Penetration Testing mailing list archives

Re: [PEN-TEST] Testing a "rogue site"


From: Rich Richenberg <rrichenb () PEREGRINE COM>
Date: Fri, 8 Sep 2000 10:56:16 -0700

Mike,
Perhaps it would be a good idea to contact an IDS vendor (ISS comes to mind)
and have them demo their product to you by scanning the target machines for
vulnerabilities. You might also want to take advantage of free trials from
other vendors like eEye (Retina). Since it can be done across the Internet,
you won't need to physically be at the machine - though it might be a good
idea to have your point man there standing by to monitor.

As a side note, one of the biggest challenges in security is to get the
customer - in this case the decision-makers at your company and the offices
you are bringing into the fold - to want to do the right thing. Even if you
are successful in "mak(ing) them buy a firewall," that's only one step
(albeit an important one). A better goal might be to get them to want to buy
a firewall - and use it properly. If you can do that, the next steps of
performing vulnerability assessments and getting real-time IDS in place
will be much easier.

Rich Richenberg
Technical Security Manager
Peregrine Systems, Inc.

-----Original Message-----
From: Kelly, Mike [mailto:Mike_Kelly () RYDER COM]
Sent: Friday, September 08, 2000 6:29 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Testing a "rogue site"


Hi folks!

I've got an interesting scenario/case study here.

Very recently, there was a slight organizational change in our company and
two out of town sites became added to our "circle of responsibility".
Although they were added, company politics prevents us from dictating any IT
policy to these new sites.

One of the sites has just found itself an ISP. There is no firewall between
the site's network and the rest of the Internet. Just an NT PDC Server.
All of this was done without consulting our IT department, and the politics
of the situation has allowed them to do this. Fortunately, they are not tied
into our network just yet.

Anyway. I was named Security Manager last year for no other reason than I
have a greater interest in network security than most of the people here.
(Now you've seen my entire set of credentials.) I've been asked to determine
any vulnerability on the server at the new site so a report can be delivered
to the CEO regarding what is going on down there.

I've managed to get the IP address of this site and run some port scans.
I've found 3 telnet ports (port 23), 1 ftp port (port 21) and 1 port 80.
There are 10 addresses responding to pings and I'm guessing that at least one
of them is an HP 4000 print server. (That was the FTP port)

Connecting to port 23 doesn't give you any information about the OS or
anything. Connecting to the FTP port (anonymously!) lets you see inside the
HP 4000 printer server. Port 80 is on the same machine as the FTP port, so
I'm comfortable in assuming that it is there for remote administration of the
HP 4000. Port 80 is on the printer server as well and it's there for remote
administration. I don't think they have set passwords on the print server; I
looked at the tab marked security and it looks like it's still waiting to see
its first administrative password. (concluded thusly because the lines for
"old password" are grayed out and inactive)

 The only real holes I've found are on the printer server. I haven't really
tried doing anything other than connections on the telnet ports.

I suspect that someone from the ISP must have "hardened" or at least
inspected the PDC a little because the VNC service seems to have been turned
off.

I also know that the PDC is running NT 4, Service Pack 6.

If you were me, which way would you look next? Physical access is impossible
as they are probably an 8 hour flight from here. I've had thoughts about
arranging for one of the IT guys there to stand by the server on a weekend
while I try and Smurf it, but I'm not really excited about doing that if I
can help it.

We want to be able to make the case to the Boss that someone should have
bought a firewall (we're a CISCO shop and we use PIX here) before getting
online. And then we want to make them buy a firewall.

Thanks folks,

Mike Kelly
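The checks Mike describes doing by hand (connect to each open port, note what answers, see whether FTP accepts an anonymous login, flag the web interface for an admin-password check) can be scripted so the results land in a form that goes straight into the report for the CEO. The following is an added example written for this archive page; it is not code from either poster and uses only the Python 3 standard library. The host, the port list, the `pentest@example.invalid` address used as the anonymous-FTP password, and the "220 Constructed demo FTP greeting" banner served by the loopback stand-in are all constructed for illustration, not real device output.

```python
# Added example (not from the thread): automate the manual checks in the
# original post. Demo host/ports/banner below are constructed.
import socket
import threading
from ftplib import FTP, error_perm


def grab_banner(host, port, timeout=3.0):
    """Connect to host:port and return whatever the service volunteers.

    FTP/SMTP-style services talk first; telnet daemons often send only
    option-negotiation bytes or nothing at all, so if the first read is
    empty we nudge with CRLF and read once more. Returns None when the
    port is closed, filtered or unreachable, "" when it answered silently.
    """
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(1024)
            except socket.timeout:
                pass
            if not data:
                try:
                    s.sendall(b"\r\n")
                    data = s.recv(1024)
                except (socket.timeout, OSError):
                    pass
    except OSError:
        return None
    return data.decode("latin-1", "replace").strip()


def classify(port, banner):
    """Rough service guess plus the follow-up check to run, as (service, note).

    A 220 greeting mentioning FTP is trusted over the port number, and a
    0xFF byte (telnet IAC) marks telnet option negotiation even on an odd port.
    """
    text = (banner or "").lower()
    if (text.startswith("220") and "ftp" in text) or port == 21:
        return ("ftp", "try anonymous login; a print server may expose its filesystem")
    if port == 23 or "\xff" in text:
        return ("telnet", "no banner; fingerprint the OS some other way before guessing")
    if port == 80 or text.startswith("http/"):
        return ("http", "likely a device admin UI; check whether an admin password is set")
    return ("unknown", "manual review")


def anonymous_ftp_allowed(host, port=21, timeout=5.0):
    """Return (True, directory listing) if 'anonymous' logs in, else (False, reason)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "pentest@example.invalid")  # constructed address
        return True, ftp.nlst()
    except (error_perm, OSError) as exc:
        return False, str(exc)
    finally:
        ftp.close()


def report(host, ports, timeout=3.0):
    """Sweep the ports; one finding dict per port that accepted a connection."""
    findings = []
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is None:
            continue
        service, note = classify(port, banner)
        findings.append({"port": port, "service": service,
                         "banner": banner, "next_step": note})
    return findings


if __name__ == "__main__":
    # Loopback stand-in for a target so the example runs offline.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    demo_port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.sendall(b"220 Constructed demo FTP greeting\r\n")
        conn.close()

    t = threading.Thread(target=serve_once)
    t.start()
    for finding in report("127.0.0.1", [demo_port]):
        print(finding)
    t.join()
    srv.close()
```

Against a real target, `report(host, [21, 23, 80])` gives the port, the greeting text and the next step for each responder, and `anonymous_ftp_allowed(host)` confirms the anonymous-FTP exposure without browsing the device by hand. The classifier is deliberately conservative: an unknown port with no banner is left for manual review rather than guessed at.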

