Security Basics mailing list archives
RE: network auditing
From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Thu, 16 Oct 2003 10:40:41 -0600
> Unless I do it at home (which isn't practical at the moment due to me still using a dialup). But perhaps my understanding of this 'black box' test isn't that correct. Why do you say it's 'impossible'?

The difference between a "black box" and a "crystal box" test is more about your knowledge of the target than your physical access. If you have physical access to a computer or computer network, it's almost trivial to "hack" it. Very few hackers have the balls (or the skills) to try to "social engineer" their way INTO your server room and then stand there while they sniff traffic or reboot a monitoring station in order to gain root access. Both black box and crystal box tests are usually done from outside the network.

Black box testing is sometimes called "Blind" testing, but some people will argue there are differences between 'blind' and 'black box'. In either case, the test requires that the attacker know little or nothing about the network, its structure or the applications found on it. It's a great way of looking at how a hacker would approach the network who had no prior knowledge of it.

The crystal box tests involve the attacker being provided details on the workings and layout of your network and possibly even the configuration of the servers and IDS systems. Sometimes crystal-box tests even involve providing the source code for the various systems, where available.

As you sound like you work as an administrator, it would be impossible for you to "forget" how your network is laid out and approach it as if you were trying to discover where all the servers are located and what they do. Hacking from inside a network is a legitimate (if less common) form of penetration testing, but both "black box" and "crystal box" tests are frequently conducted externally to the network.
> That seems quite logical. As it does take quite a bit of bandwidth.

It's not the bandwidth. After all, a full portscan may only send a few hundred KB of traffic. The trick is that port scans are "aberrant" traffic. There is no "legitimate" (pardon the use of that word) application which engages in the type of behavior that port scanners do. IDS systems and firewalls are tuned to pick up on this and send out alerts and/or block the intruder/virus that is portscanning.
> Shouldn't most people by now have logging enabled by default? Whether they look at the logs is another matter. Just as long as they are logged.

Yes, people have logging enabled. It can be very tricky to pick out an attacker's movements through the system if it's mixed in with a bunch of legitimate traffic, even if the administrator is aware a hack is taking place. When you use brute-force attacks, it becomes PAINFULLY obvious which traffic is yours and you will leave traces that way. In addition, host-based IDS systems almost always keep an eye out for things like this and you will likely set off alarms or get yourself locked out of a system where you try to brute-force your way in. This is one case where a "crystal box" is very helpful. If you know a system has no IDS capabilities or that a log is off, you can whack away at it all you want...
> I'll check it out at the bookstore. I'm not entirely sure it'd be there and I do hope it's still in print?

I think it's a fairly new book... I found it at a Barnes & Noble. Though it is a fairly small softcover and does cost $50 :-)
> I've seen these. There's the Windows Hacking exposed and the Linux one. I've flipped through them and they are quite 'bulky' and they seem to have lots of info. The question remains whether they are worth the $$$.

I would start with the generic "Hacking Exposed" books. Then you can move onto the Windows and Linux versions. If you're seriously considering a career in this field or even if you're just very interested in it, I would strongly recommend that book. It's a great reference later on too. I still have it on my bookshelf (an older edition) alongside "stealing the network", "TCP/IP Fundamentals", "Computer Security Fundamentals", "How the Network Works" and a few others. Honestly, I don't like reading them that much, but now and then I pick one up and read a chapter or three. In that way, over the past few years, I've made it through all of them. :-)

Eric
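An added example, not part of Eric's message: a minimal sketch of the behavioral check behind the point above that port scans stand out by pattern rather than bandwidth. The log format, addresses, window and threshold are assumptions constructed for illustration, and lines are assumed to arrive in time order.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed sliding window
PORT_THRESHOLD = 15   # assumed limit on distinct ports per source/target pair

def parse(line):
    """Parse one constructed log line: 'ts src dst dport bytes'."""
    ts, src, dst, dport, nbytes = line.split()
    return float(ts), src, dst, int(dport), int(nbytes)

def detect_scanners(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {src: most distinct ports seen in any window} for flagged sources."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    flagged = {}
    for ts, src, dst, dport, _ in map(parse, lines):
        q = recent[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({port for _, port in q})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

def bytes_per_source(lines):
    """Total bytes per source, to compare volume against behavior."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in map(parse, lines):
        totals[src] += nbytes
    return dict(totals)

def sample_log():
    """Constructed sample: one bulk HTTPS client and one scanning source."""
    lines = []
    for i in range(40):          # 40 large transfers, all to port 443
        lines.append(f"{i * 0.2:.1f} 192.0.2.10 198.51.100.5 443 60000")
    for port in range(1, 101):   # 60-byte probes across ports 1-100
        lines.append(f"{port * 0.05:.2f} 203.0.113.7 198.51.100.5 {port} 60")
    lines.sort(key=lambda entry: float(entry.split()[0]))
    return lines

if __name__ == "__main__":
    log = sample_log()
    print("bytes per source:", bytes_per_source(log))
    print("flagged:", detect_scanners(log))
```

The scanning source sends far fewer bytes than the bulk client, yet it is the only one flagged, because the check counts distinct destination ports rather than volume.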