Penetration Testing mailing list archives

Re: [PEN-TEST] 2 quick questions


From: Joe Shaw <jshaw () INSYNC NET>
Date: Mon, 18 Dec 2000 09:44:59 -0600

On Fri, 15 Dec 2000, Leon Rosenstein wrote:

> First is I was curious about routers:  If a network has a router (a hardware
> one, not a computer running Linux or NT).  Is there anything to be gained
> from breaking into the router through one of the remote administration
> points?  Is this thus a fruitless exercise or is there something to show the
> customer or gain yourself if you are auditing your network's security?

If the router is improperly secured, or not at all, it's definitely worth
it to gain access.  Depending on the type of router, a lot of information
can be gained from debugging traffic.  Also, you might be able to get
passwords for the routers which might also be used on servers on the
network as well.  I've found poorly configured SNMP to be the biggest
problem in my own personal experience.  My team is usually able to get access
by just walking the IP space and trying R/W community strings.

> Second I was curious about social engineering.  Is this considered "fair
> play?"  Is it discussed in advance?

Anything you're planning on doing should be discussed in advance, with
a high-level overview of all areas of the penetration test before the test
begins.  Both parties should be clear on what the penetration tester is
planning on doing and what the customer expects.  If the customer wants
social engineering, then you should certainly provide it as a service
unless you're unprepared to do so.  It's relatively easy to do, but I've
met people who just can't do it even with a script.

Most clients who are hiring you will be doing so for one of two purposes.
They either have no real security posture or a specific group inside the
organization that is responsible primarily for security, or they may have
an IT security group but someone feels that their work needs to be double
checked.  In both of those cases, the customer probably isn't even
thinking about people problems.  They're worried more about strictly
technological issues.  However, the smaller an organization is, the less
vulnerable it generally is to social engineering.  With large
organizations, it's easy to pretend to be someone that the person knows
about but has never met.  With a small organization, trying to impersonate
someone that the person on the phone may know fairly well is tough, and
will usually end up raising red flags.  Generally, if there are fewer than
two dozen employees, I don't waste time on social engineering.

> If you're allowed to do it how far do you take it?  Do you take it the
> point where you do a mass mailing of BO or Sub 7 to show the owners of
> the network how vulnerable they are to this flaw (because isn't social
> engineering kind of a flaw even though it is a human one?)

As far as it can be taken without causing irreparable damage to the
client.  If I can get a system password out of someone then I'm already
ahead.  If that password leads to an eventual greater escalation of
privileges to the Administrator or root level, then I've done what I
needed to do and it ends there.  I certainly wouldn't rm their backups or
vandalize their web page.  Actually, I don't do anything during a
penetration test that I haven't already had the customer agree to.  Too
many things can go wrong, and a simple misunderstanding can lead to severe
consequences to your business and your freedom.  The Intel vs. Randal
Schwartz case is a prime example.

Social engineering is indeed a people problem, but it is also a policy,
or lack thereof, problem.  Generally, most places I've worked at have
stressed the importance of choosing a strong password.  But only 1/3 have
actually implemented password aging and a method of checking that
passwords conform to the acceptable standards policy.  And only one has
actually mentioned things like social engineering in their training
materials in relation to passwords.

People in business are supposed to help people, especially if their job is
to answer a phone.  This is easily exploitable.

> Or do you just stop with tricking them into revealing user names and
> passwords?

I generally stop when I can no longer get any useful information or
someone has given me 'the keys to the castle.'

--
Joseph W. Shaw
Sr. Network Security Specialist for Big Company not to be named.
I have public opinions, and they have public relations.

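The SNMP check Joe describes above (walking an address range and trying community strings, then telling read-only from read-write access) as an added example; this is not code from the original message or from any tool the thread mentions. It hand-encodes SNMPv1 (RFC 1157) in BER so nothing beyond the standard library is needed. Assumptions: the write test sets sysContact.0 (1.3.6.1.2.1.1.4.0) back to its current value, which is a no-op on an agent that accepts it and, per RFC 1157, gets noSuchName (2) from a community that lacks write access; packets with an unknown community are silently dropped, so a timeout means "no access". The transport is injected, and the fake agent, community strings and 10.0.0.x addresses in the usage note are constructed for an offline run.

```python
# SNMPv1 community-string probe (RFC 1157, BER). Added example, not from the original post.
# The transport is injected, so it runs offline against the constructed fake_agent() below;
# for a live host, supply a send(bytes) that does one UDP sendto/recv to port 161 with a timeout.

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # BER tags
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3                    # SNMPv1 PDU tags
SYS_CONTACT = "1.3.6.1.2.1.1.4.0"  # assumed probe object: MIB-II sysContact.0 (read, then no-op write)

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")           # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def enc_int(v):
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:                                          # base-128, high bit on all but last byte
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.insert(0, 0x80 | (p & 0x7F))
        out += chunk
    return tlv(OID, bytes(out))

def decode(data, pos=0):
    """One TLV at pos -> ((tag, value), end). Constructed types yield a list of children."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                                # long-form length
        ln, pos = int.from_bytes(data[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    body, end = data[pos:pos + ln], pos + ln
    if tag == INTEGER:
        return (tag, int.from_bytes(body, "big", signed=True)), end
    if tag == OID:
        subids, acc = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                subids.append(acc)
                acc = 0
        return (tag, ".".join(map(str, subids))), end
    if not tag & 0x20:                                           # other primitive: raw bytes
        return (tag, bytes(body)), end
    items = []
    while pos < end:
        item, pos = decode(data, pos)
        items.append(item)
    return (tag, items), end

def build(pdu_tag, community, request_id, varbinds, error=0):
    """SNMPv1 message; varbinds is a list of (dotted oid, BER-encoded value)."""
    vbl = tlv(SEQUENCE, b"".join(tlv(SEQUENCE, enc_oid(o) + v) for o, v in varbinds))
    pdu = tlv(pdu_tag, enc_int(request_id) + enc_int(error) + enc_int(0) + vbl)
    return tlv(SEQUENCE, enc_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def parse(raw):
    """-> (community, pdu_tag, request_id, error_status, [(oid, value_tag, value), ...])"""
    (_, [(_, _ver), (_, community), (pdu_tag, pdu)]), _ = decode(raw)
    (_, rid), (_, err), (_, _idx), (_, vbl) = pdu
    binds = [(oid, vtag, val) for (_, [(_, oid), (vtag, val)]) in vbl]
    return community.decode(), pdu_tag, rid, err, binds

def probe(send, community, request_id=1):
    """Classify a community as 'none', 'read-only' or 'read-write'. send(bytes) returns the reply
    or None on timeout. Write check: SetRequest of sysContact.0 to its current value (a no-op);
    any non-zero error-status (noSuchName on v1, noAccess on some v2c agents) counts as read-only."""
    reply = send(build(GET_REQUEST, community, request_id, [(SYS_CONTACT, tlv(NULL, b""))]))
    if reply is None:
        return "none"
    _, tag, rid, err, binds = parse(reply)
    if tag != GET_RESPONSE or rid != request_id or err != 0:
        return "none"
    _oid, vtag, current = binds[0]
    reply = send(build(SET_REQUEST, community, request_id + 1, [(SYS_CONTACT, tlv(vtag, current))]))
    if reply is None:
        return "read-only"
    _, tag, rid, err, _ = parse(reply)
    return "read-write" if tag == GET_RESPONSE and rid == request_id + 1 and err == 0 else "read-only"

def sweep(hosts, communities, sender_for):
    """Walk the host list, try every community, record the strongest access per host."""
    rank, found = {"none": 0, "read-only": 1, "read-write": 2}, {}
    for host in hosts:
        results = [(probe(sender_for(host), c), c) for c in communities]
        access, c = max(results, key=lambda r: rank[r[0]])
        if access != "none":
            found[host] = (c, access)
    return found

def fake_agent(ro="public", rw="private", contact=b"noc@example.test"):
    """Constructed offline agent: drops unknown communities silently, accepts writes only from rw."""
    state = {SYS_CONTACT: contact}
    def send(raw):
        community, tag, rid, _, [(oid, _vtag, val)] = parse(raw)
        if community not in (ro, rw):
            return None                 # real agents discard bad-community packets, hence the timeout case
        err = 2 if tag == SET_REQUEST and community != rw else 0   # 2 = noSuchName: not in write view
        if tag == SET_REQUEST and not err:
            state[oid] = val
        return build(GET_RESPONSE, community, rid, [(oid, tlv(OCTET_STRING, state[oid]))], error=err)
    return send
```

For an offline run, build a constructed address space such as `agents = {"10.0.0.1": fake_agent(), "10.0.0.2": fake_agent(rw="s3cret"), "10.0.0.3": fake_agent("a", "b")}` and call `sweep(agents, ["public", "private"], agents.__getitem__)`: the first host reports `("private", "read-write")`, the second `("public", "read-only")`, and the third, which answers nothing, is absent. Two practical caveats: the probe sends one SetRequest per community that reads successfully, so even a no-op write needs to be inside the agreed scope of the test, exactly the kind of thing Joe says should be cleared with the customer in advance; and a single lost datagram reads as "none", so a live sweep should retry before trusting a silence.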