Dailydave mailing list archives

Re: "The organization I belong to doesn't have initials" (that evil dude in Heroes)


From: Nicolas RUFF <nruff () security-labs org>
Date: Tue, 14 Nov 2006 09:18:14 +0100

> > When I was a consultant my shtick was that a "pen-test" is a complete
> > waste of time if you don't have your other ducks in line.  This was based
> > on the un-scientific research conducted by myself that basically concluded
> > that 99/100 pen-tests are almost always successful.
> [...]
> That's a misleading way to frame the conversation, don't you think?  A
> pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
> It's supposed to ask the open-ended questions, "How can you be hacked?" and
> "How can you fix it?"

In my experience, "99/100 internal pen-tests are successful during the
first 10 minutes, without using any 0day attack".

(I don't even own a CANVAS licence :)

This means:
- Domain admin account created with a trivial password, for someone who never logged in.
- "Password.xls" file found on a public share.
- Variations: the share is hidden ('$' sign), the Excel file is password-protected.
- Local admin password is the same on every workstation - once you get yours, you can connect to any admin workstation.
- Service accounts can be used to log in anywhere, and passwords are stored on every workstation (=> LSADUMP).
- VNC/PCAnywhere/... using the same password on all mission-critical legacy NT4 servers.
- Blank "SA" password, especially in the case of 3rd party applications that silently installed an MSDE database.
- ...

How can you fix it? Certainly not by fuzzing and flaw-finding :)

Regards,
- Nicolas RUFF
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave