Penetration Testing mailing list archives

Re: Conficker (and friends) v.s. Penetration Testing


From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Sun, 5 Apr 2009 19:51:02 -0400

Bruno,
I'm familiar with the materials that you linked below, nevertheless much appreciated and agreed. Nothing in our industry is absolute, everything can be defeated. Was that an absolute statement? The way that I see it is that it is our job as security professionals to make sure that our customers are as secure as they can be within the limits and requirements of their business. It's all about helping our customers run faster than the other people being chased by the bear. The slowest people will get eaten, the fastest will survive. That said, if there's a sniper in the woods nobody can outrun the bullet and anyone with enough money can hire a sniper. Sure we can be snipers, but if that's not the realistic threat then we've implemented sufficient defenses. Does that make sense?

On Apr 4, 2009, at 7:27 PM, Bruno Cesar Moreira de Souza wrote:


Adriel,

I liked your post and would like to comment this part:

----------------------------------------------------------------
Continuing with the pdf customer... One of the
recommendations that we made to our customer was that they
install a proxy to control outbound http and https traffic.
We also recommended that they drop all outbound traffic that
is not necessary for day-to-day business operations. We made
that recommendation because of how easily we penetrated
their network with PDF and the reverse http connection.

The customer implemented our recommendations and when we
retested their network were unable to get anything to call
home.
-----------------------------------------------------------------

While I agree that a proxy will be a barrier against unauthorized reverse communication (e.g. reverse shells or reverse tunneling) and should be recommended, it is not so easy to stop a determined attacker or a sophisticated malware from "calling home". The following presentations and papers discuss bypassing HTTP proxies and firewalls to intrude into internal networks:

Placing Backdoors Through Firewalls (THC - Van Hauser) - http://freeworld.thc.org/papers/fw-backd.htm

Client Side Penetration Testing - (Core Security - Black Hat - Max Caceres) - http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Caceres-up.pdf

Post-Exploitation on Windows using ActiveX Controls - (skape - Uninformed)
(http://www.uninformed.org/?v=1&a=3)

Reverse DNS Tunnelling Staged Loading Shellcode - (Pure Hacking - Black Hat - Ty Miller)

There are several countermeasures discussed in the above links that should be implemented by organizations to decrease the risk of such attacks.

Regards,

Bruno Cesar M. de Souza



--- On Sat, 4/4/09, Adriel T. Desautels <ad_lists () netragard com> wrote:

From: Adriel T. Desautels <ad_lists () netragard com>
Subject: Conficker (and friends) v.s. Penetration Testing
To: "PenTest list" <pen-test () securityfocus com>
Date: Saturday, 4 April 2009, 2:20
Conficker (and friends) v.s. Penetration Testing

It's funny to me that people haven't commented on the
fact that the ability of a worm to spread is proof positive
of just how insecure today's networks are. (Yet, even
with this lack of security others are talking about this
kick-ass idea of "Cloud Computing"). The fact is
that if people managed their networks properly (which
includes testing properly with quality security service
providers) then worms would not be able to spread, or at
least not so quickly and on such a wide scale.

As an example, we recently performed a penetration test for
one of our customers. The time between project kickoff and
successful penetration was less than 15 minutes. That is to
say that we were able to hack into our customer's network
within 15 minutes of starting the project. The way we did it
was to create a .pdf based invoice and send it to the
customer from a trusted source. This particular invoice
wasn't really an invoice of course, it was a pdf
document designed to exploit a vulnerability in their Adobe
Acrobat Reader. In this case, when our victim opened the pdf
document their computer established a reverse http
connection back to us. We then tunneled back in over that
connection and had access to our customer's network. If
we were malicious it would have been game over.

So what does this have to do with worms? If you think about
it a worm uses the same methodology for penetrating into
networks as hackers do. Just like hackers, worms will
penetrate your network by embedding themselves in files
(like our PDF example above), or by exploiting
vulnerabilities in computer systems, or maybe via social
engineering. Either way, the technique is the same, and as
such the defense should be the same. Why isn't it?

Most people _try_ to protect their networks with anti-virus
scanners and other technology. They implement these scanners
on their desktops, servers, gateways, etc. They also use
Intrusion Detection/Prevention Systems, firewalls and other
similar solutions in an attempt to prevent infection or
penetration. They never stop to question the security of the
technology that they install. In 2006 Symantec's own
Antivirus technology was vulnerable to attack. Back then it
was possible to send someone a specially crafted email to
penetrate into their computer. The fact is that technology
is, and always will be, fallible unless it is proved to be
secure with mathematics.

I'm not saying that technology is useless because it
isn't. I am saying that technology should be augmented
with frequent security testing. Those tests should be
delivered by a quality security provider capable of creating
a threat that is at least as intense as what customers will
face in the real world. Once testing is done at that
"real" level the resulting deliverable will enable
people to build good defenses that are based on solid
recommendations.

Continuing with the pdf customer... One of the
recommendations that we made to our customer was that they
install a proxy to control outbound http and https traffic.
We also recommended that they drop all outbound traffic that
is not necessary for day-to-day business operations. We made
that recommendation because of how easily we penetrated
their network with PDF and the reverse http connection.

The customer implemented our recommendations and when we
retested their network were unable to get anything to call
home. As a result of our work, worms like Conficker cannot
function properly on our customer's network because they
cannot call home. Instead, if they do get in they sit on
the network isolated and useless until they are eliminated
by the anti-virus technology.

Feel free to comment on the blog, much appreciated.
http://snosoft.blogspot.com


        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com







        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com
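The recommendation both posts discuss (a proxy for outbound HTTP/HTTPS, everything else dropped) only helps if someone actually looks at what the firewall drops. The following is an added example, not code from either poster: a small audit over constructed netfilter-style log lines that flags any internal host opening outbound connections it is not an approved egress point for. The addresses, the log format and the policy (only the proxy may use 80/443 out, only the internal resolver may use 53 out) are assumptions made for the example; in Bruno's terms, direct DNS from a workstation, the path a DNS-tunnelling backdoor would take, shows up here as a violation just like a direct reverse HTTP connection does.

```python
"""
Egress-policy audit over constructed firewall flow logs.

Added example for the proxy / outbound-filtering recommendation in the thread;
not code from the original posts. The log format, host addresses and policy
below are assumptions made for the example.
"""
import re
from collections import Counter, defaultdict

# Assumed policy: only the web proxy may open outbound 80/443, only the
# internal resolver may open outbound 53. Every other outbound flow is a
# "call home" attempt that should have been blocked and investigated.
PROXY = "10.0.0.5"
RESOLVER = "10.0.0.53"
ALLOWED = {
    PROXY: {("TCP", 80), ("TCP", 443)},
    RESOLVER: {("UDP", 53), ("TCP", 53)},
}

# Constructed sample lines in a netfilter LOG-target style (not real traffic).
SAMPLE_LOG = """\
Apr  5 19:40:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP DPT=443
Apr  5 19:40:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 PROTO=TCP DPT=443
Apr  5 19:40:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.10 PROTO=TCP DPT=8080
Apr  5 19:40:03 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.53 DST=192.0.2.1 PROTO=UDP DPT=53
Apr  5 19:40:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=192.0.2.1 PROTO=UDP DPT=53
Apr  5 19:40:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.41 DST=192.0.2.1 PROTO=UDP DPT=53
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse(log_text):
    """Yield (src, dst, proto, dport) for every line that carries a flow record."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def is_allowed(src, proto, dport):
    """True only when this host is an approved egress point for that service."""
    return (proto, dport) in ALLOWED.get(src, set())


def audit(log_text):
    """Return {src: Counter of (dst, proto, dport)} for flows the policy forbids.

    Hosts that never violate the policy do not appear in the result.
    """
    violations = defaultdict(Counter)
    for src, dst, proto, dport in parse(log_text):
        if not is_allowed(src, proto, dport):
            violations[src][(dst, proto, dport)] += 1
    return dict(violations)


if __name__ == "__main__":
    for src, flows in audit(SAMPLE_LOG).items():
        print(f"{src} attempted direct egress:")
        for (dst, proto, dport), n in flows.most_common():
            print(f"  {n}x {proto}/{dport} -> {dst}")
```

Run as-is it reports 10.0.5.23 (direct HTTPS and an odd port 8080 to the same external address, the shape of a reverse HTTP connection bypassing the proxy) and 10.0.5.41 (repeated direct DNS to an external resolver), while the proxy's and resolver's own flows are silent. The policy is deliberately an allow-list keyed on source host rather than a block-list of ports, because a block-list is exactly what the bypass techniques Bruno cites are built to step around.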



