Penetration Testing mailing list archives
Re: Security Audit
From: H Carvey <keydet89 () yahoo com>
Date: 10 Sep 2001 11:01:35 -0000
Within 15 minutes of manual testing we found the web server to be
vulnerable to both the UTF-8
and double decode vulnerabilities. The reason
for this was simply that the
tools (which I will not name) presumed that
Windows NT is always installed
in a directory called winnt, when in this case
it was installed in a
directory called winnt40. This was enough to
throw the automated tools way
off of the scent.
Which is a great argument for vulnerability assessments. Yes, many tools are scriptable, but even Nessus doesn't go as far in Win32 environments as you _can_ go with the right tools. Generally (and in order to set the playing field here) a pen test is done in the blind, or with very little information. The more prior knowledge a pen tester has, the less 'fair' the test is going to be. However, the lack of prior knowledge can extend the time of the pen test, depending on what was contracted. Vulnerability assessments are done internally, with the full cooperation of the admins. This means interviews of key personnel, and consultants have admin accounts in the domain in order to run their tools (NOTE: Observing closely how the admin account is set up and then taken down will tell the consultant quite a bit about the organization). Given that, information such as which directory NT or 2K is installed in will be available on a per-machine basis. I've written tools like this, it's not all that difficult.
Also, what about custom CGIs, ASPs etc, they may
be vulnerable to /../
attacks, SQL injection etc etc, but there isn't
(to my knowledge) any 100%
sure fire reliable way to test for these
automatically in this scenario. To
do the test properly you need to apply the
methodology to the custom
environment.
Or do a code review. Doing a code review in a test environment allows the consultant to test and verify his findings before presentation. Very few systems are set up identically, so a vulnerability in a script may mean one thing to one infrastructure, quite another to someone else.
I think a more suitable question is why would
you pay a 'Consultant' good
money to hit a big green go button and print the
results? You don't. A drunken monkey can do this (I've seen it! Just kidding...sorry, KoKo). But that is what many organizations do. It's not up to the consultants to meet an arbitrary standard based on someone else's moral code...they're in it for the money, and have a business model to follow. It's up to the company who hires and ultimately pays for the consultant to vet these organizations and find one that is suitable. One way of doing it is to ask the consulting firm for references...but they'd be fools to give you negative references, wouldn't they? So when you're talking to them, find out what their model is, how they go about doing things. In the end, it's a crap shoot, really. That's b/c whatever the sales guy tells you in your meetings, there is no legal requirement that the deliverable be anything but an ISS report printed on company letterhead. The key differentiator is analysis...how does one measure that before hand? ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Re: Security Audit, (continued)
- Re: Security Audit Erik Tayler (Sep 06)
- Re: Security Audit Renaud Deraison (Sep 07)
- Re: Security Audit Justin Stanford (Sep 07)
- Re: Security Audit bacano (Sep 10)
- RE: Security Audit Roberts, Kevin S (Sep 06)
- RE: Security Audit Ogle Ron (Rennes) (Sep 06)
- Re: Security Audit bluefur0r bluefur0r (Sep 06)
- Re: Security Audit Rob J Meijer (Sep 07)
- RE: Security Audit Aleksander Czarnowski (Sep 07)
- RE: Security Audit Ogle Ron (Rennes) (Sep 10)
- Re: Security Audit H Carvey (Sep 10)
- Re: Security Audit bacano (Sep 10)
- How to discover FW-1 management module or GUI? Carmelo Floridia (Sep 12)
- Re: How to discover FW-1 management module or GUI? Sheik Abdulla (Sep 13)
- Re: How to discover FW-1 management module or GUI? Alex Butcher (Sep 13)
- Re: How to discover FW-1 management module or GUI? Michael Batchelder (Sep 14)
- Re: How to discover FW-1 management module or GUI? Gareth Bromley (Sep 23)
- Re: How to discover FW-1 management module or GUI? The Crocodile (Sep 16)
- Re: How to discover FW-1 management module or GUI? Penetration Testing (Sep 16)
- Re: Security Audit bacano (Sep 10)
- Re: Security Audit R. DuFresne (Sep 12)