Penetration Testing mailing list archives

Re: [PEN-TEST] Evaluating Auditors Abilities


From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
Date: Fri, 8 Sep 2000 10:14:28 -0500

Not to toot our own horn or anything... :)

However, this is what most people are doing out there right now.

Many of our clients asked us for a demonstration of what we could
do.  This is what we gave the last customer:

Our "hacker" for this demonstration, wanted a job with the mock-up
company, as a SysAdmin.  He got a nice rejection letter (we've all
seen one too many of these), and decides to try to blackmail the
company by stealing some data.  Keep in mind that this demo was
made to demonstrate "System Profiling" rather than "Script kiddies
going after low-hanging fruit".  This guy had a target, and he knew
he wanted sensitive information that could be used against the
company.  He researched their systems, and instead of moving on to
something easier, his mentality was "I will get into this network".

systems used:

A Windows NT Server (as a standalone file server with fully patched
IIS4.  NT file sharing and FTP were the only things running)
This is a file server for general employee use, and contains apps,
and home directories, with profiles.

A Linux box, specifically Red Hat 6.1, with Samba.  It is a DNS
server (BIND upgraded to fix the NXT etc. BoFs).  It is running
Telnet, FTP, Sendmail and Samba as well.  Anon FTP is disabled,
and Samba has no public shares or printers.  The hostname is HR;
all employees have accounts on the system, but Samba is used
only by Human-Resources employees (they must be members of the "hr"
group in /etc/group).

We used a whole host of tricks to get data out of the NT box, and
ended up finding a copy of the SAM in winnt/repair, cracking the passwords,
and trying about 10 account/password pairs against the Linux box before
getting in.  We then tried to get into the Samba directories through
our shell account (which didn't work).  We used a local suid /tmp race
that had been posted to Bugtraq about 3 days before the demo, which
gave us root, and we grabbed all payroll and termination info, opened
it in Excel, and freaked out the audience.

Nothing was really rigged at all.  The NT machine was one of our own
test-lab boxes that had just been re-installed 3 weeks earlier, and
had nothing more than an OLD version of IIS on it.  Winnt/repair was
there because someone had obviously made a repair set after the
installation.  We did not knowingly set the machine up that way.

The accounts were set up by our engineers.  The passwords were all
7 chars or longer, with at least 1 uppercase and 2 digits.  L0phtCrack
was used to crack the SAM file.  Obviously, a few accounts had the same
passwords in both places, but most did not.

There was a chance that this wasn't going to work.  We'd profiled our
setup the day before, and planned a few attacks; for instance, the
/tmp race was going to be used if our user-level account couldn't
access the Samba files...


We pretty much refuse to give freebies using someone else's existing
systems, though.  They can tell us what they'd like to see us do, and
we usually honor it.

And as for references: we *ALWAYS* ask every customer if they would
have a problem volunteering information that they used our company,
and ask if they would be willing to be a reference for us.  A
surprising number of them will readily agree to talk to any future
customers out there... so don't go saying "Our customers don't want
to tell anyone who they used for their pen-testing".

Noah Dunker
Network Security Engineer
FishNet Security
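The step in Noah's demo that carried the attack from the NT box to the Linux box was password reuse: plaintexts cracked from the leftover SAM were tried as Unix logins.  The script below is an added example (not from the post or from FishNet) of doing that check offline, the way an auditor would before touching the target: cracked NT account/password pairs are tested against every entry in a copy of /etc/shadow.  It assumes the shadow file uses the $1$ MD5-crypt scheme that Red Hat 6.x installs with "MD5 passwords" enabled (classic DES crypt is not handled), and the account names, passwords and shadow lines are constructed for the example, with the hashes generated by the script's own md5crypt.

```python
"""Offline check for NT -> Unix password reuse (added example, not from the post).
Cracked NT plaintexts are tried against $1$ MD5-crypt hashes from a shadow file.
All account names, passwords and shadow lines here are constructed sample data."""
import hashlib
import warnings

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    # crypt's base64 variant: low 6 bits first, no padding
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """MD5-based crypt(3), the $1$ scheme from crypt-md5.c (salt is at most 8 chars)."""
    pw = password.encode()
    salt = salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for pl in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[: min(pl, 16)])
    i = len(pw)
    while i:                                   # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # the stretching loop that slows cracking
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in order) + _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + encoded


def verify_md5crypt(password, hash_field):
    """True if password produces hash_field; only $1$ hashes are handled."""
    parts = hash_field.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return md5crypt(password, parts[2]) == hash_field


def parse_shadow(text):
    """Return {user: hash} for shadow entries that carry a real hash (locked/empty skipped)."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        pw = fields[1] if len(fields) > 1 else ""
        if pw and pw[0] not in "*!":
            entries[fields[0]] = pw
    return entries


def find_reuse(cracked, shadow):
    """Try every cracked NT password against every shadow entry.
    Same-name hits are the account/password pairs the post tried by hand;
    cross-account hits catch a password reused under a different login."""
    hits = []
    for nt_user, password in cracked.items():
        for unix_user, hashed in shadow.items():
            if verify_md5crypt(password, hashed):
                hits.append((nt_user, unix_user, password))
    return hits


def stdlib_crosscheck(password="Summer00", salt="xQ9a1pLm"):
    """Compare md5crypt with the platform crypt(3) where Python still ships it
    (the crypt module was removed in 3.13); returns True when it is unavailable."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            import crypt
    except ImportError:
        return True
    reference = crypt.crypt(password, "$1$" + salt + "$")
    return reference is None or reference == md5crypt(password, salt)


# Constructed sample data: plaintexts "cracked" from the NT SAM ...
CRACKED_NT = {"jdoe": "Summer00", "asmith": "Fish42Net", "bjones": "Rx7Turbo"}

# ... and a constructed shadow file (hashes made with md5crypt above; a real
# audit would read the target's /etc/shadow instead).
SAMPLE_SHADOW = "\n".join([
    "root:" + md5crypt("Tr0ub4dor", "ab12cd34") + ":11200:0:99999:7:::",
    "jdoe:" + md5crypt("Summer00", "xQ9a1pLm") + ":11200:0:99999:7:::",
    "asmith:" + md5crypt("Other99z", "k3lPz8Qw") + ":11200:0:99999:7:::",
    "bjones:*:11200:0:99999:7:::",
    "mlee:" + md5crypt("Rx7Turbo", "pp00ss11") + ":11200:0:99999:7:::",
])

if __name__ == "__main__":
    for nt_user, unix_user, password in find_reuse(CRACKED_NT, parse_shadow(SAMPLE_SHADOW)):
        print(f"NT {nt_user} -> Unix {unix_user}: {password!r}")
```

On the sample data it reports jdoe reusing Summer00 on both systems and bjones's NT password turning up under the unix login mlee (bjones's own Unix account is locked), which is the kind of cross-account hit that trying "about 10 account/password pairs" by hand would miss.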



-----Original Message-----
From: David Hopkins [mailto:David () COMPUSA COM]
Sent: Thursday, September 07, 2000 2:58 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Evaluating Auditors Abilities


I'd be a little leery of using auditors for penetrations anyway; I'd opt
more for a security consulting firm that specializes in penetrations and
will gladly offer references, since it's their livelihood.  They may
even do a limited-scope "freebie" to show what they can offer, and they
should be able to thoroughly explain their results.  If they can't, you
don't have to go any further and you're not out any $.

David Hopkins, CISSP
CompUSA IT Security Manager
972-982-5414 (office)
972-333-5636 (cell)



-----Original Message-----
From: Emeigh, Mike [mailto:piratefan1 () MINDSPRING COM]
Sent: Thursday, September 07, 2000 12:53 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Evaluating Auditors Abilities


Derrick wrote:

(snip)

How can companies decide which auditors really do a decent job
and are worth their value?

I'd first ask the auditors to provide references, and then
contact those companies. If the auditors aren't willing to
provide references, I'd be suspicious.

Mike Emeigh
piratefan1 () mindspring com

