
How does pen-testing work in practice?


michael_kent123


It seems to me from reading various pen-testing guides that there is a 'standard' approach to hacking a system which goes something like this:

Identify the target IP range (from WHOIS).
Scan all IPs (nmap, etc).
Use a vulnerability scanner (maybe).
Use Metasploit / Medusa (to target a specific port on a specific IP).

This approach targets the network layer rather than the web.

However, I wonder whether this approach works in practice.

Let's imagine that there is an academic institution with the IP range (I am making this up) 120.120.1.0 to 120.120.255.255. I use academia as an example as universities have many outward-facing IP addresses. Let's call it University X (original I know).

What you (the pen-tester) want to achieve is to gain access to users' e-mail. You want to be able to read people's e-mail. This could occur via valid username / password credentials (and login via the web interface, e.g. Outlook / Windows Live) or it could happen through some kind of access to the mail server (IMAP / POP) itself.

Assume that all you have is the IP range. What would you do? Would you follow the 'standard' model? Anything technical (no social engineering) is permitted. I am wondering whether what the guides say is truly how it would be done.

Thanks!
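A detection-side view of the "scan the whole range, then target a port" approach described above: this added example (not from the thread) parses constructed connection-log lines in an assumed format and flags a source that touches many distinct hosts in the range on the same port, then narrows the report to mail-service ports. The log format, the 120.120.0.0/16 monitored range and the five-host threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed format: "<time> <src> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
10:00:01 203.0.113.7 -> 120.120.1.10:143 DROP
10:00:01 203.0.113.7 -> 120.120.1.11:143 DROP
10:00:02 203.0.113.7 -> 120.120.1.12:143 DROP
10:00:02 203.0.113.7 -> 120.120.1.13:143 DROP
10:00:03 203.0.113.7 -> 120.120.1.14:143 DROP
10:00:03 203.0.113.7 -> 120.120.2.20:143 ACCEPT
10:00:04 203.0.113.7 -> 120.120.2.20:110 ACCEPT
10:00:05 198.51.100.4 -> 120.120.2.20:443 ACCEPT
10:00:06 198.51.100.4 -> 120.120.2.20:443 ACCEPT
"""

MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}  # SMTP/POP/IMAP and their TLS variants

def parse(line):
    """Return (src, dst, dport) for one log line, or None if it is malformed."""
    try:
        _, src, _, target, _ = line.split()
        dst, port = target.rsplit(":", 1)
        return src, str(ip_address(dst)), int(port)
    except ValueError:
        return None

def find_sweeps(log_text, monitored="120.120.0.0/16", min_hosts=5):
    """Return {src: {dport: host_count}} for sources that reached at least
    min_hosts distinct hosts inside the monitored range on the same port."""
    net = ip_network(monitored)
    seen = defaultdict(lambda: defaultdict(set))  # src -> dport -> {dst hosts}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or ip_address(rec[1]) not in net:
            continue
        src, dst, dport = rec
        seen[src][dport].add(dst)
    return {src: {p: len(h) for p, h in ports.items() if len(h) >= min_hosts}
            for src, ports in seen.items()
            if any(len(h) >= min_hosts for h in ports.values())}

def mail_sweeps(sweeps):
    """Keep only the swept ports that belong to mail services (IMAP/POP/SMTP)."""
    return {s: {p: n for p, n in ports.items() if p in MAIL_PORTS}
            for s, ports in sweeps.items()
            if any(p in MAIL_PORTS for p in ports)}
if __name__ == "__main__":
    print(mail_sweeps(find_sweeps(SAMPLE_LOG)))
```

On the sample above, the single source that walked six hosts on IMAP (143) is reported, while the source that only revisited one HTTPS host is not.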


Social Engineering is (in my opinion) the best way to establish business. CEOs are usually the best S.E's.

Also, the point of emails is somewhat obvious. Remember, an email is for nonrepudiation for a lot of websites.

Edited by Pwnd2Pwnr

If you want to know how to properly perform a pen test, then I recommend you read the Pen Test Standard:

http://www.pentest-standard.org/index.php/Main_Page

It is a guide that a group of us have put together, and we are trying to get it included in various standards such as ISO27000. If you want to hear more about it, then check out the videos from the first DerbyCon, where we had a panel discussion about why we are doing it and what we hope to achieve with it.


If you want to know how to properly perform a pen test, then I recommend you read the Pen Test Standard:

http://www.pentest-standard.org/index.php/Main_Page

It is a guide that a group of us have put together, and we are trying to get it included in various standards such as ISO27000. If you want to hear more about it, then check out the videos from the first DerbyCon, where we had a panel discussion about why we are doing it and what we hope to achieve with it.

QFE