Dailydave mailing list archives
Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)
From: Nicolas RUFF <nruff () security-labs org>
Date: Tue, 14 Nov 2006 09:18:14 +0100
> When I was a consultant my shtick was that a "pen-test" is a complete waste of time if you don't have your other ducks in line. This was based on the un-scientific research conducted by myself that basically concluded that 99/100 pen-tests are almost always successful.
> [...]
> That's a misleading way to frame the conversation, don't you think? A pen-test isn't supposed to answer the yes/no question, "Can you be hacked?" It's supposed to ask the open-ended questions, "How can you be hacked?" and "How can you fix it?"
In my experience, "99/100 internal pen-tests are successful during the first 10 minutes, without using any 0day attack". (I don't even own a CANVAS licence :)

This means:
- Domain admin account created with a trivial password, for someone who never logged in.
- "Password.xls" file found on a public share.
  - Variations: the share is hidden ('$' sign), the Excel file is password-protected.
- Local admin password is the same on every workstation - once you get yours, you can connect to any admin workstation.
- Service accounts can be used to log in anywhere, and passwords are stored on every workstation (=> LSADUMP).
- VNC/PCAnywhere/... using the same password on all mission-critical legacy NT4 servers.
- Blank "SA" password, especially in case of 3rd party applications that silently installed an MSDE database.
- ...

How can you fix it? Certainly not by fuzzing and flaw-finding :)

Regards,
- Nicolas RUFF

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
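Two of the findings above (the same local admin password on every workstation, and blank passwords on accounts nobody looks at) can be checked for mechanically once you have dumped each machine's SAM. The script below is an added example, not code from Nicolas RUFF or the Dailydave list: it takes pwdump-style output (user:rid:lmhash:nthash:::) per host, matches the built-in administrator on RID 500 rather than on the name (so a renamed account is still caught), and reports any RID-500 NT hash that is shared by more than one host, plus any account whose NT hash is the well-known hash of the empty password. The host names and hash values are constructed for the example; the non-empty hashes are placeholders, not hashes of real passwords.

```python
"""Audit per-host SAM dumps for shared local admin hashes and blank passwords.

Added example (not from the original post). Input is pwdump-format text,
one dump per host, as produced by common SAM-dumping tools:
    user:rid:lmhash:nthash:::
"""
from collections import defaultdict

# Well-known constants: NT hash of the empty password, and the LM value
# seen when LM hashes are disabled or the password is empty.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample: four workstations. 'a'*32 etc. are placeholders,
# not the NT hash of any real password.
SAMPLE_DUMPS = {
    "WS01": f"Administrator:500:{EMPTY_LM}:{'a' * 32}:::\n",
    # Renamed admin account: same RID 500, same hash as WS01.
    "WS02": f"LocalAdm:500:{EMPTY_LM}:{'a' * 32}:::\n",
    "WS03": (f"Administrator:500:{EMPTY_LM}:{'a' * 32}:::\n"
             f"svc_backup:1001:{EMPTY_LM}:{'b' * 32}:::\n"),
    # Unique admin password, but a local account with a blank password.
    "WS04": (f"Administrator:500:{EMPTY_LM}:{'c' * 32}:::\n"
             f"localsvc:1002:{EMPTY_LM}:{EMPTY_NT}:::\n"),
}


def parse_pwdump(text):
    """Parse pwdump lines into dicts; skip anything that is not user:rid:lm:nt."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return rows


def find_admin_hash_reuse(dumps):
    """Map each RID-500 NT hash to the sorted hosts using it, keeping only
    hashes shared by two or more hosts (same local admin password)."""
    hosts_by_nt = defaultdict(list)
    for host, text in dumps.items():
        for row in parse_pwdump(text):
            if row["rid"] == 500:          # built-in administrator, whatever its name
                hosts_by_nt[row["nt"]].append(host)
    return {nt: sorted(hosts) for nt, hosts in hosts_by_nt.items() if len(hosts) > 1}


def find_blank_passwords(dumps):
    """Return sorted (host, user) pairs whose NT hash is the empty-password hash."""
    hits = []
    for host, text in dumps.items():
        for row in parse_pwdump(text):
            if row["nt"] == EMPTY_NT:
                hits.append((host, row["user"]))
    return sorted(hits)


def report(dumps):
    """Human-readable findings, one per line."""
    lines = []
    for nt, hosts in find_admin_hash_reuse(dumps).items():
        lines.append(f"RID-500 NT hash {nt[:8]}... shared by {len(hosts)} hosts: "
                     + ", ".join(hosts))
    for host, user in find_blank_passwords(dumps):
        lines.append(f"blank password: {user} on {host}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DUMPS)))
```

On the sample data this flags one hash shared by WS01, WS02 and WS03 (WS02's renamed account is caught because the match is on RID 500) and the blank password on WS04. Matching on hash rather than cracking the password is deliberate: for the pass-the-hash style lateral movement the post describes, whether the shared password is weak does not matter, only that it is shared.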
Current thread:
- "The organization I belong to doesn't have initals" (that evil dude in Heroes) Dave Aitel (Nov 12)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Tito Villalobos (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Pete Herzog (Nov 13)
- Re: "The organization I belong to doesn't have initals" (that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Paul Melson (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Steve Manzuik (Nov 13)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Olef Anderson (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Nicolas RUFF (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) David Maynor (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Daniel (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Siim Põder (Nov 14)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 15)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) dan (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Rhys Kidd (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Matt Richard (Nov 16)
- Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes) Dave Aitel (Nov 16)