Penetration Testing mailing list archives
Re: [PEN-TEST] 2 quick questions
From: Joe Shaw <jshaw () INSYNC NET>
Date: Mon, 18 Dec 2000 09:44:59 -0600
On Fri, 15 Dec 2000, Leon Rosenstein wrote:
> First is I was curious about routers: If a network has a router (a hardware one, not a computer running Linux or NT), is there anything to be gained from breaking into the router through one of the remote administration points? Is this thus a fruitless exercise or is there something to show the customer or gain yourself if you are auditing your network's security?
If the router is improperly secured, or not at all, it's definitely worth it to gain access. Depending on the type of router, a lot of information can be gained from debugging traffic. Also, you might be able to get passwords for the routers which might also be used on servers on the network as well. I've found poorly configured SNMP to be the biggest problem in my own personal experience. My team is usually able to get access by just walking the IP space and trying R/W community strings.
> Second I was curious about social engineering. Is this considered "fair play?" Is it discussed in advance?
Anything you're planning on doing should be discussed in advance, with a high-level overview of all areas of the penetration test before the test begins. Both parties should be clear on what the penetration tester is planning on doing and what the customer expects. If the customer wants social engineering, then you should certainly provide it as a service unless you're unprepared to do so. It's relatively easy to do, but I've met people who just can't do it even with a script. Most clients who are hiring you will be doing so for one of two purposes. They either have no real security posture or a specific group inside the organization that is responsible primarily for security, or they may have an IT security group but someone feels that their work needs to be double checked. In both of those cases, the customer probably isn't even thinking about people problems. They're worried more about strictly technological issues. However, the smaller an organization is, the less vulnerable it generally is to social engineering. With large organizations, it's easy to pretend to be someone that the person knows about but has never met. With a small organization, trying to impersonate someone that the person on the phone may know fairly well is tough, and will usually end up raising red flags. Generally, if there are fewer than two dozen employees, I don't waste time on social engineering.
> If you're allowed to do it, how far do you take it? Do you take it to the point where you do a mass mailing of BO or Sub 7 to show the owners of the network how vulnerable they are to this flaw (because isn't social engineering kind of a flaw even though it is a human one?)
As far as it can be taken without causing irreparable damage to the client. If I can get a system password out of someone then I'm already ahead. If that password leads to an eventual greater escalation of privileges to the Administrator or root level, then I've done what I needed to do and it ends there. I certainly wouldn't rm their backups or vandalize their web page. Actually, I don't do anything during a penetration test that I haven't already had the customer agree to. Too many things can go wrong, and a simple misunderstanding can lead to severe consequences to your business and your freedom. The Intel vs. Randal Schwartz case is a prime example. Social engineering is indeed a people problem, but it is also a policy, or lack thereof, problem. Generally, most places I've worked at have stressed the importance of choosing a strong password. But only 1/3 have actually implemented password aging and a method of checking that passwords conform to the acceptable standards policy. And only one has actually mentioned things like social engineering in their training materials in relation to passwords. People in business are supposed to help people, especially if their job is to answer a phone. This is easily exploitable.
> Or do you just stop with tricking them into revealing user names and passwords?
I generally stop when I can no longer get any useful information or someone has given me 'the keys to the castle.'

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named.
I have public opinions, and they have public relations.
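The SNMP community-string problem Joe describes above (read/write communities left at vendor defaults and reachable from anywhere) is something a network owner can catch in their own router configs before an auditor does. The following is an added example, not code from the thread or from any participant: a small audit script for Cisco IOS-style `snmp-server community` lines. The sample config, the list of "weak" strings, and the 12-character length threshold are all constructed assumptions for the illustration.

```python
import re
from typing import Dict, List

# Vendor-default or trivially guessable community strings.
# Constructed for this example; extend with whatever your vendors ship.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "secret", "snmp"}

# Minimum community length we consider acceptable (assumption for the example).
MIN_COMMUNITY_LEN = 12

# Cisco IOS syntax: snmp-server community <string> [view <name>] [RO|RW] [acl]
# The trailing ACL (number or name) limits which hosts may use the community.
COMMUNITY_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample config for the demonstration (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk7q2mZp9vLw RO 10
snmp-server community s3cret RW 20
"""


def audit_snmp_config(config_text: str) -> List[Dict[str, object]]:
    """Return one finding per risky community line in an IOS-style config.

    A finding records the line number, the community string, its mode and a
    list of human-readable issues. Lines with no issues produce no finding.
    """
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        community = m.group(1)
        mode = (m.group(2) or "RO").upper()   # IOS defaults to read-only
        acl = m.group(3)

        issues: List[str] = []
        if community.lower() in WEAK_COMMUNITIES:
            issues.append("default/guessable community string")
        elif len(community) < MIN_COMMUNITY_LEN:
            issues.append("short community string")
        if mode == "RW":
            # A read-write community over SNMPv1/v2c lets anyone who knows the
            # string change the running configuration; this is what an auditor
            # walking the IP space is hoping to find.
            issues.append("read-write access (config can be changed over SNMPv1/v2c)")
        if acl is None:
            issues.append("no ACL restricting which hosts may query")

        if issues:
            findings.append(
                {"line": lineno, "community": community, "mode": mode, "issues": issues}
            )
    return findings


def is_snmp_compliant(config_text: str) -> bool:
    """True when no community line on the device raises an issue."""
    return not audit_snmp_config(config_text)


if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: community '{f['community']}' ({f['mode']})")
        for issue in f["issues"]:
            print(f"    - {issue}")
    print("compliant:", is_snmp_compliant(SAMPLE_CONFIG))
```

Run against the sample config, the script flags the `public` and `private` lines and the short read-write `s3cret` community, and leaves the long read-only community bound to ACL 10 alone. The remediation the findings point at is the usual one: drop read-write communities entirely unless there is a documented need, restrict any remaining community with an ACL, and move to SNMPv3 with authentication and privacy where the platform supports it.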
Current thread:
- [PEN-TEST] 2 quick questions Leon Rosenstein (Dec 16)
- Re: [PEN-TEST] 2 quick questions Talisker (Dec 16)
- Re: [PEN-TEST] 2 quick questions Bill Pennington (Dec 16)
- Re: [PEN-TEST] 2 quick questions M Schubert (Dec 16)
- Re: [PEN-TEST] 2 quick questions sporty o'one (Dec 16)
- Re: [PEN-TEST] 2 quick questions Joe Shaw (Dec 19)
- <Possible follow-ups>
- Re: [PEN-TEST] 2 quick questions Bock, John (ISS San Francisco) (Dec 18)
- Re: [PEN-TEST] 2 quick questions Jose Nazario (Dec 18)
- Re: [PEN-TEST] 2 quick questions Skinner, Tim L. (Dec 19)