We're deploying a new website, hosted ourselves. Short of getting in white hats how would you go about penetration testing from outside the network?
McAfee Secure offers a pretty decent scanning service that will look at the web server, network, and the web site itself in an automated, on-demand way. Their scanner is certified for PCI scans, so it's pretty comprehensive.
From Justin Scott -
Another option is Qualys. Keep in mind that Qualys and the mcAfee Secure solution are vulnerability scanners. Pen-testing can be automated with respect to scans, and some of it can be automated for XSS and SQL injection attacks, but ultimately, you'd want a reputable pentester checking the system.
Marko Carter : I *do* want a white hat in, the problem I have is that the company is reluctant to spend the money. In order to get the funding I need to expose any vulnerability first (chicken and egg, I know) therefore I ideally need a *free* solution in the first instance. Any ideas?
K. Brian Kelley : Free? Start with the basics you can do yourself: nmap (http://nmap.org/) to do a port and service scan and nikto (http://www.cirt.net/nikto2) to do a vulnerability scan.
From K. Brian Kelley -
The first thing would be a network scan. Since you're on the Windows stack, use Zenmap and scan the web server and both SQL servers. This will tell you about open ports and services running. Run Zenmap on the comprehensive test. I would use this info to tweak your firewall to block ports that are exposed.
Another thing you would want to do is look for SQL Injection vulnerabilities.
Scrawlr is a free software for scanning SQL injection vulnerabilities on your web applications.
It is developed by HP Web Security Research Group in coordination with Microsoft Security Response Center.
Check out this ScreenToaster video that I created. It demonstrates a simple network scan for sql server, port 1433, and a basic SQL Injection.
From jinsungy -
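An added example, not from the thread, of the follow-up step jinsungy describes: save the Zenmap/nmap scan as XML (`nmap -oX`), then compare the open ports against what each server is supposed to expose so the firewall changes come from a list rather than from eyeballing the GUI. The sample nmap XML and the allowlist below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for an Internet-facing web server (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical allowlist: the only ports the web server is meant to expose from outside.
EXPECTED_OPEN = {"192.0.2.10": {("tcp", 80), ("tcp", 443)}}


def open_ports(xml_text):
    """Return {addr: {(proto, port), ...}} for every port nmap reports as 'open'."""
    result = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        found = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                found.add((port.get("protocol"), int(port.get("portid"))))
        result[addr_el.get("addr")] = found
    return result


def unexpected_open_ports(xml_text, expected):
    """Open ports the allowlist does not permit; each is a candidate for a firewall block rule."""
    report = {}
    for addr, ports in open_ports(xml_text).items():
        extra = ports - expected.get(addr, set())
        if extra:
            report[addr] = extra
    return report


if __name__ == "__main__":
    for addr, ports in unexpected_open_ports(SAMPLE_NMAP_XML, EXPECTED_OPEN).items():
        for proto, port in sorted(ports):
            print(f"{addr}: {proto}/{port} is open but not in the allowlist")
```

Run it against your own scan with `open(...).read()` in place of the sample; a SQL Server port such as 1433 showing up here means the database is reachable from outside and the firewall rule should be tightened.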
The whitehat consultants I've seen come in & use this tool then send you a massive bill.
Take a look at OWASP (Open Web Application Security Project); they're very informative & free! They have a very detailed pen-testing guide that you must look at.
jinsungy : that's pretty expensive.
From Nick Kavadias -
Tools that I would use
and Nessus
also quick scanning for XSS and HTML Injection http://www.seoegghead.com/tools/scan-for-html-injection.seo also http://www.cirt.net/nikto2
Make sure you have looked at this during your development OWASP
You need to also check the Security Guidance from MS Windows Server 2008 Security Guide
K. Brian Kelley : The problem with Nessus is that the feed is no longer free unless you're a home user. http://nessus.org/plugins/index.php?view=feed -
Top 10 list of vulnerability scanners: http://sectools.org/vuln-scanners.html
There's also Microsoft's Baseline Security Analyzer which should be part of your base setup if it's not already before you deploy a server to prod: http://www.microsoft.com/downloads/details.aspx?familyid=F32921AF-9DBE-4DCE-889E-ECF997EB18E9&displaylang=en
From SQLChicken -
Nikto is a nice start to look for well known vulnerabilities. Works on Windows and Linux, etc. Simple enough even for noobs like me :)
From DougN -
Regardless of the technology you need to know the threats. You need to know what is the data that you are trying to protect? You need to know how your website works. Do a threat model first forgetting about these magical security bullet technology methods. You need to figure out where you are at before you spend wasteless money on a penetration test.
Matt Parsons CISSP mparsons1980 [at] gmail.com
Actually I'm the main creator of a new pentest LiveCD distro, which is a fork of Backtrack 4. The distro embeds everything needed to make good penetration tests (OpenVAS, Metasploit, fasttrack, milw0rm exploits...). Its name is shadowcircle, and you can check it out @
Hope you'll like it ;)
There is a variety of public license tools out there at your disposal; however, where I operate, we use Firefox and Paros Proxy to manipulate POSTs and GETs, WebInspect for application vulnerability reporting, and QualysGuard Enterprise for a good old fashioned hosts scan. Depending on what the results are, we make adjustments to the configuration and security posture of the box, create risk acceptance forms for things we cannot change, or engage other tools to decide whether or not a finding is actually something to be worried about.
Free Nikto, Nmap, OpenVas vulnerability scans available online from this website