GuidelinesDraft
|
Size: 1368
Comment:
|
← Revision 9 as of 2008-08-06 16:18:30 ⇥
Size: 1404
Comment: converted to 1.6 markup
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 3: | Line 3: |
| Line 4: | Line 5: |
| Line 5: | Line 7: |
| Line 6: | Line 9: |
| Line 8: | Line 12: |
| Line 9: | Line 14: |
| Line 10: | Line 16: |
| Line 12: | Line 19: |
| Line 13: | Line 21: |
| Line 14: | Line 23: |
| Line 16: | Line 26: |
| Line 17: | Line 28: |
| Line 19: | Line 31: |
| Line 20: | Line 33: |
| Line 21: | Line 35: |
| Line 22: | Line 37: |
| Line 24: | Line 40: |
| Line 25: | Line 42: |
Ubuntu White Hat - Modus operandi DRAFT
STEP 1
0. portscan IP address (with the help of nmap, nessus, etc..)
1. investigate active services and daemons
2. investigate webapps in use
STEP 2
0. Run a search through CVE Archives with the found services and active daemons running on the computer
1. Run a search through CVE Archives with the webapps used
STEP 3
0. Penetration test with active services and daemons found to be vulnerable through CVE, only non-desctructive ones (no Denial-of-Service tests)
1. Penetration test with used webapps found to be vulnerable through CVE, only non-desctructive ones (no Denial-of-Service tests)
STEP 4
0. Auditing of used daemons and webapps
STEP 5
0. In case a 0day will be found, mail the Ubuntu pentest private mailing list to organize and help writing the bugfix and eventual Advisory
1. Write definitive report with "UWHA" (Ubuntu White Hat Anteater) and send it to Launchpad, in case of vulnerability attach screenshot and POC.
2. Automatically subscribe to launchpad bug the team that handles that specific infrastructure and in case the package is in Ubuntu mirrors and it's still not fixed, then subscribe Security Team (main) or MOTU Swat (universe)
STEP 6
0. Get in touch with the team responsible for the infrastructure for eventual DoS tests.
UbuntuPentest/GuidelinesDraft (last edited 2008-08-06 16:18:30 by localhost)