RE: Penetration test of 1 IP address

From: Levenglick, Jeff (JLevenglick@fhlbatl.com)
Date: Thu Feb 09 2006 - 12:39:35 EST




" On Wed, 2005-01-05 at 20:46 -0500, Edmond Chow wrote:
> Hello all,
>
> My name is Ed and I run a technology consulting company. I have begun
> offering computer security audits to my clients and, as I am not
experienced
> in hacking, have been subcontracting this work out.
>
> The written reports that I have received back from the hackers leave
much to
> be desired! Not knowing too much about intrusion detection but
realizing
> that when almost nothing is found wrong (from a security viewpoint)
with a
> client's network, I am in big trouble! Either the hacker does not
have the
> experience to find any problems or there really are not any problems.
>
> On my first few audit assignments, I was barely able to break even as
I had
> to hire two independent hackers for each i.e., a second hacker had to
be
> hired to give me an independent assessment of the network. I then cut
and
> pasted the two reports into a final "acceptable" one.
>
> I am at a crossroads where I can either give up on the security audits
or
> learn to do them myself. I have chosen the latter and was hoping to
get
> some help from experts like you. I realize that I will have a steep
hill to
> climb but I feel confident that I can learn enough to be much more
> proficient that the hackers that I am currently paying."


1) Since your post to lists.virus.org, have you taken any classes?
2) Everybody hates to pay someone money to do the work, but you can't
take years of experience and think you can do it yourself overnight.

I do not think you understand all of the 'parts' of this project. First
you stated that you wanted to pen test one IP. Now you're saying that
they want to make sure the application is secure.
Ok.. (simple list)
Is the OS patched and secure? (tons of tools to use)
Is IIS patched and secure? (again, tons of tools)
Is the network secure? (sniffing tools)
Is the firewall secure? (ditto)
A quick google on the app shows that it is integrated with AD/NT
security. Is that set up correctly? (ie: are passwords long and
random..etc)
Are there known bugs in the app?
It uses a database. MS SQL? Is that secure...etc.. Oracle.. Is that
secure?...etc.... SQL injection....

You get the point? In a very nice way, I think you need to step back and
look at the whole picture. Getting bits of information from list groups
is not going to solve your problem. If you need to make sure the app is
secure, then you will need tools that can test the app, the box, the OS,
the network, the firewall, the database.


-----Original Message-----
From: Edmond Chow [mailto:echow@videotron.ca]
Sent: Thursday, February 09, 2006 08:09 AM
To: 'Daniel Grzelak'; pen-test@securityfocus.com
Cc: 'Michael Gargiullo'
Subject: RE: Penetration test of 1 IP address


Hello Daniel,

Thanks to you and all the other helpful (yes, there were a few less than
helpful!) posters.

You are right in that this is a "capture the flag" project. It's a law
firm that wants to make sure that the WebBlaze application is secure
before putting it into production.

The login screen is a typical windows logon screen with user name and
password prompt. It does not look like the login screen found on the
webblaze web site.

Thanks again!

Regards,


Edmond


-----Original Message-----
From: Daniel Grzelak [mailto:daniel.grzelak@sift.com.au]
Sent: Wednesday, February 08, 2006 10:54 PM
To: pen-test@securityfocus.com
Cc: 'Edmond Chow'; 'Michael Gargiullo'
Subject: RE: Penetration test of 1 IP address

Hi Edmond,

I'm sure there will be a vast number of responses to your question with
regards to carrying out the actual testing phase of the engagement, so I
will concentrate on something else. I am making a very big assumption
based on your wording, but I believe the major issue you have with this
engagement centres around scoping. I apologise if I unnecessarily
trivialise your original post.

"I have been asked to perform a security audit of 1 IP address for
client."

This statement sounds like a misunderstanding waiting to happen. In
general a security audit is considered a review of a system with all
relevant information provided. For instance, system configuration, file
system access control list, user lists etc. It will also tend to relate
to a system rather than an IP.

From what I gather, you are being asked to conduct a blind penetration
test of a single IP. As such you are being provided very little
information and probably being asked to "capture the flag". This can be
a very delicate point. Make sure you know the limitations of the testing
you have been asked to perform. Is it just a vulnerability assessment,
or are you tasked with taking full control of the system. There are of
course legal issues which have been addressed previously on this list
and various sources on the web.

Since you have been provided a clue of webblaze, that may indicate that
only that particular application is to be tested. If so, it is important
to agree on what constitutes such testing. Is this really a system
penetration test or an application penetration test? The two can differ
greatly in the amount of assurance you can provide the client on a
particular component.

Finally, blind testing is not always the most effective way to go. Given
a narrow scope and access to only a login page, the client may not gain
much from your testing. Perhaps you should agree that upon completion of
the blind testing, the client will provide a number of logins of varying
access levels to allow you to perform a more in-depth analysis.

I know this doesn't directly address your question, but hopefully it
will help in the preparations you need to make prior to executing an
engagement.

Daniel.


-----Original Message-----
From: Edmond Chow [mailto:echow@videotron.ca]
Sent: Wednesday, 8 February 2006 5:45 PM
To: 'Michael Gargiullo'; pen-test@securityfocus.com
Cc: 'Edmond Chow'
Subject: RE: Penetration test of 1 IP address




To all:

I have been asked to perform a security audit of 1 IP address for a
client.
They have given me the 1 IP address and a clue (webblaze).

If I enter the IP address and then /webblaze, I am taken to a login page
(user name and password requested).

What tools would you recommend that I use for this assignment?

Thanks for your help.

Regards,


Edmond


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:29 EDT