GuidelinesDraft

Differences between revisions 4 and 9 (spanning 5 versions)
Revision 4 as of 2008-02-29 22:29:55
Size: 3582
Editor: bismuth
Comment:
Revision 9 as of 2008-08-06 16:18:30
Size: 1404
Editor: localhost
Comment: converted to 1.6 markup
Line 1: Line 1:
= Brainstorm =

'''keescook''':
 * keep vulns private until fixed
 * people can be team members if they agree to abide by those guidelines

'''nxvl''':
 *not to use dangerous tests, which tools to use
 *not to touch anything if you gain access
 *not to break anything

'''mra''':
 *gpg sign something (guidelines)
 *register that you agreed to it (guidelines)

'''jdstrand''':
 *gpg signed the contents of an email message
 *it's important from a mindset point of view, as well as potentially legal

'''andrea-bs''':
 * gpg sign the content of the reports
 * discuss with other members before doing something dangerous
Ubuntu White Hat - Modus operandi '''DRAFT'''
Line 25: Line 4:
= Ubuntu Pentest Code of Conduct (Draft) = '''STEP 1'''
Line 27: Line 6:
== Introduction ==
"A white hat hacker, also rendered as ethical hacker, is, in the realm of information technology, a person who is ethically opposed to the abuse of computer systems. Realization that the Internet now represents human voices from around the world has made the defense of its integrity an important pastime for many. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them." ''http://en.wikipedia.org/wiki/Ethical_hacker''
0. portscan IP address (with the help of nmap, nessus, etc..)

1. investigate active services and daemons

2. investigate webapps in use
Line 31: Line 13:
== Ground Rules ==
This Code of Conduct covers your behaviour as a member of the Ubuntu Pentest
team, in any forum, mailing list, wiki, web site, IRC channel, install-fest,
public meeting or private correspondence. The Ubuntu Community Council will
arbitrate in any dispute over the conduct of a member of the team. In this
document COMPANY refers to Canonical Ltd and its subsidiaries. COMMUNITY
refers to ubuntu.com hosts and subdomains.
'''STEP 2'''
Line 39: Line 15:
'''Do no harm.''' Your actions could affect many people and care must be taken
to not adversely affect the COMMUNITY and the COMPANY. Causing a COMMUNITY
and/or COMPANY service or machine to crash, perform suboptimally, or do actions
outside the intended use of the service or machine is strictly prohibited.
If you acquire access to the service or machine outside the scope of its
intended use, all further action related to said access should be immediately
stopped and reported.
0. Run a search through CVE Archives with the found services and active daemons running on the computer
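Review bot: The removed "Do no harm" paragraph carried the rule that, on gaining access outside a service's intended use, "all further action related to said access should be immediately stopped and reported", and the STEP list that replaces it has no equivalent stop condition. Suggest keeping that sentence, for example as an item under STEP 3, so the limit on what happens after access is gained stays written down.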
Line 47: Line 17:
'''Be responsible.''' All communications regarding penetration testing on
COMMUNITY and COMPANY computing services must be done on the private
ubuntu-pentest mailing list, and all vulnerabilities must be disclosed
immediately on Launchpad.net with both the security and the private flags
enabled (ie non-public). Under no circumstances should non-public information
about the COMMUNITY or the COMPANY be disclosed in a public forum.
1. Run a search through CVE Archives with the webapps used
Line 54: Line 19:
'''Coordinate with others.''' All penetration testing on COMMUNITY and/or COMPANY
computing services must be by approved by and coordinated with a COMPANY
employee or COMMUNITY member responsible for said service.
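Review bot: Dropping "Coordinate with others" removes the requirement that all testing be approved by and coordinated with the person responsible for the service; in the new text the responsible team is contacted only in STEP 6, and only for DoS tests. Suggest adding an approval item ahead of the STEP 1 portscan so that authorization comes before any scanning.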
Line 58: Line 20:
'''Be private.''' All communications regarding coordination of penetration
testing on COMMUNITY and COMPANY computing services must be done on the private
ubuntu-pentest mailing list. All information regarding a vulnerability on
COMMUNITY and/or COMPANY computing services must be done in the private bug report
on Launchpad.net. Under no circumstances should non-public information about
the COMMUNITY, the COMPANY or a vulnerability be disclosed in a public forum.
'''STEP 3'''
Line 65: Line 22:
'''When you are unsure, ask for help.''' Nobody knows everything, and a lot
of care, thought and coordination must happen to responsibly conduct
penetration testing. If you find yourself in a situation where you are unsure
of how to proceed, please ask another Ubuntu Pentest member before proceeding.
0. Penetration test with active services and daemons found to be vulnerable through CVE, only non-desctructive ones (no Denial-of-Service tests)

1. Penetration test with used webapps found to be vulnerable through CVE, only non-desctructive ones (no Denial-of-Service tests)


'''STEP 4'''

0. Auditing of used daemons and webapps


'''STEP 5'''

0. In case a 0day will be found, mail the Ubuntu pentest private mailing list to organize and help writing the bugfix and eventual Advisory

1. Write definitive report with "UWHA" (Ubuntu White Hat Anteater) and send it to Launchpad, in case of vulnerability attach screenshot and POC.

2. Automatically subscribe to launchpad bug the team that handles that specific infrastructure and in case the package is in Ubuntu mirrors and it's still not fixed, then subscribe Security Team (main) or MOTU Swat (universe)


'''STEP 6'''

0. Get in touch with the team responsible for the infrastructure for eventual DoS tests.
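Review bot: STEP 5 item 1 sends the report, screenshot and POC to Launchpad but no longer says the bug must be filed with "both the security and the private flags enabled", which the removed "Be responsible" paragraph required. Suggest restating that requirement in item 1 so the report is not filed as a public bug by default.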

Ubuntu White Hat - Modus operandi DRAFT

STEP 1

0. portscan IP address (with the help of nmap, nessus, etc.)

1. investigate active services and daemons

2. investigate webapps in use

STEP 2

0. Run a search through CVE Archives with the found services and active daemons running on the computer

1. Run a search through CVE Archives with the webapps used

STEP 3

0. Penetration test with active services and daemons found to be vulnerable through CVE, only non-destructive ones (no Denial-of-Service tests)

1. Penetration test with used webapps found to be vulnerable through CVE, only non-destructive ones (no Denial-of-Service tests)

STEP 4

0. Auditing of used daemons and webapps

STEP 5

0. If a 0day is found, mail the Ubuntu pentest private mailing list to organize and help write the bugfix and eventual advisory

1. Write the definitive report with "UWHA" (Ubuntu White Hat Anteater) and send it to Launchpad; in case of a vulnerability, attach a screenshot and POC.

2. Automatically subscribe the team that handles that specific infrastructure to the Launchpad bug; if the package is in the Ubuntu mirrors and is still not fixed, then subscribe the Security Team (main) or MOTU Swat (universe)

STEP 6

0. Get in touch with the team responsible for the infrastructure for eventual DoS tests.

UbuntuPentest/GuidelinesDraft (last edited 2008-08-06 16:18:30 by localhost)