michael_kent123 Posted June 10, 2013

It seems to me from reading various pen-testing guides that there is a 'standard' approach to hacking a system which goes something like this:

1. Identify the target IP range (from WHOIS).
2. Scan all IPs (nmap, etc).
3. Use a vulnerability scanner (maybe).
4. Use Metasploit / Medusa (to target a specific port on a specific IP).

This approach targets the network layer rather than the web.

However, I wonder whether this approach works in practice.

Let's imagine that there is an academic institution with the IP range (I am making this up) 120.120.1.0 to 120.120.255.255. I use academia as an example as universities have many outward-facing IP addresses. Let's call it University X (original, I know). What you (the pen-tester) want to achieve is to gain access to users' e-mail. You want to be able to read people's e-mail. This could occur via valid username / password credentials (and login via the web interface e.g. Outlook / Windows Live) or it could happen through some kind of access to the mail server (IMAP / POP) itself.

Assume that all you have is the IP range. What would you do? Would you follow the 'standard' model? Anything technical (no social engineering) is permitted. I am wondering whether what the guides say is truly how it would be done.

Thanks!

Pwnd2Pwnr Posted June 10, 2013 (edited)

Social Engineering is (in my opinion) the best way to establish business. CEOs are usually the best S.E's. Also, the point of emails is somewhat obvious. Remember, an email is for nonrepudiation for a lot of websites.

digininja Posted June 11, 2013

If you want to know how to properly perform a pen test then I recommend you read the Pen Test Standard:

http://www.pentest-standard.org/index.php/Main_Page

It is a guide that a group of us have put together and we are trying to get it included in various standards such as ISO27000. If you want to hear more about it then check out the videos from the first DerbyCon; we had a panel discussion about why we are doing it and what we hope to achieve with it.

digip Posted June 11, 2013

> If you want to know how to properly perform a pen test then I recommend you read the Pen Test Standard:
>
> http://www.pentest-standard.org/index.php/Main_Page
>
> It is a guide that a group of us have put together and we are trying to get it included in various standards such as ISO27000. If you want to hear more about it then check out the videos from the first DerbyCon; we had a panel discussion about why we are doing it and what we hope to achieve with it.

QFE