Re: Penetration Test Assistance

[Peter Kristolaitis <alter3d () alter3d ca>]

On 12-06-05 11:32 AM, Andrew Latham wrote:
> On Tue, Jun 5, 2012 at 10:52 AM, Green, Timothy
> <Timothy.Green () mantech com>  wrote:
> > Howdy all,
> >
> > I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram 
> > of the entire network.  We don't have a "complete" network diagram that shows everything and everywhere we are.  At most we have 
> > a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over 
> > a month and they seem to be too lazy to put it together or they have no idea where everything is.
> >
> > I've never been in this situation before.  Should I be honest to the testers and tell them here is what we have, we aren't sure if 
> > it's accurate;  find everything else?  How would they access those areas that we haven't identified?   How can I give them access to 
> > stuff that I didn't know existed?
> >
> > What do you all do with your large networks?  One huge network diagram, a bunch of network diagrams separated by 
> > region, or both?  Any pentest horror stories?
> >
> > Thanks,
> >
> > Tim
> Any penetration test should only require your networks and masks.  As
> far as a diagram it is of value to keep a staff member with the
> singular task of documentation and auditing or an optional contract
> basis.  Small things like typographical errors can cause great
> confusion in emergency situations.  Take the time and do it right.  I
> personally prefer the flexibility and ease of use that Mediawiki
> offers but other free and pay solutions exist.

Yup, a list of subnets in use on your network is all I've ever needed to 
provide to pen testers in the past on the few occasions I've worked with 
them.  A good pen test should scan everything on your network anyways, 
with a reasonable chance of figuring out what everything is.

As far as horror stories... yeah.   My most memorable experience was a 
guy (with a CISSP designation, working for a company who came highly 
recommended) who:
    - Spent a day trying to get his Backtrack CD to "work properly".  
When I looked at it, it was just a color depth issue in X that took 
about 45 seconds from "why is this broken?" to "hey look, I fixed it!".
    - Completely missed the honeypot machine I set up for the test.  I 
had logs from the machine showing that his scanning had hit the machine 
and had found several of the vulnerabilities, but the entire machine was 
absent from the report.
    - Called us complaining that a certain behavior that "he'd never 
seen before" was happening when he tried to nmap our network.  The 
"certain behavior" was a firewall with some IPS functionality, along 
with him not knowing how to read nmap output.
    - Completely messed up the report -- three times.  His report had 
the wrong ports & vulnerabilities listed on the wrong IPs, so according 
to the report, we apparently had FreeBSD boxes running IOS or MS SQL...
    - Stopped taking our calls when we asked why the honeypot machine 
was completely missing from the report.

In general, my experience with most "pen testers" is a severe 
disappointment, and isn't anything that couldn't be done in-house by 
taking the person in your department who has the most ingrained 
hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza 
and a big ass pot of coffee, and saying "Find stuff we don't know about. 
Go.".   There is the occasional pen tester who is absolutely phenomenal 
and does the job properly (i.e. the guys who actually write their own 
shellcode, etc), but the vast majority of "pen testers" just use 
automated tools and call it a day.  Like everything else in IT, security 
has been "commercialized" to the point where finding really good 
vendors/people is hard, because everyone and their mom has CEH, CISSP, 
and whatever other alphabet soup certifications you can imagine.