[sclug] This is for Tim or anyone really re:Firewall IPCop

Alex Butcher sclug sclug at cocoa.demon.co.uk
Sat Oct 25 09:05:28 UTC 2003


On Sat, 28 Sep 2002, John Dickson wrote:

> Alex Butcher wrote
> 
> [snip]
> >Apologies for being a pedant, but if anyone's *buying* a penetration test and
> >all they're getting for their money is a simple port scan, they're being
> >misled and/or ripped off.
> 
>  Would be grateful for advice on what else should be done.

Well, for a vulnerability assessment, I start by probing DNS servers to see
whether zone transfers are still enabled, whether BIND version information
is available and whether there are "interesting" hostnames present in the
database. I also use various tools (nessus and whisker always) and check the
results they give manually. The manual check is generally what takes the
time as all the automated tools give false positives. Sometimes, I'll find
something less run-of-the-mill than an IIS webserver (e.g. a Citrix, LDAP,
or MS-SQL server) and use tools and techniques appropriate to that system
(The "Hacking Exposed" books, together with google and securityfocus.com are
pretty good at covering the oddball situations).

For a penetration test, as above, but with client-authorised options
including social engineering (boiler suit, temp worker, "two cups of coffee
and a swing door" etc.), dumpster diving, and actually _exploiting_ the
holes found by the vulnerability assessment part of the exercise in order to
"capture the flag" (achieve some goal such as placing a file on a server, or
inserting or retrieving a record in a database table or whatever).

In the course of providing these services, I find that it's usually
necessary to be able to read and understand the code for Nessus and its
plugins, as well as being able to create shell/perl scripts and new Nessus
plugins. I anticipate the need to create my own exploits in the course of
a longer penetration testing engagement.

Finally, and perhaps most importantly, I document the discoveries I make,
explaining the background of each vulnerability, the risks of leaving it
unfixed and possible remedial approaches.

<plug mode="OFF"> ;-)

For more details, check out <http://www.ideahamster.org/projects.htm>.

IME, most organisations only find a business need for vulnerability
assessments; they provide a "breadth first" view of the most obvious ways
into an enterprise network. Penetration testing is also useful, but as a
"depth first" view, perhaps to make a political point within the
organisation.

Best Regards,
Alex.
-- 
Alex Butcher         Brainbench MVP for Internet Security: www.brainbench.com
Berkshire, UK                       Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                            <http://www.assursys.com/>
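Added example, not from Alex's message nor from any tool he names: a Python 3 standard-library script a DNS administrator can point at their own authoritative server to check the first two things he probes, whether AXFR zone transfers are permitted and whether version.bind is disclosed. The server and zone names are whatever the reader supplies; the two sample responses at the end are constructed so the classification can be checked offline.

```python
import socket
import struct

# DNS response codes (RFC 1035 header RCODE field).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted name as DNS labels: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_query(name, qtype, qclass=1, txid=0x1234):
    """12-byte header (flags 0: RD off, we talk to the authoritative server directly) + one question."""
    return struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, qclass)

def axfr_query(zone):
    return build_query(zone, 252)                     # QTYPE 252 = AXFR (full zone transfer)

def version_bind_query():
    return build_query("version.bind", 16, qclass=3)  # TXT (16) in the CHAOS class (3)

def classify_response(msg):
    """Return (rcode name, answer count) read from a response header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return RCODES.get(flags & 0xF, str(flags & 0xF)), an

def zone_transfer_allowed(msg):
    """A properly restricted server answers AXFR with REFUSED; NOERROR plus records means the zone leaked."""
    rcode, answers = classify_response(msg)
    return rcode == "NOERROR" and answers > 0

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        data += chunk
    return data

def tcp_exchange(server, query, port=53, timeout=5):
    """Send one query over TCP (AXFR is TCP-only) and return the first response message."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        return _recv_exact(s, struct.unpack(">H", _recv_exact(s, 2))[0])

# Constructed sample responses (no network): a correctly REFUSED AXFR (flags QR|AA, RCODE=5),
# and a NOERROR response carrying three records, i.e. the zone is transferable.
REFUSED_SAMPLE = struct.pack(">HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0)
OPEN_SAMPLE = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)
```

Run `zone_transfer_allowed(tcp_exchange(ns, axfr_query(zone)))` and `classify_response(tcp_exchange(ns, version_bind_query()))` against your own server; in BIND the `allow-transfer` and `version` statements in named.conf options control both answers.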