From: Anders Thulin (anders.thulin@sentor.se)
Date: Sun Jul 29 2007 - 03:29:47 EDT
Chroot wrote:
> I've been conducting pen tests since 4 yrs now... the methodology I
> follow is that we exploit or attempt to exploit ONLY those
> vulnerabilities that a vulnerability scanner identifies.
It's a sound methodology in so far as you have a very clear reason for
not doing certain tests, and you also have a clear reason for stopping
the test.
You need to know and trust your vulnerability scanner to do what you
want, though. That needs lots of preparation. And you need to know
the vulnerabilities themselves, of course.
> What if the
> appropriate check or signature in the vulnerability scanner was not up
> to date or had some coding issue or was not comprehensiveness enough
> (or anything else) to identify a real existing vulnerability on a
> system. This can result in serious false negatives.
But a pen test is not about finding negatives: it's about finding
positives. It's a catch-the-flag exercise: if you catch the flag there
should be no if or buts about it: you should be able to show the flag.
False negatives are less important: if a pen test does not show
any vulnerable spots, it does not mean the system is secure, and should
not be assumed to mean that. It may show up lack of knowledge in the
tester, though --- and that can be important to the tester, but rarely
to the customer.
That said, there is a great deal of vagueness and ambiguity in
current terminlogy, and the term 'pen test' is sometimes use to mean
anything from a vulnerability scan (but no followup penetration attempts)
to an exercise involving not only computer penetration, but also physical
penetration as well as social engineering, and also involve to little
time to do a proper job to more time than is economically sound.
You need to know what you mean, and you need to ensure that your customers
know what you mean.
> Would downloading,
> installing and cross testing all available exploits for an identified
> service be a good idea to minimize such a case? How many people have
> faced such an issue or a similar issue? For me I faced this issue with
> some bug in Nessus recently.
Yes, ... well, ... but not at show time. You should know the exploits
before you test the system.
(Well, ... everyone takes chances now and then. They just don't rely on
it for doing a decent job.)
> This is something like my NMAP says there is IIS6.0 running on port
> 443 of a target server. I do a Nessus scan on it and it doesn't report
> anything. I then download all available exploits for IIS6.0 (or for
> all version of IIS? would this make sense) from securityfocus.com or
> securiteam.com or similar source and run it manually on the target
> system.
Ah ... no. Personally, never.
Question no 1: Is NMAP's report related to a vulnerability?
Is Nessus's? (I assume you have configured Nessus correctly, and
don't run the Nessus server in a way or on a platform that is liable
to cause loss of traffic.)
My own preference is that early scans are only for vulnerabilities I
know are reliable and successfu., Low-hanging fruit first. If that fails,
and there is time left, scan for vulnerabilities you don't have an
exploit for, take a break, go and research these vulnerabilities and
exploits, and come back if and when you have found something new to try.
(This is why computer penetration testing ultimately is a dead end.
Security can't rely on penetration testing for anything but reports
of bad security.)
Question no 2: What IIS6.0 exploits do you have in your toolkit?
Question no 3: What related exploits (PHP, SQL, Webapps, etc.) do you have
in that toolbox that are relevant to this particular server set-up?
If your toolbox is empty, work on filling it with exploits that you
know how to use, and trust not to damage the target system more than
you have to. There are exploits that are incredibly fragile, and essentially
only give you one chance, after which the system crashes.
Yes, that means you have to have an IIS6.0 system of your own somewhere
to experiment on.
-- Anders Thulin anders.thulin@sentor.se 070-757 36 10 ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:59 EDT