. Crazy to know the NHS place I worked at, for years still used WEP. I told the network guys of it's insecurity and they shockingly said "But it's 128bit WEP" as if to suggest that would make it harder to crack. We were located opposite flats. Anyone living in those flats would of had a field day for years. Their excuse was always that no confidently info was being transmitted over our network. Bullshit, I knew there was. Amount of people that could of been Middling that network is shocking. Eventually they brought in a radius server. But didn't for years because of cost and lack of knowledge. So doesn't surprise me here that the OP is saying the school has asked the admin assistant to pen test. Quote
Remotesh Posted April 30, 2011 Author Posted April 30, 2011 I really hope you have authorization to perform this pen-testing. Secondly, I would suggest watching some of security videos from securitytube.net, lately there have been lots of good videos uploaded, especially tutorials on how to secure your wireless connection. Furthermore, you will find the videos very informative and educational. Pen testing is not for the network admin assistant...It's for the job of a professional pen tester or someone in-house who is knowledgeable to do so. But it's typically done externally.Not only that, sounds kind of sketchy to me. And if you want to learn something... play with it. You aren't going to get a "Walk through guide to pen testing"It takes more than "10 minute pen test walk through" to understand and be able to be an effective pen tester...Not only that but the job of a pen tester really isn't much on getting access to systems or servers. It's explaining in a report, after the pen test, to the user/company about the possibilities of the vulnerabilities found. I'm far from an expert but advising people "Are you authorised to pen test this" isn't answering the question. I feel if someone asks a question we assume they know the legal issues involved. And seeing as it's a school I can see, it really doesn't surprise me they've asked the Admin assistant to do the pen test. Anything to save money in schools normally.But as above, I'd suggest looking at some security vids. If the network already has AD setup, then you could look up radius server. So sticking the WIFI on WPA 2 and with radius authentication, from what I remember, would give you to factor authentication.Crazy to know the NHS place I worked at, for years still used WEP. I told the network guys of it's insecurity and they shockingly said "But it's 128bit WEP" as if to suggest that would make it harder to crack. We were located opposite flats. Anyone living in those flats would of had a field day for years. Their excuse was always that no confidently info was being transmitted over our network. Bullshit, I knew there was. Amount of people that could of been Middling that network is shocking. Eventually they brought in a radius server. But didn't for years because of cost and lack of knowledge. So doesn't surprise me here that the OP is saying the school has asked the admin assistant to pen test. Sorry for the confusion, I've edited my post a bit to give you guys more info, Thank you Infiltrator and Joeypesci for the advice/reference. And Mr. Protocol I do have authorization but thank you for caring all the same. Looks like I have a lot of securitytube to watch. Thanks guys -Remotesh Quote
Netshroud Posted May 2, 2011 Posted May 2, 2011 and laptops teachers/students will bring in. Jasager? Quote
Infiltrator Posted May 2, 2011 Posted May 2, 2011 Sorry for the confusion, I've edited my post a bit to give you guys more info, Thank you Infiltrator and Joeypesci for the advice/reference. Looks like I have a lot of securitytube to watch. Thanks guys -Remotesh Youtube, Irongeek and Google (no offense) has lots of information on pen-testing and network security, they will be a good place to research and learn more. On the other hand, if you feel like you struggling with something, just create a thread in here and I will be more than willing to assist you. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.