
Internal vs external


Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Feb 12, 2008 8:31 pm

Internal vs external

It's interesting to me when I meet a "white hacker" that presents himself as the last word in hacking and then when you see his resume you discover something. You discover that the majority of the work he has done is internal auditing of universities and other educational facilities. Now I know both internal and external auditing has its place and value, but there is a difference.

It's well known in hacking circles that edus are the easiest targets even from the outside. Strangely enough, I was aware of one "ethical hacker" teaching pentesting, that recommended to pentesters to practice hacking into educational facilities as a way to practice and get your "chops".

Now I should say this situation is rapidly changing and security has gotten much better. I don't recommend this as a way to get your chops at this time unless you are willing to risk jail time for your art, and remember in jail you can't practice any hacking! You must remember things are getting so automated now that even the most overworked admin can set things in place that will catch a newbie.

For me internal audits are usually so much easier. Not always, but often. It depends on the situation and what's allowed. Sometimes it's so easy I don't even feel like a hacker if permissions exist. I remember one time I was asked to audit the security of a huge Catholic school internally. I was allowed to present myself as the computer repair man so no one seemed to mind me walking around. I think it took about all of 15 minutes. I went to a station that was available. I reset the BIOS password. I then changed the settings so I could boot to my live Linux CD. I recorded the boot key and I grabbed the SAM file and saved it to my USB thumb. I walked away and sat back down in a corner and ran my cracker and had the admin pass in just a minute or so with a dictionary crack. It was COUGAR. Jeeze, I didn't even need to do all that because having spoken a bit with the admin I already knew she was a cat lover. I am sure after LION, KITTY, PANTHER, etc. I would have hit it. I still like password guessing more than cracking, but it was so easy in this situation to grab the SAM. I remember one time in an internal audit after I got admin access, I installed radmin on a box and was able to log everything that occurred later. Simple little innocent radmin, something they should have noticed in the task bar. Their anti-virus didn't see it as a threat since it was a commercial product. I haven't even mentioned hardware keyloggers, lol. Hardware keyloggers are perhaps the most devastating attack we can do if we have physical access. If I can have physical access and little limitations, it's almost scary what you can do. If I get bored, I almost want to see how sloppy I can be and get away with it. It doesn't matter if the server is fully patched and has the latest greatest firewall. It doesn't matter if all the clients are firewalled and patched. Policies and how employees implement them is the key, and then how a breach is dealt with when discovered.
Strong passwords would have blocked my simple "attacks" every time, but it seems rare I encounter one. People like easy to remember things and are usually not educated in making a password passphrase.

On the other hand, a black box test from the outside can really test your mettle. You can spend days trying to research and find the target. Probe and probe. Finally you are discovering it only to find it completely locked down. UGH! So now you try and go around the other way. Perhaps a client side attack or some social engineering or both. Actually client side attacks rarely work without a little social engineering so we could classify it in that category if we chose to. Ok, your browser exploit didn't work so what's next? Can you code a Trojan that can't be detected? Can you fool whoever into trusting you into downloading it? For what I call a "full on full on" these skills are paramount.
Last edited by Kev on Tue Feb 12, 2008 8:46 pm, edited 1 time in total.

KrisTeason


Hero Member

Posts: 531

Joined: Sat Sep 08, 2007 7:48 pm

Post Wed Feb 13, 2008 1:00 am

Re: Internal vs external

Good Read Kev. Even Though I'm Not A Professional Pen Tester, I've Done Some Read Up On Internal/External White/Black Box Testing & Totally Agree On Your View Point. It's Just Good To Read Over Reviews Of People Who Actually Do This Stuff For A Living. Thanks For The Info.

LSOChris

Post Wed Feb 13, 2008 9:34 am

Re: Internal vs external

external is just plain hard unless the admin is an idiot, and even then there are so many devices that it makes it easy for them to be an idiot and still not get owned. you're really going to be looking for misconfigurations or web app issues.

inside you are looking for that one box or boxes that didn't get a patch, a default user/pass on 3rd party or a weak password. even then all that is hard, WSUS handles most windows patches, hopefully you can get lucky with a 3rd party thing, the default password policy on 2k3 is decent enough you're gonna have to get really really lucky or have a really good password list with all the letter replacements e=3, 1=!, l=1 type stuff. it's tough, the days of launching dcom and getting 200 system shells are over.

SE and phishing are going to be where it's at to get a foothold if you can get it put into the scope of the assessment, or physical access where you can just load a backdoor offline and wait for people to log in.
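Both Kev's cat-themed admin password and the letter-replacement wordlists LSOChris mentions fail the same defensive check: a password-policy filter that normalises "leet" spellings and strips trailing digits before comparing against a dictionary. This is an added example for the thread, not code from any poster; the wordlist, the substitution table and the 12-character minimum are constructed assumptions, and a real deployment would load a full dictionary file.

```python
"""Password-policy check for the weak patterns discussed in this thread:
plain dictionary words (COUGAR, KITTY) and leet spellings (e=3, l=1, 1=!).
Added example, not from the original posts. Sample data is constructed."""
import itertools

# Constructed sample wordlist (lower-case). Use a full dictionary in practice.
SAMPLE_WORDLIST = {"cougar", "lion", "kitty", "panther", "password", "welcome"}

# Reverse of the substitutions named in the thread (e=3, l=1, 1=!) plus the
# common o/0, a/@, s/$ cases. A symbol maps to every letter it may stand for.
UNLEET = {"3": "e", "1": "il", "!": "il", "0": "o", "@": "a", "$": "s", "5": "s"}

# Characters users typically bolt onto the ends of a word to satisfy policy.
AFFIX_CHARS = "0123456789!@#$%^&*()-_=+.,"


def strip_affixes(password: str) -> str:
    """Drop leading/trailing digits and symbols so 'Cougar2008!!' -> 'Cougar'."""
    return password.strip(AFFIX_CHARS)


def unleet_candidates(core: str, limit: int = 256):
    """Yield every plain-letter spelling the core could be a leet form of.

    The limit bounds the combinatorial expansion on long symbol-heavy input."""
    choices = [UNLEET.get(ch, ch) for ch in core.lower()]
    for n, combo in enumerate(itertools.product(*choices)):
        if n >= limit:
            return
        yield "".join(combo)


def weakness(password: str, wordlist=SAMPLE_WORDLIST, min_len: int = 12):
    """Return a reason string if the password is weak, otherwise None."""
    if len(password) < min_len:
        return "too short"
    core = strip_affixes(password)
    for candidate in unleet_candidates(core):
        if candidate in wordlist:
            return f"dictionary word '{candidate}' (possibly leet-spelled)"
    return None


if __name__ == "__main__":
    for pw in ("COUGAR", "C0ug@r2008!!", "K1tty!!!!!!!", "RedCatsSleepOnTheSofa"):
        print(f"{pw!r}: {weakness(pw) or 'ok'}")
```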

pseud0


Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Wed Feb 13, 2008 9:54 am

Re: Internal vs external

Just to play a bit of devil's advocate, internal audits and pen testing are going to have a lot of attention in the near future. Organizations are starting to figure out that ignoring the internal aspect of security is going to cost them some money. It got pushed into the forefront by the French trader that cost his bank $7 Billion and almost took out the global stock markets. He wouldn't have been able to do 90% of his activities if he hadn't bypassed very weak controls and popped a few systems and email accounts. After that news hit the wires our firm got a lot of "feelers" from clients looking into someone coming in and doing a "checkup" on their internal systems.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

jimbob

Post Thu Feb 14, 2008 6:05 am

Re: Internal vs external

One big problem with internal audits is that insiders are often used to conduct them. When someone has an interest in the results, the results can get skewed. For example, if an operator has a backdoor which they use, there's a disincentive for that person to flag this in an audit.

In short the auditor should not be a stakeholder in the system(s) being audited.

Jimbob

pseud0


Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Thu Feb 14, 2008 9:59 am

Re: Internal vs external

Good point to bring up. Most of the auditing firms have to operate under VERY strict rules of independence, so if the audit is done by any of the major firms they are probably going to have to do some major background work to make sure they are not in violation of any laws. This is especially true if your audit is "material" to any of their financial systems. Basically, if I am going to touch a system that has any impact on their publicly reported financial statements I first have to formally show that I am fully independent and have no vested interest in the results. However, if this is an audit done by the company for the sole use of the company then you will often see these types of issues pop up.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
