Penetration Testing mailing list archives
Re: [PEN-TEST] Evaluating Auditors Abilities
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Fri, 8 Sep 2000 10:14:28 -0500
Not to toot our own horn or anything... :) However, this is what most people are doing out there right now. Many of our clients asked us for a demonstration of what we could do. This is what we gave the last customer:

Our "hacker" for this demonstration wanted a job with the mock-up company, as a SysAdmin. He got a nice rejection letter (we've all seen one too many of these), and decides to try to blackmail the company by stealing some data. Keep in mind that this demo was made to demonstrate "System Profiling" rather than "Script kiddies going after low-hanging fruit". This guy had a target, and he knew he wanted sensitive information that could be used against the company. He researched their systems, and instead of moving on to something easier, his mentality was "I will get into this network".

Systems used:

A Windows NT Server (as a standalone file server with fully patched IIS4. NT file sharing and FTP were the only things running). This is a file server for general employee use, and contains apps and home directories, with profiles.

A Linux box, specifically Red Hat 6.1, with Samba. It is a DNS server (upgraded BIND to fix the NXT, etc. BoFs). It is running Telnet, FTP, Sendmail and Samba as well. Anon FTP is disabled, and Samba has no public shares or printers. The hostname is HR; all employees have accounts on the system, but Samba is used only by Human-Resources employees (must be a member of the "hr" group in /etc/group).

We used a whole host of tricks to get data out of the NT box, and ended up finding a copy of sam in winnt/repair, and cracking passwords, trying about 10 account/password pairs against the Linux box before getting in, and then tried to get into the Samba directories through our shell account (which didn't work). We used a local suid /tmp race that had been posted to Bugtraq about 3 days before the demo, which gave us root, and we grabbed all payroll and termination info, opened it in Excel, and freaked out the audience.

Nothing was really rigged at all. The NT machine was one of our own test-lab boxes that had just been re-installed 3 weeks earlier, and had nothing more than an OLD version of IIS on it. Winnt/repair was there because someone had obviously made a repair set after the installation. We did not knowingly set the machine up that way. The accounts were set up by our engineers. The passwords were all 7 chars or longer, with at least 1 uppercase and 2 digits. L0phtCrack was used to crack the sam file. Obviously, a few accounts had the same passwords in both places, but most did not. There was a chance that this wasn't going to work. We'd profiled our setup the day before, and planned a few attacks; for instance, the /tmp race was going to be used if our user-level account couldn't access the Samba files...

We pretty much refuse to give freebies using someone else's existing systems, though. They can tell us what they'd like to see us do, and we usually honor it.

And as for references: we *ALWAYS* ask every customer if they would have a problem volunteering information that they used our company, and ask if they would be willing to be a reference for us. A surprising amount of them will readily agree to talk to any future customers out there... so don't go saying "Our customers don't want to tell anyone who they used for their pen-testing".

Noah Dunker
Network Security Engineer
FishNet Security

-----Original Message-----
From: David Hopkins [mailto:David () COMPUSA COM]
Sent: Thursday, September 07, 2000 2:58 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Evaluating Auditors Abilities

I'd be a little leery using Auditors for Penetrations anyway; I'd opt more for a Security Consulting firm that specializes in Penetrations and who will gladly offer references, since it's their livelihood. They may even do a limited scope "freebie" to show what they can offer, and they should be able to thoroughly explain their results; if they can't, you don't have to go any further and you're not out any $.

David Hopkins, CISSP
CompUSA IT Security Manager
972-982-5414 (office)
972-333-5636 (cell)

-----Original Message-----
From: Emeigh, Mike [mailto:piratefan1 () MINDSPRING COM]
Sent: Thursday, September 07, 2000 12:53 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Evaluating Auditors Abilities

Derrick wrote: (snip)
> How can companies decide which auditors really do a decent job and are worth their value?

I'd first ask the auditors to provide references, and then contact those companies. If the auditors aren't willing to provide references, I'd be suspicious.

Mike Emeigh
piratefan1 () mindspring com