Penetration Testing mailing list archives
Re: [PEN-TEST] Firewall identification and penetration
From: Ben Lull <blull () VALLEYLOCAL COM>
Date: Fri, 25 Aug 2000 15:18:04 -0700
Mike Ireton wrote:
On Sun, 13 Aug 2000, Aurobindo (Robin) Sundaram wrote:

What do people think of auditors or penetration testers having privileged access to start with? Does it save time? Or is it an unfair advantage to start with? Something to note is that since most break-ins are from the inside, having a non-privileged user account on the system is probably appropriate.

The advantage in starting with privileged access is that you have the opportunity to inspect more closely for 'obscurity' issues that may not be readily detectable from the outside, and which may be concealing problems that are potentially the most dangerous problems a site has. Going about it from a non-privileged account wouldn't let you see things like bad grants of sudo powers to users (because sudoers isn't world readable, for example).
I don't directly do professional penetration testing (job offers welcome =)) but I am deeply involved with it (legally) and have been for the past six years. In every penetration and securing of systems in which I have participated, I've found that it greatly depends on the penetrator's personal preferences (the way in which they proceed to audit and penetrate a target) and past experiences. As stated above, I agree, having a non-privileged user account on the system isn't a bad idea, nor is having super user access as well. The problems that arise, though, are due to the process by which penetration takes place and the experiences of the individual performing the penetration. For example, if you give two individuals super user access and non-privileged access, these two individuals are most likely going to go about penetrating it in two different ways. In the end, it's most likely that one user will have found more issues than the other.

Seeing a system from a super user's standpoint may allow you to see things which you won't see as a normal user, but it may also cause you to overlook other things which only a normal user would notice. To use the sudo reference above, a super user sees a poorly configured sudoers file. A normal user sees that the account he has allows sudo access. Even if you were to create a very well configured sudoers file, the normal user will not know this, thus spinning off into subsets of tests to determine what can and can't be done with sudo. The sudoers file may be secured, but because the normal user does not know this, he may inadvertently find another security hole which was overlooked.

In a nutshell, having access to the target host as a privileged and non-privileged user can be both good and bad depending on the individual(s)' preferences and experiences. Giving the individual(s) who will be performing the tests the choice is most likely the best idea.
On a side note, if you're having your system's security tested, trusting the company/individual you choose should be one of the first things you take into thought. If you don't trust someone, why on God's earth would you want them to even attempt to gain access to your system, let alone give them super user access up front?

Thanks,
Ben Lull

Ben Lull
Valley Local Internet, Inc.
Systems Administrator