
I have been assigned to pen test some servers and have been provided the IPs of the same. In my past I have worked on application security testing projects and am aware of OWASP Top 10, SANS 25, etc., but from the server perspective I am still new. I have scanned the IPs with Nessus & Nmap (for open ports). From here how should I proceed?

Should I use any more scanners and then try to create a manual POC of the findings? I have found a few network adapters and internet webcams in the IPs provided. Is there any standard guideline document/guide/reference specifically for server penetration testing which I could refer to? Even any other ideas will be helpful.

  • This is an extremely broad question and a full answer is potentially very long. I'd start before the scan: look at DNS - what can you find in there? You may find associated machines, zone transfer possibility (look at the Fierce tool). Nmap can show you O/S guesses as well as open ports - you can use that. Find exploits for those open ports. Is NetBIOS open? Try a null session exploit. Other tools to try include Nikto, dmitry, OpenVAS. Can you find WAFs? Try the wafw00f tool. Metasploit is also an essential tool. As for defined approaches - look at PTES - Pen Test Execution Standard. – iainpb Mar 16 '17 at 10:30
  • A search for the term "pentesting framework" offers a lot of rich results. – schroeder Mar 16 '17 at 10:31

2 Answers

I am not sure of any doctrine. General principles dictate recon, exploit, gain access, maintain access and clear tracks with continued access.

You may refer to: https://technet.microsoft.com/en-us/library/2005.01.anatomyofahack.aspx?f=255&MSPPError=-2147217396 (very old)

Or the book

https://www.elsevier.com/books/penetration-testers-open-source-toolkit/faircloth/978-0-12-802149-1?start_rank=1&sortby=sortByDateDesc&imprintname=Syngress

Which gives you the tools (you should be able to grasp their sequence of usage).

Metasploit / Kali or any other similar Linux distribution will help you acquire more information about the targets. Find the vulnerabilities on the target using vulnerability databases. Exploit them to gain access and move laterally or vertically to increase your rights (from normal user to administrator). If the targets are fully patched and you find no documented software or firmware vulnerabilities (highly unlikely), you will have to look at exploiting their custom code - web services for in-house use.

I love this document, but again it doesn't directly answer your question. This is the anatomy of a hack by the person who hacked into http://hackingteam.com/

http://pastebin.com/raw/0SNSvyjJ

Also be extremely careful with your active actions.

Parth Maniar

Assuming that you're doing this black-box (without credentials for the hosts you're reviewing), then your next step is to assess the security of the open services.

That could include a range of activities, depending on the depth and scope of your assessment. For example, looking for default or crackable credentials, looking for known vulnerabilities in the versions of the software in use, etc.

As to things to refer to, there's a range of materials you could look at. Although it's a bit outdated these days, PTES has some information you might find useful.

You could also look at some books on the topic like Network Security Assessment, the Red Team Field Manual or the Hacker Playbook.

Rory McCune