Re: Testing large networks

From: Dhruv Soi (dhruv_ymca@yahoo.com)
Date: Tue Mar 08 2005 - 15:57:09 EST


In-Reply-To: <c7821a3105030508054af0836f@mail.gmail.com>

Greetz Dan,
To handle such a situation you need to work out two kinds of reports.
The first one would focus on management's requirements. As you mentioned, they
are not much aware of the pen-testing process, so you need to provide them
a layman's report, reviewing which they can get a fair idea about the
weakest parts of their IT infrastructure. It could be at most a 5-page report. Rather than showing in-depth techniques, you need to show weak policies in this report.

As the IT department would be involved in tightening the security, you
should provide a second report to them with ample information about
their network/systems, and this report can run to any number of pages. I am sure you will find a few hundred weaknesses in the network, in terms
of vulnerabilities/information disclosure/password weakness/default
running services/OS response of the TCP/IP stack to DoS attacks, and many
more. So in such a situation, if the report comes to a few hundred pages it should not disappoint anyone, as long as the report contains healthy information about the network/systems.

But first you need to create a report for the IT department including every
part. Then make the report optimistic for presenting in front of
management by stripping out technical details and simply putting in the bad policies and the resources that are required to maintain security. I think
management is investing to get a pen-test report because they would like to know in which area/device they can invest to feel more secure.

Thanks
Dhruv

>Message-ID: <c7821a3105030508054af0836f@mail.gmail.com>
>Date: Sat, 5 Mar 2005 16:05:23 +0000
>From: Dan Rogers <pentestguy@gmail.com>
>Reply-To: Dan Rogers <pentestguy@gmail.com>
>To: pen-test@securityfocus.com
>Subject: Testing large networks
>
>Hi list,
>
>In the last few months I have been asked to assess a number of fairly
>large networks, which have been addressed very inefficiently. So,
>usually this consists of one or two main networks with about 1000
>devices, and ten or so remote sites connected by WAN links or VPNs.
>It's not uncommon for the HQ to have a class B (or worse) as their
>internal subnet, even though there are nowhere near that many hosts.
>
>The problem I have is that a lot of the owners of these networks don't
>really know what they want in terms of testing, and ask very generic
>questions - things like "we want to know where we are weakest" or even
>"we want to know what's on our network".
>
>A lot of the motivation for this testing is usually passed down from
>senior management who just want to feel they are secure, so they tell their
>IT managers to get a pen test without knowing what it means. This
>means IT managers often can't tell me what they actually want to be
>tested. I'm effectively given a blank sheet, and free rein to
>approach the testing from any angle I choose.
>
>It is also not uncommon for there to be little or no useful
>documentation - so I rarely have a complete set of network diagrams
>from which to work.
>
>These engagements mostly range from seven to twenty working days.
>
>Usually the approach goes something like this.
>
>1. Ask IT manager to identify critical network infrastructure
>(servers, routers, wireless access points, Domain Controllers) - choose
>a representative sample for review
>2. Attempt to establish general network architecture using a
>network-mapping tool
>3. Perform internal scanning of network using NMAP/Nessus or GFI LANguard
>4. Look for really obvious problems. E.g. public/private SNMP or
>default passwords, missing patches, well known open trojan ports
>
>Create report giving fairly high-level areas of concern, and
>remediation (e.g. patch management solution/strategy, segregate
>servers from workstations with firewalls, update default passwords/use
>strong password strategy)
>
>When I conduct the tests, time is usually very tight, and therefore
>scanning of internal networks is quite costly time wise (especially if
>there is a class A/B to scan). Following a methodology which
>recommends scanning in several different ways and checking TCP
>responses just isn't practical. Using something like nessus can yield
>hundreds and hundreds of pages of results, and wading through them
>looking for false-positives is also not practical.
>
>So how do you lot approach testing a large network? Also, how do you
>decide what to report to the client on?
>
>Cheers
>
>Dan
>

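The two-tier reporting Dhruv describes, applied to the kind of scanner output Dan is wading through, as an added example that is not part of the original thread. It assumes findings have already been reduced to (host, port, title, policy category, severity) tuples, for instance by parsing a scanner's own export; the Finding type, the category names and the sample data below are constructed for illustration.

```python
"""Two-tier triage of scan findings: a short management view and a full IT view.
Added example, not from the original thread. Input shape and sample data are constructed;
a real run would parse a scanner export (e.g. nmap or Nessus XML) into the same tuples."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    category: str  # weak-policy bucket the management report speaks in (constructed names)
    severity: int  # 1 (informational) .. 4 (critical)

# Constructed sample: typical results from a sparse class B after false-positive review.
SAMPLE = [
    Finding("10.1.1.10", 161, "SNMP community 'public' readable", "Default credentials", 3),
    Finding("10.1.1.11", 161, "SNMP community 'public' readable", "Default credentials", 3),
    Finding("10.1.1.11", 161, "SNMP community 'public' readable", "Default credentials", 3),  # repeat
    Finding("10.1.2.5", 445, "Missing critical OS patch (placeholder)", "Patch management", 4),
    Finding("10.1.2.6", 445, "Missing critical OS patch (placeholder)", "Patch management", 4),
    Finding("10.1.2.6", 139, "NetBIOS name disclosure", "Information disclosure", 1),
    Finding("10.1.3.1", 23, "Telnet default password on router", "Default credentials", 4),
]

def dedupe(findings):
    """Drop exact repeats (same host/port/title seen by several plugins or scan passes),
    worst severity first so both reports lead with what matters."""
    return sorted(set(findings), key=lambda f: (-f.severity, f.host, f.port))

def management_summary(findings):
    """Management view: one row per weak policy, no host detail.
    Returns [(category, affected_host_count, worst_severity)], worst and widest first."""
    by_cat = defaultdict(lambda: [set(), 0])
    for f in dedupe(findings):
        by_cat[f.category][0].add(f.host)
        by_cat[f.category][1] = max(by_cat[f.category][1], f.severity)
    rows = [(cat, len(hosts), worst) for cat, (hosts, worst) in by_cat.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

def it_report(findings):
    """IT view: every deduplicated finding grouped per host, as (port, severity, title)."""
    per_host = defaultdict(list)
    for f in dedupe(findings):
        per_host[f.host].append((f.port, f.severity, f.title))
    return dict(per_host)

if __name__ == "__main__":
    for cat, n, sev in management_summary(SAMPLE):
        print(f"[sev {sev}] {cat}: {n} host(s) affected")
    for host, items in sorted(it_report(SAMPLE).items()):
        print(host, *items, sep="\n  ")
```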


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:17 EDT