Penetration Testing mailing list archives

Re: I want the PT list back....


From: Peter Wood <peterw () firstbase co uk>
Date: Thu, 13 Dec 2007 12:40:30 +0000

Hello j0e

>I remember several years ago when I wished I had the skill to understand
>some of the questions people asked on this list. I remember when people
>on this list would ask questions about situations they were facing while
>on an assessment. The person asking the question would list all of the
>references he'd already read, what he'd already tried and the error
>message he'd received. And amazingly - people would actually help....

I remember that too.

>Are people afraid to post that kind of stuff anymore or what? Have our
>NDAs pushed us to just talking with our buddies in SILC servers, or just
>posting stuff in blogs?

I think a lot of people have been told not to post infrastructure data on groups and lists, but I don't think that affects PT/VA work. Maybe they're scared of looking n00b?

>There are a ton of really smart people on this list. I see occasional
>replies from some big names in the industry - really smart cats.

It's true.

>I'm doing 3 pentests a month now, and when I'm not working I live on
>security blogs, and silc servers with my buddies - I don't really follow
>the security lists as closely as I used to because it just doesn't seem
>like people are sharing as much information as they used to on here.
>
>I don't know if anyone else is feeling this way about this list, if you
>disagree with me say so....

I agree.

>Guys here is what I'm dealing with out there - what about you?
>
>* NAC Solutions (tricky, but not as tough as Host-based IPS - MAC/IP
>spoofing still gets by the stuff I've run into)

One or two sites with NAC. Definitely possible to defeat, depending on the implementation. Most of our (very large) clients have absolutely no internal IDS or IPS or NAC, even today.

>* Host-Based IPS Solutions (really tough to beat - at least for me)

Very rare in our experience, even though we deal with multi-nationals. Therefore we have not had to deal with host-based IPS yet!

>* Wireless IPS Solutions (a joke)

Again, most clients are starting to implement WPA2 (often Cisco) but none so far have wireless IPS.

>* 802.1x - I haven't seen it on an assessment yet.

Not really my scene, but Didi, our head of R&D (who leads our wireless testing) may have.

>I'm having to hit web app, and client-side stuff to get into the
>networks from the outside. Port scanning and VA tools are damn near
>useless from external.

Absolutely.

>For me web app, to back end server, to the LAN is so rare it might as
>well be non-existent. Web app to DB - yeah...but not to internal LAN for
>me very much.

The same for us (excluding Citrix and the like of course).

>Spear phishing with or without client-side exploits is it for me for
>external to internal. <-- How about you guys?

Spear phishing definitely works. Citrix services on the web with no two-factor authentication offer lots of vulnerabilities too.

>Internal networks are still a mess, riddled with old vulnerabilities -
>even when the customer has patch management solutions. I can't be as
>noisy trying to find them like the good old days - but they are still
>there - the bigger the company the more legacy crap they have.

Absolutely. Stupid service account passwords on Windows domains still give us Domain Admin in just a few minutes at most sites! Core Impact lets us gain root on many different systems using exploits with good provenance.

>Rarely I find a Linux box on the client's network that I can use to set
>up shop these days so I've had to develop a collection of command-line
>windows tools. Anybody else in this boat? If so what's in your toolkit?
>I started with meta.cab from Phoenix 2600 and have been customizing it.

We use the Core Impact framework, plus a whole bunch of tools (which I posted here a few months ago, but can re-post if wanted).

>For wireless I pretty much just use Kismet/Aircrack-NG, but I'm really
>interested in wicrawl. Anyone using it on pentests yet?

Gonna have to ask Didi about this, but mostly she uses a wireless packet sniffer and analyses the results manually, making most tools unnecessary. We did invest in Airopeek (I think) recently but haven't played with it much yet.

>Inguma looks interesting, I run into Oracle on tests a lot. Is anyone
>using it - if so what do you think?

Not used it. We use AppDetective for database testing and audit.

>Some attacks that look really interesting - but I don't know of anyone
>doing them in assessments? Can someone shed some light?
>
>* DNS-Rebinding
>* Oracle Cursor Snarfing
>* Remotely fingerprint OS Language packs
>* Remote SQL/PHP Shell Injection

None of those - sorry.

For internal testing, we start at the bottom of the stack and work up, running a sniffer most of the time as an audit trail and to find useful things like broadcast SNMP strings etc. Tools include (not a complete list, but off the top of my head): Wireshark and CommView; nmap, snscan and SuperScan; SolarWinds Engineers Edition; Hyena, DumpSec, nbtdump; Nessus (of course), SNSI, AppDetective, WebInspect; Core Impact.

cheers
Pete



----------------------------------------------------------------------------------
Peter Wood FBCS CITP FIMIS MIEEE CISSP A.Inst.ISP
Chief of Operations
First Base Technologies
tel: +44 1273 454525
mob: +44 7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk
www.peterwood.com
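The reply above mentions running a sniffer during internal tests partly to pick up broadcast SNMP community strings. The following is an added example, not code from the post or from any of the tools it names, showing what that harvesting step looks like once the UDP payloads are in hand: a small BER parser that pulls the version, community string and PDU type out of SNMPv1/v2c messages, notes SNMPv3 messages (which carry no community string), and flags the vendor defaults "public" and "private". The packet tuples, the community "n3tm0n!", the addresses and the function names are all constructed for this demo; in practice the payloads would come from a capture (Wireshark exposes the same field as snmp.community).

```python
"""Harvest SNMPv1/v2c community strings from sniffed UDP payloads.

Added example, not from the mailing-list post. All packets below are
constructed by hand for the demo; parse_snmp / harvest_communities /
default_communities are names chosen here, not those of any real tool.
"""
from typing import Dict, List, Optional, Set, Tuple

PDU_TYPES = {
    0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
    0xA3: "SetRequest", 0xA4: "Trap-v1", 0xA5: "GetBulkRequest",
    0xA6: "InformRequest", 0xA7: "Trap-v2",
}
SNMP_PORTS = {161, 162}                 # agent and trap receiver ports
DEFAULT_COMMUNITIES = {"public", "private"}


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                       # long form: 0x8N then N big-endian length bytes
        n = ln & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln


def parse_snmp(payload: bytes) -> Optional[Dict[str, Optional[str]]]:
    """Return {version, community, pdu} for an SNMP message, or None if it is not one.

    v1/v2c: SEQUENCE { INTEGER version, OCTET STRING community, [PDU] }
    v3:     SEQUENCE { INTEGER 3, msgGlobalData, ... }  (no community at all)
    """
    try:
        tag, body, _ = _tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = _tlv(body, 0)
        if tag != 0x02 or len(ver) != 1:
            return None
        if ver[0] == 3:
            return {"version": "3", "community": None, "pdu": None}
        if ver[0] not in (0, 1):        # 0 = SNMPv1, 1 = SNMPv2c
            return None
        tag, community, pos = _tlv(body, pos)
        if tag != 0x04:
            return None
        pdu_tag, _, _ = _tlv(body, pos)
        if pdu_tag not in PDU_TYPES:
            return None
        return {"version": "1" if ver[0] == 0 else "2c",
                "community": community.decode("latin-1"),
                "pdu": PDU_TYPES[pdu_tag]}
    except ValueError:                  # malformed BER: treat as not SNMP
        return None


# Constructed packets: (src, dst, dst_port, udp_payload). Hex is hand-built BER.
PACKETS = [
    # SNMPv1 GetRequest for sysDescr.0, community "public", sent to the broadcast address
    ("10.0.0.5", "255.255.255.255", 161, bytes.fromhex(
        "30 26 02 01 00 04 06 70 75 62 6c 69 63 a0 19 02 01 01 02 01 00 02 01 00"
        "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00")),
    # SNMPv2c SetRequest sysContact.0 = "test", community "private"
    ("10.0.0.5", "10.0.0.20", 161, bytes.fromhex(
        "30 2b 02 01 01 04 07 70 72 69 76 61 74 65 a3 1d 02 01 02 02 01 00 02 01 00"
        "30 12 30 10 06 08 2b 06 01 02 01 01 04 00 04 04 74 65 73 74")),
    # SNMPv2c GetResponse from a device, non-default community "n3tm0n!", value "Cisco IOS"
    ("10.0.0.20", "10.0.0.5", 161, bytes.fromhex(
        "30 30 02 01 01 04 07 6e 33 74 6d 30 6e 21 a2 22 02 01 01 02 01 00 02 01 00"
        "30 17 30 15 06 08 2b 06 01 02 01 01 01 00 04 09 43 69 73 63 6f 20 49 4f 53")),
    # Minimal SNMPv3 header (msgGlobalData only): nothing to harvest
    ("10.0.0.7", "10.0.0.20", 161, bytes.fromhex(
        "30 19 02 01 03 30 10 02 04 00 00 00 01 02 02 05 dc 04 01 04 02 01 03 04 00 30 00")),
    # Junk on 161 and a packet on another port, both ignored
    ("10.0.0.9", "10.0.0.20", 161, bytes.fromhex("00 01 02 03")),
    ("10.0.0.9", "10.0.0.1", 53, bytes.fromhex("30 26 02 01 00")),
]


def harvest_communities(packets) -> List[Dict[str, Optional[str]]]:
    """Filter to SNMP ports, parse, and annotate each hit with endpoints and a default flag."""
    findings = []
    for src, dst, dport, payload in packets:
        if dport not in SNMP_PORTS:
            continue
        rec = parse_snmp(payload)
        if rec is None:
            continue
        rec.update(src=src, dst=dst,
                   broadcast="yes" if dst == "255.255.255.255" else "no",
                   default="yes" if rec["community"] in DEFAULT_COMMUNITIES else "no")
        findings.append(rec)
    return findings


def default_communities(findings) -> Set[str]:
    """Community strings seen on the wire that are vendor defaults."""
    return {f["community"] for f in findings if f["default"] == "yes"}


if __name__ == "__main__":
    for f in harvest_communities(PACKETS):
        print(f"{f['src']:>10} -> {f['dst']:<15} v{f['version']:<3} {f['pdu'] or '-':<15}"
              f" community={f['community']!r} default={f['default']} broadcast={f['broadcast']}")
```

The parser stops at the PDU tag because the community string is all this step needs; a writeable community (a SetRequest, or any community that answers a SetRequest later) is the finding that matters, and the broadcast flag identifies monitoring hosts spraying their read string across the segment.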


