Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: "The organization I belong to doesn't have initals"(that evil dude in Heroes)

From: "David Maynor" <dmaynor () gmail com>
Date: Tue, 14 Nov 2006 07:55:03 -0500
Using 0day in pentests I still very valid, IMHO. The goal of designing
a secure environment is that it could survive and repel an assault
from a determined attacker. Since the debate about whether 0day is
used in real world attacks seems to finally be over thanks to thing
like IE and office bugs, a person has to take the 0day angle into
account while designing an infrastructure. Of course people that leave
password lists on open shares will care about this less than people
who have been through a pentest process and implemented the
suggestions.

On 11/14/06, Nicolas RUFF <nruff () security-labs org> wrote:

When I was a consultant my shtick was that a "pen-test" is a complete
waste of time if you don't have
your other ducks in line.  This was based on the un-scientific research
conducted by myself that
basically concluded that 99/100 pen-tests are almost always successful.

[...]

That's a misleading way to frame the conversation, don't you think?  A
pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
It's supposed to ask the open-ended questions, "How can you be hacked?" and
"How can you fix it?"


In my experience, "99/100 internal pen-tests are successful during the
first 10 minutes, without using any 0day attack".

(I don't even own a CANVAS licence :)

This means:
- Domain admin account created with a trivial password, for someone who
never logged in.
- "Password.xls" file found on a public share.
- Variations: the share is hidden ('$' sign), the Excel file is
password-protected.
- Local admin password is the same on every workstation - once you get
yours, you can connect to any admin workstation.
- Service accounts can be used to log in anywhere, and passwords are
stored on every workstation (=> LSADUMP).
- VNC/PCAnywhere/... using the same password on all mission-critical
legacy NT4 servers.
- Blank "SA" password, especially in case of 3rd party applications that
silently installed a MSDE database.
- ...

How can you fix it ? Certainly not by fuzzing and flaw-finding :)

Regards,
- Nicolas RUFF
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: