Sunday, March 9, 2008

Observations on pen testing not in all those hacking books

I just got back from an assessment and wanted to do a real cool "Day in the life" type post. Unfortunately the customer was a pain in the ass (see #2), so no cool "how I owned" post. Check g0ne's blog for that. But here are a couple observations that aren't in any of those hacking books.

-Even though you were invited by someone in that organization to make security better, there are plenty of people in that organization who DIDN'T invite you and don't want you there. Especially if it requires them doing some work to get you IP space or a place to put all your gear, or just requires them to get off their ass in general. Not to mention you are there to see how good a job they have been doing, and if they haven't been doing a good job...

-Be prepared to be blamed for any and all network issues that arise while you are there doing your assessment, even if you are out to dinner :-) The customer had a network outage occur while I was at dinner. Now even though DoS was not in the scope, instead of the admins actually doing some work to determine the cause of the outage, I was immediately blamed for doing a Denial of Service attack on the subnet. Apparently from outside the firewall AND through my phone AND while I was at dinner AND able to make this happen on a non-public network. How's that for some kung fu!

-Be prepared for that person who invited you in #1 to not be real thrilled when you succeed. In fact, be prepared for them to be really pissed when you do your low-tech hacking into their secure building or totally own their network.

The rest of this probably is in some hacking book

-If you share IP space with people, buildings, and computers you have no control over, you may want to treat all traffic from those things into your network as hostile. Blindly trusting data and traffic coming from computers based on their IP address alone has never been a good thing and still isn't.

-Other things for the do-not-do list:
* Do not broadcast your virtual meetings via VNC without authentication, especially if you blindly trust IPs in your range that you don't control. Watching briefings and meetings through unauthenticated VNC sessions is always fun.
* LM hashes are just bad in so many ways I can't even start, especially if your patch policy is bad.
* A password policy with no complexity, length, or age requirements isn't much of a password policy.
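A defender-side check for the LM hash point above, added here as an example and not part of the original post: it reads pwdump-style lines (`user:rid:lmhash:nthash:::`) from an export of your own domain and reports which accounts still store an LM hash, flagging those whose password is 7 characters or shorter. The sample lines and account names are constructed for illustration.

```python
# Added example (not from the original post): audit a pwdump-style export of
# your own domain to see which accounts still expose LM hashes.
# Assumed line format (pwdump/samdump convention): user:rid:lmhash:nthash:::
# The sample lines below are constructed for illustration only.

# Well-known LM hash of an all-null 7-byte half; doubled, it is the value
# Windows stores when no LM hash is kept for the account.
EMPTY_LM_HALF = "aad3b435b51404ee"
NO_LM_HASH = EMPTY_LM_HALF * 2

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1105:6d4d7f8c2e1a3b5caad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jdoe:1106:5f4e3d2c1b0a99887766554433221100:00112233445566778899aabbccddeeff:::
# comment line to be ignored
"""

def parse_dump(text):
    """Yield (user, lm_hash) tuples from pwdump-format lines; skip junk."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        yield parts[0], parts[2].lower()

def classify_lm(lm_hash):
    """Return a finding for one LM hash field, or None if nothing is exposed."""
    if len(lm_hash) != 32 or lm_hash == NO_LM_HASH:
        return None  # NoLMHash policy in effect for this account
    if lm_hash[16:] == EMPTY_LM_HALF:
        # The second DES block is the constant for an empty 7-byte half, so
        # the password is at most 7 characters: only one half is in play.
        return "LM hash stored, password <= 7 chars"
    return "LM hash stored"

def audit_lm_exposure(text):
    """Map each account that still stores an LM hash to its finding."""
    findings = {}
    for user, lm_hash in parse_dump(text):
        verdict = classify_lm(lm_hash)
        if verdict:
            findings[user] = verdict
    return findings

if __name__ == "__main__":
    for user, verdict in audit_lm_exposure(SAMPLE_DUMP).items():
        print(f"{user}: {verdict}")
```

Any account the audit lists is one where the "Do not store LAN Manager hash value on next password change" policy either is not applied or has not taken effect yet because the password has not been changed since.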



Anonymous said...

Good post. I would say that 100% of the time there are "those" people in the organization that do not want you there and don't understand the reason you are actually there. We are not here to make people look bad, although it is fun to do; we are here to help people make their shit better. When we encounter people that act like jackasses we want to do the former.

Anonymous said...

Vince, you make a good point -- it can be fun to make people look bad but it's not what we do. Most people in organizations don't get that. Most of our work is done to ensure that those people actually look better when they come to find that another company with a similar setup got hacked and they were already protected from it.

People should always try to fight the battle upfront instead of trying to put out the fire after the fact.

Anonymous said...

Great post. I can relate to this in many ways as I have taken "heat" for outages during a pentest...not that I haven't taken anything down but I have been blamed for more that I didn't do.

When I worked for a company that never had a network pentest before I contracted a third-party to do the work, the very management that hired these guys got crazy pissed when the third-party pwnd the entire Windows domain...then yelled at me for hiring them. I left the company shortly after. :)