Sunday, September 15, 2013

Why pen testers need training similar to criminal investigation

In a real-world black box pen test you never know what you are going to come up against, as every one of these tests may present different challenges. Conventional training cannot adequately prepare you for any type of pen testing, because unknown examples cannot be taught. The successful pen tester needs to develop the mindset of the criminal investigator.

Let's take a look at some conventional training examples: www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi. This Windows XP exploit appears in virtually every pen testing training course available.
So you are OK if your black box pen test is against an old XP system that has not been patched for this vulnerability. What if this is not the case? Another training example: you are given a URL and two usernames, and told that the password consists only of the lower-case letters a, b and c, five characters long, such as aaabc, abbbc, cccca, etc. The challenge is to find the correct username and password and log in to the challenge website. The training shows how to use the tools "crunch" and Burp Suite, and perhaps some others, to solve the challenge. But how many times in a pen test are you given this much information, not to mention such weak passwords? I think you get the drift: the training available, and its challenges, do not really represent what you will face in the "real world."

So what does criminal investigation have to do with pen testing? Training in criminal investigation procedures would help to develop the investigator's mindset: every criminal case, and therefore every pen test, is unique and you start from ground zero. You begin by assuming nothing; everything is suspect. Then you start eliminating avenues to pursue. You gather facts, not assumptions. You use the facts to arrive at the most reasonable and probable conclusions the facts point to. Despite the ease of cracking passwords and of getting a "shell" in pen test training demos, this is not the case in the real world. That is why it is necessary to approach each pen test as if you are, in fact, investigating a criminal case, and training in criminal investigative techniques can surely help a pen tester be successful.

Sunday, September 8, 2013

Some things about the US Government that are really, really pissing me off

Article about NSA at the following URL: http://news.yahoo.com/nsa-never-takes-no-answer-220344825.html  and at:   http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html

and

Lack of hard physical evidence that Assad used chemical weapons.

The US has no hard physical evidence.  I have called my Senator and voiced my opinions.  Please do the same.

Friday, September 6, 2013



Using Nmap and Metasploit to query for possibly vulnerable verb methods in the HTTP protocol:




NMAP:  The http-methods script in Nmap can be used to determine the HTTP verbs a web server allows. The Nmap syntax is "nmap --script http-methods <URL/domain name/IP address> -n -p 80".

METASPLOIT:  The syntax for Metasploit is: "msfconsole> use auxiliary/scanner/http/options; set RHOSTS <IP address>; run". (The module option is RHOSTS, as the "show options" output below confirms.) Metasploit's auxiliary/scanner/http/options module accomplishes about the same thing as the Nmap script.

METASPLOIT AUXILIARY SCAN:  The following shows the Metasploit module "auxiliary/scanner/http/options" run against a website, revealing the HTTP verbs the web server allows. The output shows that my website www.butleritsec.com allows GET, POST, OPTIONS, and HEAD.

The Metasploit scan against scanme.nmap.org (74.207.244.221) also shows that the website allows the following HTTP verbs: GET, POST, OPTIONS, HEAD.

Next we ran a scan against www.google.com, and the scan shows that the methods are not revealed. The administrator has chosen not to reveal the HTTP verb methods the website uses. So we may conclude that only GET and POST methods are allowed.

NMAP SCAN: Next we run the Nmap script http-methods against the same websites and get the same results as Metasploit.
*********************************************
snip....snip..........snip.........snip........

START OF METASPLOIT SCANS:

root@kali:~# msfconsole

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > show options

Module options (auxiliary/scanner/http/options):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS                    yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host


msf auxiliary(options) > set rhosts 72.167.131.10

rhosts => 72.167.131.10 (butleritsec.com)
msf auxiliary(options) > run
[*] 72.167.131.10 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
*************************************************
snip....snip...........snip.........snip......

msf auxiliary(options) > set rhosts 74.207.244.221
rhosts => 74.207.244.221 (scanme.nmap.org)
msf auxiliary(options) > run

[*] 74.207.244.221 allows GET,HEAD,POST,OPTIONS methods
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(options) >
********************************
snip.......snip..........snip...

root@kali:~# nmap --script http-methods google.com -n -p 80

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-06 11:07 CDT
Nmap scan report for google.com (74.125.227.136)
Host is up (0.0034s latency).
Other addresses for google.com (not scanned): 74.125.227.130 74.125.227.142 74.125.227.134 74.125.227.129 74.125.227.133 74.125.227.137 74.125.227.135 74.125.227.131 74.125.227.132 74.125.227.128
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: No Allow or Public header in OPTIONS response (status code 405)

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
root@kali:~#
***************************
snip............snip..............snip.........

root@kali:~# nmap --script http-methods scanme.nmap.org -n -p 80

Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-06 11:10 CDT
Nmap scan report for scanme.nmap.org (74.207.244.221)
Host is up (0.0085s latency).
PORT   STATE SERVICE
80/tcp open  http
|_http-methods: GET HEAD POST OPTIONS

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
root@kali:~#
***************
END OF SCANS:

Thursday, September 5, 2013

FINGERPRINTING A WEB SERVER USING CURL AND NETCAT

Use Kali Linux and the tools "curl" and "netcat", which are installed by default in Kali Linux.
This will show whether port 80 is open on the web server. It will show the server brand, i.e. Apache, IIS, etc. It will also show the IP address. The only things you need are Kali Linux open to a command shell and the target's hostname, URL or domain name. The queries below show first the use of curl and, below that, the use of netcat (nc). I ran curl against my own website, butleritsec.com. The query shows port 80 is open and that both curl and netcat connect. My website IP is shown as 72.167.131.10, and both curl and netcat show my server to be Apache. This gives you some useful fingerprinting information.

QUERY USING CURL:
root@kali:~# curl -v www.butleritsec.com

Response:
* About to connect() to www.butleritsec.com port 80 (#0)
*   Trying 72.167.131.10...
* connected
* Connected to www.butleritsec.com (72.167.131.10) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: www.butleritsec.com
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Thu, 05 Sep 2013 19:58:14 GMT
< Server: Apache
< Accept-Ranges: bytes
< Content-Length: 31820
< Content-Type: text/html
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

    ********snip-snip-snip***************

QUERY USING NETCAT (nc)

root@kali:~# nc butleritsec.com 80
get / http/1.0
host: butleritsec.com


Response:
HTTP/1.1 301 Moved Permanently
Date: Thu, 05 Sep 2013 20:12:29 GMT
Server: Apache
Location: http://www.butleritsec.com/
Content-Length: 304
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://www.butleritsec.com/">here</a>.</p>
<hr>
<address>Apache Server at www.butleritsec.com Port 80</address>
</body></html>
root@kali:~#
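The OPTIONS scans in the September 6 post and the curl/netcat fingerprinting above both come down to reading the head of a raw HTTP response: the status line, the Server banner, a redirect Location, and the Allow (or Public) header that lists the permitted methods. The following parser is an added example, not code from the original post or from Nmap or Metasploit. The sample responses are constructed to mirror the ones shown above; the hostnames and the "example-frontend" banner in them are placeholders, and the `options_probe` helper (a raw-socket version of the request typed into netcat) is an assumption about how you would feed live responses into the parser, not something the post ran. One design point: when OPTIONS comes back 405 with no Allow or Public header, as for google.com above, the parser reports the methods as "not disclosed" rather than inferring a list, because a withheld header says nothing about which methods the server actually accepts.

```python
# Added example (not from the original post): parse the head of a raw HTTP
# response the way the curl, netcat and OPTIONS scans above produce it.
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class HttpFingerprint:
    status: int                    # numeric code from the status line
    server: Optional[str]          # Server header, or None if the server hides it
    location: Optional[str]        # Location header on redirects
    methods: Optional[List[str]]   # Allow/Public methods, or None if not disclosed


def parse_response(raw: bytes) -> HttpFingerprint:
    """Parse status line and headers of a raw HTTP/1.x response; the body is ignored."""
    # Headers end at the first blank line; tolerate bare-LF servers as well.
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        head = raw.partition(b"\n\n")[0]
    lines = head.decode("iso-8859-1").splitlines()
    if not lines:
        raise ValueError("empty response")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue               # skip malformed or continuation lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()

    methods = None
    for name in ("allow", "public"):   # the same two headers Nmap's script reports on
        if name in headers:
            methods = [m.strip().upper() for m in headers[name].split(",") if m.strip()]
            break
    return HttpFingerprint(status, headers.get("server"), headers.get("location"), methods)


def summarize(fp: HttpFingerprint) -> str:
    """One-line summary in the spirit of the Nmap http-methods output."""
    server = fp.server or "(no Server header)"
    if fp.methods is None:
        return f"{server}: no Allow or Public header (status {fp.status}); methods not disclosed"
    return f"{server}: allows {','.join(fp.methods)}"


def options_probe(host: str, port: int = 80, timeout: float = 5.0) -> HttpFingerprint:
    """Assumed helper: live OPTIONS request over a raw socket, like the netcat exchange above."""
    request = f"OPTIONS / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample responses modelled on the ones shown in the post
# (placeholder hostnames and banners, not captured traffic).
SAMPLE_OPTIONS_ALLOW = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 06 Sep 2013 16:10:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OPTIONS_NOT_DISCLOSED = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Server: example-frontend\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: Apache\r\n"
    b"Location: http://www.example.com/\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
    b"<html><body>Moved</body></html>"
)

if __name__ == "__main__":
    for sample in (SAMPLE_OPTIONS_ALLOW, SAMPLE_OPTIONS_NOT_DISCLOSED, SAMPLE_REDIRECT):
        print(summarize(parse_response(sample)))
```

Run as-is it prints one summary line per constructed sample; the same `parse_response` works on the bytes netcat returns, and the 301 sample shows why the netcat query above got a redirect to the www host rather than page content.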


Wednesday, September 4, 2013

PENTESTING JOB-USDA FEDERAL GOVT-US CITIZENS ONLY




Senior Web Application Penetration Tester/Certified Ethical Hacker
Chameleon Integrated Services, St. Louis, MO
Position Description: Federal Government Contractor Job at USDA
The successful candidate will perform application-based security vulnerability assessments and penetration tests in accordance with industry-accepted methods and protocols.
Projects may include:
Performing vulnerability scanning and assessments
Performing application penetration tests across public and private networks
Performing assessments of security awareness training using social engineering
Developing testing scripts and procedures
Other security-related projects that may be assigned according to skill
Requirements:
The successful candidate MUST meet the following requirements:
Minimum of 5 years work experience performing security penetration tests or internal technical security audits.  (Past experience testing in support of the Federal Government highly desired)
Minimum of 5-7 years of IT experience
Strong ethics and understanding of ethics in business and information security
Proficient English language written and oral communication skills
Investigative skills
Experience with exploitation frameworks (e.g., MetaSploit, Core Impact, Canvas)
Understanding and familiarity with common penetration testing methods and standards
Understanding of security issues on both Microsoft and *NIX operating systems

Ability to complete tasks and deliver professionally written reports for clients
Ability to present and articulate findings to technical staff and executives
Possess current security certifications (e.g., CISSP, CEH)
Must be able to pass a background check
Must be qualified to work in the U.S.
Optional Requirements:
The successful candidate SHOULD meet these additional requirements as a plus:
Degree in either Computer Engineering, Computer Science, or Information Systems Management
Experience with vulnerability scanning tools (e.g., Qualys, Nessus, Nexpose, Saint)
Experience with web application vulnerability scanning tools (e.g., IBM AppScan, HP Webinspect, Accunetix, NTO Spider, Burpsuite Pro)
Experience with static analysis tools (e.g., IBM Appscan Source, HP Fortify)
Experience with high level programming languages (e.g., Java, C, C++, .NET (C#, VB))
Experience with web application development (e.g., ASP.NET, ASP, PHP, J2EE, JSP)

$57.00/hour - 25 days PTO and full benefits
$58.50/hour - 20 days PTO and full benefits
$66.00/hour - no benefits; employee can participate in our 401(k) plan

The staff is currently allowed to work one day per week remotely. A few people work 10 hour days as well. This position is located at 4300 Goodfellow. The candidate would need to be able to pass the background investigation including fingerprinting for USDA.



Tuesday, September 3, 2013

An interesting little trick: Google the following: "How to enable or disable Vista task manager manually in Vista registry". The top result is:

Task Manager - Enable or Disable - Vista Forums
www.vistax64.com/.../103275-task-manager-enable-disable.htm...
by Shawn Brink, Nov 1, 2007 - How to Enable or Disable Task Manager in Vista and Windows 7. Information: If you find that the Task Manager option is grayed out (disabled) ...