Security Basics mailing list archives
RE: NASA Security Audit
From: "Simons, Rick" <RSIMONS () alldata net>
Date: Thu, 9 Oct 2003 07:12:08 -0500
I am fairly green to the security field, but I will offer what I can. I will watch this thread with interest. 8) If my reply is in no way related to your actual question, please feel free to delete, heh. I tend to answer questions I know, even if the question I answered wasn't quite the question posed. If you have been in the field for 2 years, I doubt any of this will be beneficial; but I will offer it anyway.

If I were trying to get in, I would start by footprinting your organization: IP range, phone number range, browse the 'official' website for valuable info about your setup and a personnel listing. Then I would look at the doors in (ftp, term, x phone numbers with modems on them (from the phone number scan), y contacts at the location to social engineer with (from the website)), google the personnel I could find on the website to see, like in this case, if I could find a very descriptive list of what hardware the target was running, or perhaps some personal pages created by employees that might help my attacks. If one of the posts was, like this one, very descriptive about the firewalling solutions, I would start banging on the known vulnerabilities for those devices. You would be surprised how many attacks start out by reading newsgroups or mailing lists where someone posts saying the security guru just left and they were handed the job, have little experience in the field, etc., so hackers who monitor said newsgroups and mailing lists open up the flood gates. With FTP obviously you have a clear text password issue, so I would start moving out from your server and try to take control of a peripheral router or gateway so I could sniff user/pass for the service. Chances are, perhaps this isn't the case, but chances are that the ftp user/pass combos work for the term service as well.

That is all I can think of. With possible ftp server vulnerabilities, term service vulns, misc services that may be running, a known hardware device list and associated old (possibly not patched) vulns, social engineering and wardialing, I'd say those will be hit first. If those can garner no entry, more head-first tactics would be used: try to dos the hardware devices with malformed packets, or dos the services to prevent valid users from connecting. There is more than one way to skin a cat, and if I can't get in, I would make sure nobody else could either. Those types of attacks will most likely NOT be employed by your penetration tester, as they are more last-resort tactics, but something to always keep in mind and adjust rules/timeout values/etc. appropriately. Unfortunately, at this point this is where my knowledge/experience fails me, so I will leave this to the more experienced people on this list to reply.

Rick.

-----Original Message-----
From: Gregory M. Brown [mailto:gbrown () alvalearning com]
Sent: Wednesday, October 08, 2003 12:49 PM
To: SECURITY-BASICS () SECURITYFOCUS COM
Subject: NASA Security Audit

Well it looks as though I am finally going to be tested by the Feds. According to my CTO, a guy named Jay Diceman will be the point man. Anyone ever hear of him? I hear he is a well known security expert (ex-hacker?) for the federal government. I have downloaded the Evaluated Security Configuration document created for Microsoft by Science Applications International Corporation. There are actually 2 of these. I think those .pdf's cover the Microsoft component. I don't even want him to get as far as any MS box. I am fairly new to security (2 years) and my final exam is going to be a "Black Box" test and a "Crystal" test from some heinously gifted hacker from NASA...

1. What exactly will these 2 forms of intrusion concentrate on?
2. Is my hardware up to the task? I currently have a Fortigate Fortinet 50 configured for intrusion detection and prevention. I am currently blocking 1300+ known attacks. My FW is a CheckPoint Celestix with a physical DMZ path. The only questionable services allowed through are FTP (requirement) and Terminal Services (requirement).
3. What can I expect?

Any input is GREATLY appreciated. Thanks. Man I hope I still have a job in 2 weeks!

gb