Dailydave mailing list archives

Re: Immunity Certified Network Offense Professional


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Wed, 16 Jul 2008 14:36:27 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Maybe the problem is in agreeing to do the pentesting/security consulting
work of an app in just 6 hours? Maybe people should realize that security
consulting is a bit different than working in a factory?

I know, I know, now I'm gonna hear all the complaints of how the market
demands the above and how we all can't do anything about it. The usual
excuse, which I personally don't buy.

Ok, gonna take my afternoon nap now :)

joanna.

ps. anybody have any experience with using cscout?

val smith wrote:
| I'm going to have to award the point to Thomas here. The scenarios he
| presented are very often what I get myself. Super compressed time
| frame, unlikely to achieve goal so any time I spend developing tools
| or exploits is time I lose achieving the goal.
|
| I've also recently had an app test where I had something like 6 hours.
| There was no way (for me cause I suck) to come up with a working exploit
| in that time, but I was able to find half a dozen bugs and report
| them. In this case knowing how to write an exploit wouldn't do me much
| good.
|
| However I'll have to say I've run into maybe 1 place in the world
| where getting access to 1 host didn't get me much. (MAC locking on
| ports, 1 time passwords everywhere, no shared admin accounts, or admin
| from console only, lots of vlanning, etc.)
|
| Cheating is what it's all about. I have this thing I call the cooking
| show hack. You know in a cooking show how they make the food and put
| it in the oven then pull one out already cooked and try it. Same thing
| but with rootshell :)
|
| Fuzzy kiddies just sounds wrong man, just wrong.
|
| V.
|
| On Mon, Jul 14, 2008 at 6:18 AM, Thomas Ptacek <tqbf () matasano com> wrote:
|>>  Anyone can fire a fuzzer, find a bug and tell their client about how
|>>  exploitable it is.
|>>  People then will talk about ret-to-libc and malloc tricks that really
|>>  don't work anymore in modern systems.
|> This is NO DOUBT true. It is obviously much HARDER to exploit modern
|> memory corruption flaws than it is to find them. Respect, yo. S'all
|> love in here.
|>
|> The problem is, it is not MORE VALUABLE to exploit memory corruption
|> flaws than it is to find them. Consider two scenarios:
|>
|> (1) A shrink-wrap software pen test, for a vendor or a customer ---
|> the target is one application. You have 5 days. Unless you think you
|> can sweep 500,000 lines of C code clean of vulnerabilities in 40
|> hours, an hour spent on exploit dev is an hour not spent finding
|> vulnerabilities.
|>
|> (2) A network penetration test. You have 5 days. Unless you have found
|> the zero enterprises in the world where access to their network
|> doesn't immediately offer up 30 different mass casualty scenarios, an
|> hour spent on exploit dev is an hour not spent breaking into systems.
|>
|> We could go back and forth on (2) --- no doubt there are NPTs where
|> being able to bust CreateProcess in some sleazy Windows backup
|> software is going to win the game for you (there are also NPTs where
|> the client says, "tell me about the zero-day mass casualty exploits
|> you could have run, but don't stop testing until you get in without
|> cheating").
|>
|> And another thing: we all know about the "fuzz kiddies", but that
|> doesn't make all vulnerability research a matter of aiming /dev/random
|> at a socket and writing an advisory on the xor ebx,ebx; mov eax, [ebx]
|> findings. Plenty of people cheat at writing exploits too.

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkh96zsACgkQORdkotfEW84uawCg5wy798Bypm4lEHe9s5MNbOGJ
Qh4AoJmi6ZkT1CT3DtKC6Kq6L4j1S5fk
=pxlp
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave