Penetration Testing mailing list archives

Re: [PEN-TEST] Firewall identification and penetration


From: Ben Lull <blull () VALLEYLOCAL COM>
Date: Fri, 25 Aug 2000 15:18:04 -0700

Mike Ireton wrote:

On Sun, 13 Aug 2000, Aurobindo (Robin) Sundaram wrote:

What do people think of auditors or penetration testers having privileged
access to start with? Does it save time? Or is it an unfair advantage to
start with?

Something to note is that since most breakins are from the inside, having a
non-privileged user account on the system is probably appropriate.

       The advantage in starting with privileged access is that you
have the opportunity to inspect more closely for 'obscurity' issues that
may not be readily detectable from the outside, and which may be
concealing problems that are potentially the most dangerous problems a
site has. Going about it from a non-privileged account wouldn't let you
see things like bad grants of sudo powers to users (because sudoers isn't
world readable, for example).

    I don't directly do professional penetration testing (job offers welcome =))
but I am deeply involved with it (legally) and have been for the past six
years.  In every penetration and securing of systems I have participated in,
I've found that it greatly depends on the penetrator's personal preferences (the
way in which they proceed to audit and penetrate a target) and past experiences.

    As stated above, I agree, having a non-privileged user account on the system
isn't a bad idea, nor is having super user access as well.  The problems that
arise, though, are due to the process by which penetration takes place and the
experiences of the individual performing the penetration.  For example, if you
give two individuals super user access and non-privileged access, these two
individuals are most likely going to go about penetration in two different
ways.  In the end, it's most likely that one user will have found more issues
than the other.

    Seeing a system from a super user's standpoint may allow you to see things
which you won't see as a normal user, but it may also cause you to overlook
other things which only a normal user would notice.  To use the sudo reference
above, a super user sees a poorly configured sudoers file.  A normal user sees
that the account he has allows sudo access.  Even if you were to create a very well
configured sudoers file, the normal user will not know this, thus spinning off
into subsets of tests to determine what can and can't be done with sudo.  The
sudoers file may be secured, but because the normal user does not know this, he
may inadvertently find another security hole which was overlooked.

    In a nutshell, having access to the target host as a privileged and
non-privileged user can be both good and bad depending on the individual(s)'
preferences and experiences.  Giving the individual(s) who will be performing
the tests the choice is most likely the best idea.

    On a side note, if you're having your system's security tested, trusting the
company/individual you choose should be one of the first things you take into
thought.  If you don't trust someone, why on God's earth would you want them to
even attempt to gain access to your system, let alone give them super user
access up front?


Thanks,
Ben Lull

***
* Ben Lull
* Valley Local Internet, Inc.
* Systems Administrator
***
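The sudoers point made above (the file is readable only by root, so only a tester with privileged access can inspect the grants directly) is worth making concrete. The following is an added example, not code from this thread or its authors: a small Python audit over a constructed sudoers sample that flags the grants an auditor with root access would want to see, namely unrestricted `ALL` entries, `NOPASSWD` entries, and commands known to escape to a shell. The sample file contents and the shell-escape binary list are assumptions chosen for illustration.

```python
import re
from os.path import basename
# Constructed /etc/sudoers sample (not from any real host): a sane baseline plus
# the kind of "bad grants of sudo powers" that only a root-readable file reveals.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
wwwrun  ALL=(root) NOPASSWD: /usr/bin/vim /etc/httpd/httpd.conf
backup  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) /usr/bin/systemctl restart app, /usr/bin/less /var/log/app.log
"""

# Assumed list of binaries that can spawn a shell or read/write arbitrary files once run as root.
SHELL_ESCAPE = {"vim", "vi", "less", "more", "man", "sh", "bash", "python", "perl", "awk", "find"}
SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
# user_or_%group  host=(runas) [TAG:...] cmd[, cmd...]
GRANT_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")

def parse_grants(text):
    """Return (who, runas, tags, commands) for each user-specification line."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = GRANT_RE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        spec = m.group("spec")
        tagm = re.match(r"^((?:[A-Z]+:\s*)*)", spec)          # leading NOPASSWD:/NOEXEC:/... tags
        tags = set(tagm.group(1).replace(":", " ").split())
        cmds = [c.strip() for c in spec[tagm.end():].split(",") if c.strip()]
        grants.append((m.group("who"), m.group("runas") or "root", tags, cmds))
    return grants

def audit(text):
    """Return sorted (who, finding) pairs; root's own unrestricted entry is expected and skipped."""
    findings = []
    for who, runas, tags, cmds in parse_grants(text):
        if who == "root":
            continue
        for cmd in cmds:
            prog = cmd.split()[0]
            if cmd == "ALL":
                findings.append((who, f"unrestricted: any command as {runas}"))
            elif basename(prog) in SHELL_ESCAPE:
                findings.append((who, f"shell escape: {prog} as {runas}"))
        if "NOPASSWD" in tags:
            findings.append((who, "NOPASSWD: no authentication before escalation"))
    return sorted(findings)
```

Run `audit(open("/etc/sudoers").read())` as root on a test host to apply the same checks to a real file; a normal user gets a permission error at the `open`, which is exactly the visibility gap the thread describes.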


