How to perform a network security, penetration and vulnerability test?

I need to perform network intrusion and penetration testing.  I need some ideas on what "tools" such as software would work.  I am the network administrator and just recently underwent an IT audit, and this was one issue that always gets me.  No testing.

Since I am the network admin, and I know all the hardware & passwords, it is a little hard for me to just sit down and do this type of testing.  First, I can not find anyone in my local area who does this type of work.  Second, the people I would get - Do I really trust their testing ??

Let's say I'm Joe the Hacker and I gain access to my network.  I take my laptop and plug into a network jack.  What do I do?  Being the hacker, I do not know anything about this network.  (The network does have static IPs.)  The hacker does not have physical access to any network equipment, such as the servers, Cisco router, PIX or switches.  All the hacker has would be his laptop and maybe a local Windows XP Pro workstation.

So what do we do to get started to find anything?

Hutch_77 commented:
Sam Spade is a good tool to test from the outside... but if you really want to test, google PCI compliance testing.  There are loads of companies that do it and can do it from anywhere.  They are trustworthy, as their businesses are relying on trust, as is their freedom.  REQUIRE a non-disclosure agreement and have a lawyer look it over.
rahowell2 (Author) commented:
That local workstation is locked down, either by the user logging out or it could be just sitting there at the log-in screen.
m_walker commented:
While not the answer about what tools, keep in mind that part of an audit is also to test that things work the way they are configured.  So some of your testing should be around the config.

eg: If you have a public wifi network that you allow to surf, but it must go via your proxy server and must not be able to connect to your admin network... how are you going to test it?  Hacking is one way, but you can also check that your rules and ACLs work.

In my example, connect a computer to the wifi network and don't set any proxy settings: can you surf, can you ping, can you hit an admin server... ie: does it stop what you think it should stop?

If data is meant to be encrypted, run wireshark and check it.

My key point is: form a plan to test your rules and document the results.  List all the areas that failed your test and put an action against each to correct it, then check it off when corrected.   This does not rule out other hacking-type testing, but it will go a long way for your next audit.

I have seen a lot of systems where outside people set them up.  Their job is to make it work, not make it safe as such; even though the design said "set up such that..." it was not done.  So we test what should happen to ensure it works as it should.

If you are trying to hack into something you look for weak points.  Search the net for default passwords for your systems and services and see if they work... there could be a back door password you don't know of.  I had a wifi device that no one knew the password for.  I ran a port scan and it showed the SNMP port as open.  So I connected via SNMP with "public" and bingo, got data out.  I connected with "private" and again got data out.  I did an SNMP walk and scanned the log and found a few things that looked like passwords in the clear, and the 2nd one tried worked.  So while the device had a password on it, SNMP provided the back door.  Some/most devices won't store the password in the clear, nor allow you to get it via SNMP now, but can allow you to change it via SNMP if you have read/write.

Use a tool like nmap (Zenmap gives a Windows GUI version) to learn about the hosts.

eg: From one of my boxes, it tells me a bit about the box... did I know squid was running, did I know ssh was running, is this correct...

I am sure others will have lots of good tools and ideas.

Sample nmap output:

Initiating NSE at 14:05
Completed NSE at 14:05, 0.44s elapsed
Host appears to be up ... good.
Interesting ports on
Not shown: 995 closed ports

22/tcp    open  ssh        OpenSSH 3.6.1p2 (protocol 1.99)
|_ sshv1: Server supports SSHv1
|  ssh-hostkey: 1024 b5:e4:d8:b2:f6:5f:5f:3d:31:41:d9:79:a5:98:a7:77 (RSA1)
|  1024 5b:13:82:47:e5:9e:fd:ee:d1:a9:8e:56:57:0e:e4:24 (DSA)
|_ 1024 ce:b8:fc:47:38:3b:f8:b5:54:fc:b3:88:81:64:88:f2 (RSA)
53/tcp    open  domain     ISC BIND 9.2.3
80/tcp    open  http-proxy Squid webproxy 2.5.STABLE5
111/tcp   open  rpcbind
|  rpcinfo:
|  100000  2    111/udp  rpcbind
|  100024  1  32768/udp  status
|  100000  2    111/tcp  rpcbind
|  100024  1  32769/tcp  status
|_ 391002  2  32770/tcp  sgi_fam
32769/tcp open  rpcbind
MAC Address: 00:0B:DB:94:A1:8C (Dell ESG Pcba Test)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.5 - 2.6.12, Linux 2.6.5 - 2.6.19, Linux 2.6.5 - 2.6.9
Uptime guess: 24.343 days (since Mon Feb 28 05:51:30 2011)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=205 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 10.08 seconds
           Raw packets sent: 1020 (45.640KB) | Rcvd: 1016 (41.372KB)
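m_walker's advice comes down to two things: compare what a scan shows against what the design documents say should be listening, and keep a written record of every deviation. The script below, an added example written for this page rather than anything m_walker or the nmap project provides, does exactly that for the normal-format nmap output quoted above. It parses the port table (attaching NSE script lines such as the `sshv1` note to the port they belong to), compares the open ports against a documented baseline, and flags two conditions a bank's auditor would expect to see caught: ports that are open but not in the baseline, and a host that still offers SSH protocol 1. The baseline dictionary and the trimmed scan text are constructed for the example; the real baseline would come from the network's own design documents.

```python
import re

# Constructed sample input: the port table from the nmap output quoted in the post above.
SAMPLE_SCAN = """\
Not shown: 995 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 3.6.1p2 (protocol 1.99)
|_ sshv1: Server supports SSHv1
53/tcp    open  domain     ISC BIND 9.2.3
80/tcp    open  http-proxy Squid webproxy 2.5.STABLE5
111/tcp   open  rpcbind
|  rpcinfo:
|  100000  2    111/udp  rpcbind
|  100024  1  32768/udp  status
|_ 391002  2  32770/tcp  sgi_fam
32769/tcp open  rpcbind
"""

# Hypothetical documented baseline for this host: the services the design says should listen.
# In practice this comes from the firewall/ACL design and the server build sheet.
BASELINE = {(22, "tcp"): "ssh", (53, "tcp"): "domain", (80, "tcp"): "http-proxy"}

# One nmap port line: "22/tcp    open  ssh        OpenSSH 3.6.1p2 (protocol 1.99)"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(scan_text):
    """Parse nmap normal output into {(port, proto): {state, service, version, notes}}.

    NSE script lines (starting with '|') are attached as notes to the port they follow."""
    ports = {}
    current = None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            current = (int(port), proto)
            ports[current] = {"state": state, "service": service,
                              "version": version or "", "notes": []}
        elif line.startswith("|") and current is not None:
            ports[current]["notes"].append(line.lstrip("|_ ").strip())
    return ports


def review_scan(scan_text, baseline):
    """Compare observed open ports with the documented baseline and flag known-weak services.

    Returns a dict with three lists so each item can be copied into the action register:
    unexpected (open but undocumented), missing (documented but not open), findings."""
    ports = parse_ports(scan_text)
    open_ports = {k: v for k, v in ports.items() if v["state"] == "open"}
    unexpected = sorted(k for k in open_ports if k not in baseline)
    missing = sorted(k for k in baseline if k not in open_ports)
    findings = []
    for key, info in sorted(open_ports.items()):
        detail = " ".join([info["version"]] + info["notes"])
        # "protocol 1.99" means the daemon negotiates SSHv1 as well as SSHv2; the NSE
        # sshv1 script confirms it. SSHv1 is the kind of legacy setting an audit asks about.
        if "SSHv1" in detail or "protocol 1.99" in detail:
            findings.append((key, "legacy SSH protocol 1 offered"))
        # SNMP in the baseline or not, m_walker's story shows default community
        # strings need to be verified whenever the service is reachable.
        if info["service"] == "snmp":
            findings.append((key, "SNMP reachable: verify community strings are not defaults"))
    return {"unexpected": unexpected, "missing": missing, "findings": findings}


def format_report(result):
    """Render the review as lines suitable for the test log the audit wants to see."""
    lines = []
    for port, proto in result["unexpected"]:
        lines.append(f"FAIL  {port}/{proto} open but not in baseline")
    for port, proto in result["missing"]:
        lines.append(f"FAIL  {port}/{proto} in baseline but not open")
    for (port, proto), msg in result["findings"]:
        lines.append(f"WARN  {port}/{proto} {msg}")
    if not lines:
        lines.append("PASS  observed services match baseline")
    return lines


if __name__ == "__main__":
    for line in format_report(review_scan(SAMPLE_SCAN, BASELINE)):
        print(line)
```

Run against the quoted scan, the report lists 111/tcp and 32769/tcp as open-but-undocumented (the rpcbind listeners m_walker did not know about) and warns that 22/tcp still offers SSHv1. Feeding it saved `nmap -oN` output for each host on a schedule gives the regular, documented evidence the auditors keep asking for, and a line that changes from PASS to FAIL is the trigger for an action item.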


andrewglendean commented:
My humble opinion is that you can't do your own pen testing. This needs to be an independent assessment / test.

What your terminology needs to reflect is what is really required of your position, and that is vulnerability management.

There are plenty of solutions to help an admin gauge the security of their environments, NESSUS and GFI LANGUARD to name but a few. You need to show your security posture on a more regular basis in reporting to management. This will help drive the need for resourcing to remediate issues as they are found, rather than upskilling to a pen test.

This is probably the best pragmatic way to get results and quickly reduce the number of attack vectors in your environment.
rahowell2 (Author) commented:
To all so far:

Thanks for your input.  I'm still trying to put the pieces of this puzzle together.

I'm contracted by a bank for this aforementioned issue.  Of the various agencies that do the IT evaluations, audits, examinations and reviews, I can never get a straightforward answer.  That is, yes, the auditors are doing their jobs, but the questions they pose are so vague.  And when I inquire just exactly what they are looking for or want, I still cannot get a sensible answer.  Even the bank's officers have posed these questions for me and they still get the same thing: the run-around.

I guess that I am looking for a systematic way to document and prove that things are working, or not working, correctly and that the system/network is as secure as it can or should be, short of removing all computers from the bank and locking everyone in a windowless room.

Keep the ideas coming !!!        Thanks
