Penetration Testing mailing list archives

Re: Internal Servers (noob post)


From: Muhammad Farooq-i-Azam <lists () chase org pk>
Date: Wed, 3 Jun 2009 17:41:31 +0500

On Tue, Jun 02, 2009 at 05:56:45AM -0700, pma111 wrote:
# 
# I wonder if you could give me some pointers on ways you pen testers would try
# to penetrate / or gain access to an organisation's internal server "farm". I
# have read numerous hardening guides for both UNIX and Windows Servers, which
# we use for our host based Systems, but our IT dept insist perimeter defences
# (firewall etc) are sufficient to protect the internal servers so there is no
# need to invest heavily or put resources into hardening internal servers. Is
# this statement valid or would hardening internal servers also give pen
# testers a hard time gaining access to data, backups or host based apps
# residing on internal servers?

When talking of security of a network or servers, the job entails not
only securing your perimeter but also each and every individual machine
and device within that network. 

Perimeter defence is only one layer of defence. Once this is compromised
you are open to a number of attacks.


# 
# What I am really after (I am no pen tester but am intrigued by what
# techniques you guys use) is to get into the mindset of the ways you guys
# would try and gain access to our internal servers and data? If I make some
# assumptions, could someone with experience (be it white hat, black hat, grey
# hat) give me some pointers as to whether my assumptions are correct?

The attack mechanism will depend upon how you have configured your network,
deployed your machines, what operating systems you are using, what sort
of security policy you have used, etc. And these are only a few of the
attack vectors.


# 
# To attack (bring down, steal confidential data etc) one of our internal
# servers would you always try to penetrate the firewall or find some
# vulnerability in the firewall in order to get remote access into our
# internal servers?

Not necessarily. It is only one route and a difficult one for many
attackers. An attacker, for example, may gain control of a simple
desktop machine within your network with a phishing lure to your
not-much-IT-savvy folks. From this machine, he or she can launch attacks
to your other machines and servers.


# 
# Once through the firewall what methods would you guys use to gain access to
# the server? Would you try default accounts that you know exist (I noticed
# the vast majority of hardening guides always say disable or remove
# unnecessary default UNIX / Windows accounts etc)?

Once an attacker owns a machine within your network, he can download an
array of tools and exploits to attack your servers from that owned 
machine. This includes sniffing passwords, remote exploits, etc.

# 
# Is hardening an internal server much protection if somebody has broken
# through the Firewall or is easy practice to still get data off internal
# servers?

If hardening internal servers means only disabling services which are
not needed, then this might not be enough. You should look for patching
the machine for your operating system and the particular server 
application you are using. A local firewall, HIDS, antivirus are also
needed for hardening to work.

# 
# Any pointers most welcome.

Having said all this, the final solution depends upon how costly your
data is and how far an attacker would go to get to your machine. 

And finally, a popular saying which goes in security circles is that
no computer (electronic device in general?) is completely secure
until its power cords are pulled off and the machine is turned off.


# 
# Regards,
# 
# 

-- 
Muhammad Farooq-i-Azam

lists () chase org pk
http://www.chase.org.pk/

                                  ////
                                 (o o)
-----------------------------oOO--(_)--OOo----------------------------
Quality Control, n.:
        The process of testing one out of every 1,000 units coming off
a production line to make sure that at least one out of 100 works.
----------------------------------------------------------------------
