Penetration Testing mailing list archives

Re: root kit detection/penetration

From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Thu, 15 Sep 2005 11:41:11 +0200

cdewitt () indepthsec com wrote:

What are the best practices for penetration testing the viability
of placing root kits on a client's external servers - vpn, web,
app...?

If you did not write it yourself _and_ are confident that its impactin business critical systems is 0 don't do it. If you have thecapability to install a root kit in an external server the game isover, it might be better for you (and for the client) to allow you toplug a system (laptop) to the external server LAN and go from therethan to compromise production servers. Of course, that depends on thevalue your customer places on those servers.

And, while I'm asking - what are the best practices or
countermeasures for root kit placement?

Properly bastion hosts and severly limit the capabitilies of the usersthe services exposed to the Internet as running at (i.e. defense indepth, chroot jails, up-to-date patched systems, etc.) includinghost-IDS with (in Windows) updated antivirus (which will carry rootkitsignatures too) or (in UNIX) rootkit detectors.

What root kits are still viable/current?


Too many to list, take a look at  http://packetstormsecurity.org/
For UNIX: http://www.packetstormsecurity.org/UNIX/penetration/rootkits/

All comments/tomatoes welcome...cd


Tomato.

Javier

------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

root kit detection/penetration cdewitt (Sep 14)
- RE: [lists] root kit detection/penetration Curt Purdy (Sep 14)
- Re: root kit detection/penetration Javier Fernandez-Sanguino (Sep 15)
  - RE: root kit detection/penetration Omar A. Herrera (Sep 16)
- <Possible follow-ups>
- RE: root kit detection/penetration Chris Fahey (Sep 16)