Security Basics mailing list archives

RE: network auditing


From: "Hagen, Eric" <ehagen () DenverNewspaperAgency com>
Date: Thu, 16 Oct 2003 10:40:41 -0600

> Unless I do it at home (which isn't practical at the moment due to
> me still using a dialup).   But perhaps my understanding of this 'black
> box' test isn't that correct.  Why do you say it's 'impossible'?

The difference between a "black box" and a "crystal box" test is more about
your knowledge of the target than your physical access.  If you have
physical access to a computer or computer network, it's almost trivial to
"hack" it.  Very few hackers have the balls (or the skills) to try to
"social engineer" their way INTO your server room and then stand there while
they sniff traffic or reboot a monitoring station in order to gain root
access.

Both black box and crystal box tests are usually done from outside the
network.  Black box testing is sometimes called "blind" testing, but some
people will argue there are differences between 'blind' and 'black box'.  In
either case, the test requires that the attacker know little or nothing
about the network, its structure or the applications found on it.  It's a
great way of looking at how a hacker who had no prior knowledge of the
network would approach it.  The crystal box tests involve the attacker being
provided details on the workings and layout of your network and possibly
even the configuration of the servers and IDS systems.  Sometimes
crystal-box tests even involve providing the source code for the various
systems, where available.   As it sounds like you work as an administrator,
it would be impossible for you to "forget" how your network is laid out and
approach it as if you were trying to discover where all the servers are
located and what they do.

Hacking from inside a network is a legitimate (if less common) form of
penetration testing, but both "black box" and "crystal box" tests are
frequently conducted externally to the network.


> That seems quite logical.  As it does take quite a bit of bandwidth.

It's not the bandwidth.  After all, a full portscan may only send a few
hundred KB of traffic.  The trick is that port scans are "aberrant" traffic.
There is no "legitimate" (pardon the use of that word) application which
engages in the type of behavior that port scanners do.  IDS systems and
firewalls are tuned to pick up on this and send out alerts and/or block the
intruder/virus that is portscanning.


> Shouldn't most people by now have logging enabled by default?
> Whether they look at the logs is another matter.  Just as long as they
> are logged.

Yes, people have logging enabled.  It can be very tricky to pick out an
attacker's movements through the system if it's mixed in with a bunch of
legitimate traffic, even if the administrator is aware a hack is taking
place.  When you use brute-force attacks, it becomes PAINFULLY obvious which
traffic is yours and you will leave traces that way.  In addition,
host-based IDS systems almost always keep an eye out for things like this
and you will likely set off alarms or get yourself locked out of a system
where you try to brute-force your way in.  This is one case where a "crystal
box" is very helpful.  If you know a system has no IDS capabilities or that
a log is off, you can whack away at it all you want...

> I'll check it out at the bookstore.  I'm not entirely sure it'd be
> there and I do hope it's still in print?

I think it's a fairly new book...  I found it at a Barnes & Noble.  Though
it is a fairly small softcover and does cost $50 :-)



> I've seen these.  There's the Windows Hacking Exposed and the Linux
> one.  I've flipped through them and they are quite 'bulky' and they
> seem to have lots of info.  The question remains whether they
> are worth the $$$.

I would start with the generic "Hacking Exposed" books.  Then you can move
onto the Windows and Linux versions. If you're seriously considering a
career in this field or even if you're just very interested in it, I would
strongly recommend that book.  It's a great reference later on too.   I
still have it on my bookshelf (an older edition) alongside "Stealing the
Network", "TCP/IP Fundamentals", "Computer Security Fundamentals", "How the
Network Works" and a few others.

Honestly, I don't like reading them that much, but now and then I pick one
up and read a chapter or three.  In that way, over the past few years, I've
made it through all of them.  :-)

Eric

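The two patterns Eric says are "painfully obvious" in logs, a port scan (one source touching many distinct ports in seconds) and a brute-force login (many failed authentications from one source in a short span), as an added example that is not part of the original thread and not any product's detection rule. Both are the same sliding-window threshold check, so one block serves both passages. The firewall and auth log lines are constructed and simplified for illustration (not a real syslog or firewall format), and the window sizes and thresholds are arbitrary assumptions a real deployment would tune.

```python
"""Added example: windowed threshold detectors for a port scan and a
brute-force login, run over constructed log lines. The log formats,
windows and thresholds are assumptions made for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed firewall log: "<ISO timestamp> ACCEPT|DROP <src> -> <dst>:<dport>".
# 203.0.113.7 sweeps ten ports in four seconds; 192.0.2.5 is ordinary traffic.
FIREWALL_LOG = """\
2003-10-16T10:40:00 DROP 203.0.113.7 -> 198.51.100.10:21
2003-10-16T10:40:00 DROP 203.0.113.7 -> 198.51.100.10:22
2003-10-16T10:40:01 DROP 203.0.113.7 -> 198.51.100.10:23
2003-10-16T10:40:01 DROP 203.0.113.7 -> 198.51.100.10:25
2003-10-16T10:40:02 ACCEPT 192.0.2.5 -> 198.51.100.10:80
2003-10-16T10:40:02 DROP 203.0.113.7 -> 198.51.100.10:80
2003-10-16T10:40:02 DROP 203.0.113.7 -> 198.51.100.10:110
2003-10-16T10:40:03 DROP 203.0.113.7 -> 198.51.100.10:143
2003-10-16T10:40:03 ACCEPT 192.0.2.5 -> 198.51.100.10:443
2003-10-16T10:40:03 DROP 203.0.113.7 -> 198.51.100.10:443
2003-10-16T10:40:04 DROP 203.0.113.7 -> 198.51.100.10:445
2003-10-16T10:40:04 DROP 203.0.113.7 -> 198.51.100.10:3389
2003-10-16T10:40:30 ACCEPT 192.0.2.5 -> 198.51.100.10:80
"""

# Constructed auth log: "<ISO timestamp> sshd: Failed password for <user> from <src>".
# 198.51.100.99 guesses six passwords in twenty seconds; 192.0.2.5 mistypes once.
AUTH_LOG = """\
2003-10-16T10:41:00 sshd: Failed password for root from 198.51.100.99
2003-10-16T10:41:03 sshd: Failed password for root from 198.51.100.99
2003-10-16T10:41:05 sshd: Failed password for eric from 192.0.2.5
2003-10-16T10:41:07 sshd: Failed password for admin from 198.51.100.99
2003-10-16T10:41:11 sshd: Failed password for admin from 198.51.100.99
2003-10-16T10:41:15 sshd: Failed password for root from 198.51.100.99
2003-10-16T10:41:20 sshd: Failed password for root from 198.51.100.99
"""

FW_RE = re.compile(r"^(\S+) (?:ACCEPT|DROP) (\S+) -> \S+:(\d+)$")
AUTH_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse_firewall(text):
    """Yield (timestamp, source_ip, destination_port) for each parseable line."""
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))


def parse_auth_failures(text):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(3), m.group(2)


def windowed_threshold(events, window, threshold, distinct):
    """Generic sliding-window detector.

    events: iterable of (timestamp, key, value). For each key, keep only the
    events within `window` of the current one; alert the first time the count
    (distinct values if `distinct`, otherwise raw events) reaches `threshold`.
    Returns {key: (time_of_first_alert, count_at_that_time)}.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, key, value in sorted(events, key=lambda e: e[0]):
        q = recent[key]
        q.append((ts, value))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        count = len({v for _, v in q}) if distinct else len(q)
        if count >= threshold and key not in alerts:
            alerts[key] = (ts, count)
    return alerts


def detect_port_scans(text, window=timedelta(seconds=10), threshold=8):
    """A scan is one source reaching many *distinct* ports quickly; a busy but
    legitimate client hitting 80 and 443 repeatedly never trips this."""
    return windowed_threshold(parse_firewall(text), window, threshold, distinct=True)


def detect_brute_force(text, window=timedelta(seconds=60), threshold=5):
    """Brute force is many failures from one source regardless of which
    account was tried, so repeated attempts count (distinct=False)."""
    return windowed_threshold(parse_auth_failures(text), window, threshold, distinct=False)


if __name__ == "__main__":
    for src, (when, n) in detect_port_scans(FIREWALL_LOG).items():
        print(f"port scan: {src} touched {n} distinct ports by {when.time()}")
    for src, (when, n) in detect_brute_force(AUTH_LOG).items():
        print(f"brute force: {src} failed {n} logins by {when.time()}")
```

The two detectors differ only in what they count: distinct destination ports for the scan (so a chatty web client stays quiet) versus every failed attempt for the brute force (so alternating between "root" and "admin" does not hide the attacker). Against the constructed logs, the scanner is flagged on its eighth distinct port at 10:40:03 and the password guesser on its fifth failure at 10:41:15, while 192.0.2.5 never appears in either alert set.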



