Re: Pen Test mistake

From: Anders Thulin (Anders.Thulin@kiconsulting.se)
Date: Fri Aug 22 2003 - 02:35:25 EDT


Jeff Johnson wrote:

> Anyone else have any better advice?

   So far I think you are right. But what then? How can you
(or any other pen-tester in this situation) avoid getting
into this kind of mess again?

   Having a large toolkit usually means having to enter the
same data over and over -- it's not a question *if* an error
will be made, but *when*.

   And having a small toolkit (say, just Nessus or Retina or
whatever) means the target will get pretty badly hit before
anyone on the pen-testing side really notices ... I'm not
sure I'd like to imagine what could happen with fairly
autonomous tools (CORE Impact, perhaps -- haven't tried it,
so I may be mistaken about this).

   Doing a nmap -sL scan (i.e. reverse DNS only) early may help.
"What is apex.com doing on an acme.com network? Better check
this before we continue..."

   I've sometimes thought that sitting behind (or rather in
front of) a back-to-front firewall (that is, one that you set
up to prevent you from going anywhere but to the target network)
would help. It would stop single mistakes (configuring the firewall
the right way, but targeting the wrong network, and vice versa),
though it won't help prevent double mistakes, or situations
where the customer has mistyped or made a bad guess about where
his subnets *really* end. (The idea is, of course, to avoid hitting
the wrong target, not just to avoid the responsibility for doing so.)

   A similar situation can occur with RFC1918 nets. On the remote
system you've just taken you see a number of sessions from, say,
172.16.3.1-5, and you start scanning those hosts from your home
base without quite registering that they are private. And find
that you're scanning entirely different systems, and systems you're
not supposed to touch. May happen in large organizations that make
systematic use of 1918-nets...

   Pen-test your own pen-testing: how can your working process
get disrupted (accidentally or deliberately), and what can you
do to lessen the risks? As has been mentioned, insurance
is sometimes a possibility.

-- 
Anders Thulin   anders.thulin@kiconsulting.se   040-661 50 63
Ki Consulting AB, Box 85, SE-201 20 Malmö, Sweden
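One way to mechanise the three safeguards in the post above (checking the target list against the agreed scope, setting aside RFC1918 addresses before scanning them from home base, and generating the "back-to-front" outbound-only firewall). This is an added example, not code from the original message; the scope ranges and target list are constructed documentation addresses and the helper names are hypothetical.

```python
"""Scope guard for a scanning toolkit (hypothetical helper, not from the post)."""
import ipaddress

# Constructed sample engagement scope (documentation ranges, not a real customer).
AUTHORISED = ["198.51.100.0/24", "203.0.113.0/25"]

# The RFC1918 blocks whose meaning depends on where you are standing.
RFC1918 = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_targets(targets, authorised=AUTHORISED):
    """Sort planned targets into (in_scope, out_of_scope, private).

    Targets may be single addresses or CIDR blocks. A block counts as in
    scope only if it lies entirely inside one authorised range, so a typo
    that widens a /26 into a /16 fails closed. Anything touching RFC1918
    space is set aside: an address seen on a compromised host is routed
    relative to *that* host, not to your home base."""
    scope = [ipaddress.ip_network(c, strict=False) for c in authorised]
    in_scope, out_of_scope, private = [], [], []
    for t in targets:
        net = ipaddress.ip_network(t, strict=False)
        if net.version == 4 and any(net.overlaps(r) for r in RFC1918):
            private.append(t)
        elif any(s.version == net.version and net.subnet_of(s) for s in scope):
            in_scope.append(t)
        else:
            out_of_scope.append(t)
    return in_scope, out_of_scope, private


def egress_rules(authorised=AUTHORISED, iface="eth0"):
    """Build the "back-to-front firewall": an outbound-only filter that
    drops everything leaving the tester's box unless it is addressed to
    an authorised range. Returned as iptables command strings for review;
    nothing is executed here. It stops a single mistake (right rules,
    wrong target list); it cannot catch a scope that was wrong to begin with."""
    rules = ["iptables -P OUTPUT DROP",
             "iptables -A OUTPUT -o lo -j ACCEPT"]
    for c in authorised:
        rules.append(f"iptables -A OUTPUT -o {iface} -d {c} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed target list, including one RFC1918 host seen in a session table.
    targets = ["198.51.100.17", "198.51.100.0/26", "203.0.113.200", "172.16.3.1"]
    ok, bad, priv = check_targets(targets)
    print("in scope:", ok, "\nOUT OF SCOPE:", bad, "\nprivate (check first):", priv)
    print("\n".join(egress_rules()))
```

Run the check before every scan batch and apply the emitted rules on the scanning host only after reviewing them; the scope file itself still has to be confirmed with the customer.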


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:38 EDT