Information Gathering with Maltego

Posted by: Tom

Last Wednesday I gave a presentation to the Northeast Ohio Information Security Forum on Maltego, which is a fantastic tool for information gathering. The presentation focused on a high level overview of the application and how it can be used for all types of security-related work, including security assessments, investigations and helping find public information about a company or person.

You can download the presentation here. Like I mentioned at the talk you can get more information on Maltego from the Paterva website. If you are looking for a few good tutorials you can check out part one and part two on Room362.com or Ethicalhacker.net.

Finally a use for Incognito

Posted by: Tom

Let's say (hypothetically, for the sake of this post) that you were able to exploit the system of a Windows domain admin during a pentest. The goal of this attack? Steal the credentials of the domain admin and continue on with owning the domain. Sure, you could use gsecdump and pass-the-hash and accomplish the same thing...however, Incognito (a tool for stealing and impersonating Windows access tokens) is nice when you know a system is vulnerable to an exploit and you want to do everything through a nice Metasploit meterpreter shell. The problem with gsecdump is that it would require you to use psexec to run it remotely on the admin's system. Depending on the scope of your assessment, and whether you are trying to be covert, gsecdump/psexec may not be the best idea, as you may get noticed by anti-virus, a HIDS alert or some other detection system on the host, or by the admin themselves (don't get me wrong...gsecdump is a GREAT tool and should be part of any pentest toolkit). So here comes Incognito to help you out in this situation...

How does Incognito work? I won't go into a ton of detail, as you can check out CG's posts over at Carnal0wnage. He did an awesome, detailed two-part write-up about the tool that you should check out. Here are the high level steps:

1. Ensure you have the latest Metasploit development snapshot. Not by doing an "svn update" of an existing release checkout either...you need a fresh Subversion checkout of the trunk ("svn co http://metasploit.com/svn/framework3/trunk/") and you run msfconsole from that trunk. Be warned that Subversion can be picky about proxy servers if you have to go through one.
2. Exploit system with Metasploit and a meterpreter payload.
3. Follow CG's posts (linked above)
4. Once you have impersonated the domain admin's token, use the tool from your meterpreter shell to create a domain user and add your new user to the Domain Admins group (again...follow CG's posts).
5. Continue on with your domain compromise...rinse and repeat with your next client and/or pentest! :-)
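As a practitioner's check on the other side of this procedure (an added example, not part of CG's write-up or the incognito extension), here is a bit of Python detection logic for step 4. Because the calls are made under the stolen token, the domain controller records the impersonated domain admin as the subject of the account creation and the group change, so neither event looks wrong on its own; what gives the activity away is the sequence. The script correlates "user account created" with "member added to a privileged group" for the same account within a short window. The event IDs are the real Windows ones (624/632/636 on Server 2003, 4720/4728/4732 on Vista and later); the CSV layout, account names, workstation names and timestamps are constructed for the example.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Windows security event IDs for the two steps in the post
# (Server 2003 ID / Vista+ ID): account created, member added to a group.
ACCOUNT_CREATED = {"624", "4720"}
MEMBER_ADDED = {"632", "4728", "636", "4732"}   # global / local group
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Constructed sample export (not a real log); the column layout is assumed.
SAMPLE_LOG = """\
timestamp,event_id,subject,target,group,workstation
2008-06-25 09:12:01,4720,CORP\\dadmin,CORP\\backup_svc,,DADMIN-WS
2008-06-25 09:12:07,4728,CORP\\dadmin,CORP\\backup_svc,Domain Admins,DADMIN-WS
2008-06-25 10:30:44,4720,CORP\\helpdesk1,CORP\\jsmith,,HD-WS01
2008-06-25 10:31:02,4728,CORP\\helpdesk1,CORP\\jsmith,Domain Users,HD-WS01
2008-06-25 15:45:19,4728,CORP\\dadmin,CORP\\ops_oncall,Domain Admins,DADMIN-WS
"""


def parse_events(text):
    """Parse the CSV export into dicts with a datetime 'ts' field, oldest first."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    events.sort(key=lambda r: r["ts"])
    return events


def find_fast_privilege_grants(events, window=timedelta(minutes=10)):
    """Flag accounts added to a privileged group within `window` of being created.

    Returns a list of dicts with the new account, the group, who did it
    (the subject, i.e. the impersonated admin), the originating workstation
    and the seconds between creation and the group change.
    """
    created = {}   # target account -> its creation event
    alerts = []
    for ev in events:
        if ev["event_id"] in ACCOUNT_CREATED:
            created[ev["target"]] = ev
        elif ev["event_id"] in MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            c = created.get(ev["target"])
            if c is not None and ev["ts"] - c["ts"] <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "subject": ev["subject"],
                    "workstation": ev["workstation"],
                    "seconds": int((ev["ts"] - c["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_fast_privilege_grants(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {a['account']} created and added to {a['group']} "
              f"{a['seconds']}s later by {a['subject']} from {a['workstation']}")
```

Run against the sample, only backup_svc is flagged: created and promoted to Domain Admins six seconds apart, by the admin account, from the admin's own workstation. The last sample line (an existing account added to Domain Admins on its own) is deliberately not caught by this rule; changes to privileged group membership deserve their own alert regardless of timing, and the window should be tuned to how your provisioning process actually behaves.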

Building the pentest team skillset

Posted by: Tom

I saw this post on Hexesec the other day that made me think about all the skills that, when put together, could make one kick ass penetration testing team. Note that this is a pretty large list of skills that would be difficult, if not impossible, for one person to master. However, it gives you an idea of the various skill sets that should be required for a robust, high caliber team.

As a pentester you should be familiar with most of these areas, meaning you should have working knowledge at a minimum. Of course, reverse engineering and vulnerability development may not be everyone's forte...but take, for example, the web application pentester. Reverse engineering and vulnerability development are skills that can be learned (especially if you have a deep programming and development background). The same goes for wireless penetration testing, which someone with a networking background can pick up easily. Everyone will still have their own specialty, but you can still expand on your existing skills to learn new ones.

What's the point? The more you and your team learn, the more valuable you become to your organization, your clients and your own career.

The Evolution of Penetration Testing

Posted by: Tom


Last week GNUCITIZEN posted an article entitled "Tiger Team Operations vs. Penetration Testing". I personally feel this is a spot-on article and a must read for anyone involved in either tiger team operations or penetration testing. The article focused on three areas in which these two types of assessments differ: quality, pricing and time frames. While these three areas are quite different when comparing a tiger team operation to a penetration test, I see something more when it comes to penetration testing. I see the penetration test as we know it eventually evolving into tiger team operations.

While we will always need to conduct traditional network and web application penetration tests, clients and employers are asking us to conduct more "unique" assessments. These include things like social engineering, client-side phishing, physical security reviews, user security awareness, or testing the overall security of a specific facility or business unit. These assessments address the changing threat landscape and the new ways information systems and people are being exploited.

A tiger team operation can fold many of these assessment types into one engagement of its own (including network and web application penetration testing when appropriate). Keep in mind that a tiger team operation is very different from a penetration test in terms of quality and quantity, as GNUCITIZEN mentions. A tiger team requires multiple unique skill sets (for example, a physical security specialist) and always requires multiple high-performance team members. Let's also not forget about timing and preparation. A tiger team operation and a penetration test should always be conducted unannounced, and to conduct the operation properly the team must be held to strict confidentiality. In regards to preparation, a tiger team operation may take weeks or months to prepare. Why so long? The longer the preparation time (meaning the reconnaissance phase), the closer you will get to simulating an actual attack on the selected targets. The real bad guys who want to do harm to your organization have the advantage of time...a tiger team must replicate this as closely as possible. There may be variations of a tiger team operation as well: some methods may or may not be needed depending on the scope and the target(s).

I am currently putting together a presentation for a conference later this year on how tiger team assessments work in a large corporate environment and how you can take these same concepts and use them either with an internal penetration testing program or for clients. More on this in the coming weeks. In the meantime, if you want to know what a tiger team operation/assessment is like...I recommend you check out the Tiger Team series that was on TruTV last year. You can find torrents and also view one of the episodes on the TruTV web site.

Backtrack 3 Released

Posted by: Tom


I'm sure you have already read this on other blogs...however, if you didn't get the news yet, Backtrack 3 was officially released last week on the PaulDotCom show. I know myself and others have been using the beta and have been looking forward to this final release. Here are some highlights as posted by Max Moser, one of the creators of Backtrack 3:

SAINT
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus on BackTrack 3.

Kernel
2.6.21.5. Yes, yes, stop whining....We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN'ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability
For the first time we distribute three different versions of Backtrack 3
- CD version
- USB version
- VMWare version

BackTrack 3 final download page is here.

Final Requests
We request the community to not mirror or torrent this release, or otherwise distribute it online without our knowledge. We are trying to gather statistics about bt3 downloads. If you would like to mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

If you would like to add a link to BackTrack downloads to your website, please use:

http://www.remote-exploit.org/backtrack_download.html as the download link.

Rants
Problems, fixes, bugs, opinions - should all end up in our Remote Exploit community forums, and our wiki.

Awesome that Maltego has been added to Backtrack! Safe to say that Maltego is the best Internet reconnaissance tool out there. Too bad about Nessus, but I hear SAINT is a good vulnerability scanner alternative (note that SAINT is a commercial product like Nessus, but they don't have a "home user" plugin feed like Nessus provides). Also, be sure to link to the Backtrack 3 download as Max specifies. Please don't torrent the iso, as they would like to track overall download statistics.

One final reminder: the Security Justice podcast will be interviewing Dave Kennedy of SecureState on the Fast-track script he developed. Fast-track is included in the Backtrack 3 distribution and is an integral part of using Backtrack 3 to its fullest potential. Look for this special edition podcast in the next week or so.

The Ethical Hacker Network: Interview with Ed Skoudis of Intelguardians

Posted by: Tom


Very good interview over at The Ethical Hacker Network with Ed Skoudis of Intelguardians. Ed talks about his career, how Intelguardians came to be, his new SANS 560 Course, and a little about his hacker challenges that he is famous for. I know several of the Intelguardians and I have a huge amount of respect for all of them. If you are just getting into information security or penetration testing, Ed is one person that should be a role model for your career.

According to the article's author, parts two and three will be with Johnny Long and HD Moore. Awesome stuff...this looks like a great series of interviews.

Nessus "registered" plugin feed to be discontinued

Posted by: Tom


I came across this post by Martin McKeay on the Network Security Blog today talking about changes to Nessus plugin feed licensing that Tenable will be starting July 31st. Martin makes some really good points and I recommend you read his post. Basically, as a corporate user you will need to pay for the new "ProfessionalFeed". A corporate user is classified as anyone who uses Nessus in a corporate environment, including MSSPs and security consultants (some exceptions apply for non-profits and charities). From the Nessus announcement:

"...Tenable’s “Direct Feed” will be re-named to the “ProfessionalFeed” and the “Registered Feed” will be discontinued. The ProfessionalFeed will entitle subscribers to the latest vulnerability and patch audits, configuration and content audits and commercial support for their Nessus 3 installation. The ProfessionalFeed will serve as Tenable’s commercial subscription and will be required for individuals and organizations that want to use Tenable’s Nessus plugins commercially."

Looks like you are now getting everything that you would have gotten if you were a previous "commercial" user including support for Nessus 3. Home users will still be allowed to download the free "HomeFeed".

My thoughts are that I personally get a ton of value out of Nessus...it's simply the most versatile vulnerability scanner out there (from a pentest and customization perspective especially). Now that it is going to this "pay for plugins" model it doesn't really change much for me...I think the Tenable guys do great work, and now that they will have more cash flowing in I would suspect the Nessus product offering will only get stronger.

Oh, and don't forget that Tenable is offering a limited time rebate for corporate users:

"Tenable is offering a 25 percent rebate for the Direct Feed subscription service (normally available at $1200 per year), beginning May 14, 2008 until July 31, 2008 only when purchased through Tenable’s e-commerce site."

New versions of fgdump and pwdump released

Posted by: Tom

The latest versions of fgdump and pwdump have been released by the foofus.net team. Looks like the most important change is that both tools support 64-bit targets. Here is the official announcement:

"The foofus.net team is pleased to announce updates to both fgdump (2.0.0) and pwdump (1.7.1), which incorporate a number of new features, the most significant of which is that both tools now support 64-bit targets.

We are also pleased to announce the creation of a mailing list for the purposes of tool support, bug reports, feature requests and new revision announcements. This mailing list currently covers fgdump, pwdump and medusa. Feel free to sign up at http://lists.foofus.net/listinfo.cgi/foofus-tools-foofus.net.
For all the details on the latest fgdump and pwdump releases, please visit their home pages:

http://www.foofus.net/fizzgig/fgdump
http://www.foofus.net/fizzgig/pwdump"


If you don't know what fgdump is and how it differs from pwdump: basically, fgdump attempts to shut down local anti-virus before dumping the password hashes, and it also pulls cached credentials. fgdump is a great tool if you still need to dump the hashes from a system; in a pentest I always like to conduct a password strength test for clients by running the hashes through John (large wordlist and incremental mode). Once you have the hash, you can also use a "pass-the-hash" utility like the one created by the foofus.net team (for Linux) or the one released by Core Security Technologies (for Windows).

Pen Test Documentation Strikes Back!

Posted by: Tom


John Sawyer over at Dark Reading put out a post about the importance of documentation as it relates to your pen tests. I couldn't agree more, as documenting your methodology, testing it, and even having it reviewed by your peers are all very important. I wrote a post a few months back about the importance of documentation and some of the best practices around how a team documents a pen test in progress. Even more important is having your basic testing methodology well documented.

Your testing methodology should be the cornerstone of any pen test. Without a sound, repeatable methodology it would be very difficult to show your client or organization the systematic approach you used to conduct your testing and how you achieved your results. Most penetration testers follow some form of the ISSAF or OSSTMM methodologies, and it's OK to deviate slightly since every company and organization does things differently.

The hard part, as John points out, is that no one wants to do documentation! It's time consuming and boring. Sure, we would all rather be out exploiting systems but you really need to think of the bigger picture here. Here are some basic suggestions:

- Talk about your methodology with your team after each and every pen test (even make this part of the last phase of the pen test). What went wrong? What went well? You can always make on-the-fly adjustments to your documentation if you need to, and it will foster better communication between your team members.

- Rotate the documentation review process from one team member to another. That way no one person is stuck updating and maintaining your documentation. Also, if you have a system where one person does all the reports for your pen tests...make sure this isn't the same person! That can lead to serious burnout (writing the reports can cause burnout as well, but that's another post entirely!).

- Schedule "documentation and tool review" sessions several times a year with your team. This is a great way for everyone on the team to provide feedback on the current testing process and methodology and make changes if necessary. Also, because tools are always being updated and new ones are being released, you should talk about adding or removing tools from your team's toolkit based on the needs of the team.

The need for a diverse toolkit and manual pen testing

Posted by: Tom

Some good discussions were posted on the SecLists.org penetration testing mailing list today. The following is an email from an apparently novice penetration tester regarding the use of CORE IMPACT in a penetration test:

"Hello, I am new to pen testing and am currently involved in doing an external pen test for one of our clients. We are doing it through Core Impact. Reconnaissance showed only port 80 as open and the web server running IIS 6.0. Core Impact did not find any vulnerabilities in the server and hence was unable to penetrate. The web application was also tested for SQL Injection and PHP remote file inclusion and did not find any vulnerabilities there either.

My question is what else can we do besides relying on Core Impact for this pen test. And what impression can a client get if we say to them that there are no vulnerabilities in your network or web app. It's difficult to digest something like that for a security specialist that everything's alright."


I know, I know...where do you possibly begin with this one right? :)

Some points to consider from this (as others on the list have pointed out). Never rely on one tool to conduct a penetration test. Sure, CORE IMPACT is an awesome tool and does provide a ton of value in a penetration test; however, CORE won't tell you all the vulnerabilities on a network, nor will it give you a comprehensive overview of the security posture of an organization. You have to use a diverse toolkit. Your toolkit should include a mix of commercial, open source and proprietary tools. Most proprietary tools take the form of custom-built scripts that make a penetration tester's job easier. Don't forget that the biggest asset in your toolkit is your brain! Sometimes you don't need any tools at all...think like a hacker, think of even the obscure ways to compromise a host. That is why there are penetration testing methodologies...each phase of a penetration test (from reconnaissance to exploitation) can reveal information to help you compromise a host/network/application and reveal vulnerabilities. Put your brain to work...it can be better than any tool out there.

CORE works extremely well to find "the easiest way" to get root or administrator access on a host. I did a few talks on automated penetration testing with CORE IMPACT and the Metasploit Framework over the last few months and I always mention that you can't fully automate a penetration test...there is a time and place for automated penetration testing but you still need manual, detailed testing.

Finally, you should provide your clients and/or organization with a comprehensive report of all the possible ways you found to compromise the network (within scope, of course). Yes, there are differences between a "vulnerability assessment" and a "penetration test"; however, even in a penetration test you still need to provide your client/organization with a report of all vulnerabilities found, rated by risk. Don't forget about the human element as well. Client-side phishing (which CORE does a great job of), calling users via telephone posing as a help desk employee, or other social engineering scenarios can all help determine the current security posture and get you access to hosts on the network.