
Question on real world pen testing

blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Mon Sep 26, 2011 7:49 pm

Question on real world pen testing

Hey All,

Thought I'd post this question here as I try to understand pen testing from the field perspective. Please forgive any typos, I am using an iPhone.

1. If a client engages you for a pen test but their defenses are strong enough and you fail to compromise the network or a system, how is this situation reported? Is this scenario common?

2. My understanding is large companies are spending huge amounts of money on securing their networks - so I am not sure if the conventional pen test tools and techniques taught in books and class would still work in today's world.

Sorry if the question doesn't clarify the point. I will try to repost later. Thanks in advance.
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Mon Sep 26, 2011 7:58 pm

Re: Question on real world pen testing

Perimeters are indeed tighter than they were in the past. However, if SE is part of your scope you're likely to get in.
mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Tue Sep 27, 2011 10:04 am

Re: Question on real world pen testing

Of course this happens sometimes. That's why it is so important to have a sound documenting process while performing the tests, so you can show your client all the attack vectors you tried.
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Sep 27, 2011 10:59 am

Re: Question on real world pen testing

Last place I worked we had one done and our perimeter was really tight. The only thing open was a Citrix portal. But like most environments, it was a hard candy shell on the outside, but soft squishy filling on the inside. The test, unfortunately, did not include SE since the ISO and CIO did not want to put employees through such attempts (way to check to see if your Sec Awareness training is working :p ). In any case, there are always ways in, but sometimes you need to get in to expose them. Many of the current breaches have occurred due to a phishing email getting through the perimeter and some poorly trained individual clicking the link or opening the attachment. Many large orgs are most likely not fully patched when it comes to Adobe Reader, so that vector typically works well.
Certs: GCWN
(@)Dewser
blueaxis

Newbie

Posts: 44

Joined: Fri Sep 09, 2011 9:20 am

Post Tue Sep 27, 2011 5:29 pm

Re: Question on real world pen testing

Very interesting perspectives. Thanks for sharing them. When you say orgs are weak from the inside, do you mean the network layer or the application layer?
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Sep 27, 2011 6:59 pm

Re: Question on real world pen testing

Based on systems I've seen, a little of both. I have yet to see a full implementation of app whitelisting, and I've been in some places that use a completely flat network topology even though they have the ability to properly segment. The reasons I have seen for both of these have typically been impatience and lack of training.

So ok, we have this nifty layer 3 core switch with all these lesser switches. Cool, let's set up VLANs so we can better secure our servers... 6 months later the ACLs have been all but removed because there are too many problems with traffic being blocked, and rather than figure out how to resolve it, someone in upper management makes them turn off the rule that is blocking it.

We install a nifty enterprise-level client-side security suite. We run all the pieces (firewall, heuristics and regular AV). We figure, cool, let's use Application and Device Control! Rather than follow the vendor-provided whitepapers and set the system to logging only on your test group, you decide to just add MS Office apps, but then nothing else is working... Rather than figure it out, you turn it off and only use blacklisting.

One more on Apps, patching...  Well we use WSUS so all our problems are solved!! 
"Ok so what about Java and Adobe patches?"
....
We don't patch those.
"How bout MS Office?"
Well WSUS does that right?
"No your WSUS is configured with default settings, you are only downloading Windows OS patches, you don't have Office checked off."

So with all that, your apps are not properly patched, your network is no longer segmented and your client-side endpoint protection is about as good as free AVG. I won't even get started on the unused IDS/IPS appliance :P

Most companies that don't invest in talented individuals to run their networks tend to have all the shiny tools, but none of them are configured properly or at all. Back in the day, you would have to try very hard to crack the shell, but now you just need to compromise the human piece and then make your way back out of the shell. Our traditional methods of detection no longer work unless you utilize the added pieces and start whitelisting the network. Do not allow the unknown to run!

Or I am completely full of crap but that is for others to decide.  :D
Certs: GCWN
(@)Dewser
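A defender-side check for the WSUS gap described in the post above (a default subscription that downloads Windows OS patches but never Office, with Java and Adobe not covered at all). This is an added example, not code from the thread; it assumes the UpdateServices PowerShell module that ships with the WSUS console, and rights on the WSUS server.

```powershell
# Added example: audit what a WSUS server is actually set to synchronise, so the
# "Office isn't checked off" problem is found by the admin rather than by a tester.
# Assumes the UpdateServices module (WSUS console / RSAT) is installed and that this
# runs on the WSUS server itself (add -Name/-PortNumber to Get-WsusServer for remote).
Import-Module UpdateServices

$wsus = Get-WsusServer                   # local WSUS server by default
$sub  = $wsus.GetSubscription()          # the synchronisation subscription

# Product families and update classifications currently selected for download
$products        = $sub.GetUpdateCategories()      | ForEach-Object { $_.Title }
$classifications = $sub.GetUpdateClassifications() | ForEach-Object { $_.Title }

# Product families that commonly get forgotten (constructed list; extend for your estate)
$mustHaveProducts = @('Office', 'SQL Server', 'Exchange')
# Classifications without which "we use WSUS" means very little
$mustHaveClasses  = @('Security Updates', 'Critical Updates')

$findings = @()
foreach ($p in $mustHaveProducts) {
    # -match against an array returns the matching titles; an empty result is a gap
    if (-not ($products -match [regex]::Escape($p))) {
        $findings += "Product family '$p' is not selected; its patches are never downloaded."
    }
}
foreach ($c in $mustHaveClasses) {
    if ($classifications -notcontains $c) {
        $findings += "Classification '$c' is not selected."
    }
}

"Products synchronised:        " + ($products -join ', ')
"Classifications synchronised: " + ($classifications -join ', ')
if ($findings.Count -eq 0) {
    "No gaps found in the WSUS subscription."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}

# WSUS never sees third-party software (Java, Adobe Reader, Flash). Those need a
# separate inventory and update path, so a clean result here says nothing about them.
```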
MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Sat Oct 01, 2011 5:25 am

Re: Question on real world pen testing

blueaxis wrote:
2. My understanding is large companies are spending huge amounts of money on securing their networks - so I am not sure if the conventional pen test tools and techniques taught in books and class would still work in today's world.


It depends on what books you read, and what classes you attend. Some (actually a lot of) ancient knowledge can still be used today (even flaws in IPv6, and ARP spoofing on many networks. Think of them as often insider attacks, as these can occur). However, SQL injection and XSS, for example, are application layer attacks. Both are around 10 years old, and still taught. Buffer overflows are also very old, and these still work too. Even though blackhats target the client applications more and more often, such as the browsers and plugins (like Java, Flash, Adobe Reader, etc.), as there's a larger attack surface, and thereby more ways to compromise a client, which may be connected to a network.

But in essence, it is not about the tools, because if you're a good hacker, then you can write these tools yourself if you need to, but writing your own port scanner from scratch (not using netcat, telnet, or whatever) takes time, and often there's already a good solution to that such as NMAP, randscan, or whatever you use. NMAP is... over 10 years old and it's still being used by pretty much all pentesters? It has its quirks, yes, and it's detectable, but if you use it with care, and know how the tool works, you can also avoid detection when you use this program.

There are, of course, even protocol attacks you can barely patch against.


blueaxis wrote:
Very interesting perspectives. Thanks for sharing them. When you say orgs are weak from inside - do you mean network layer or application layer?


Any layer. Even the physical layer. Often they're vulnerable to various network attacks, but there are also outdated clients and servers on some networks, which go all the way up to application level vulnerabilities.
I'm an InterN0T'er
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Oct 01, 2011 9:47 am

Re: Question on real world pen testing

A big key is, if you use existing tools (to save time), you need to be familiar enough with them to understand 'proper' usage in a pentest (such as running scanning tools in a way which avoids, or at least minimizes, detection of your activities). And that familiarity comes with lots of lab time / practice with each tool, etc.
~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
