0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Archive for February 2009

Scoping a Penetration Test

with one comment

Scoping a penetration test is difficult. This is why Statements of Work and Requests for Proposals are necessary evils. It’s not an exact science.

There’s a lot of factors that can be involved:

  • Number / Complexity of Systems and Networks – Standard windows boxes? What about the patching system controlling their updates? Are they located in the DMZ, or would exploitation of the system drop you directly into the internal network?
  • Number / Complexity of Applications – Number of pages (a horrible metric)? What technologies were involved? How many developers? In-house, or Third-Party? Remote Administration? The List goes on…
  • Depth of Testing – How “deep” should the test go? Should we stop once we’ve run a vulnerability scan and confirmed / denied the results? What about brute forcing of authentication? What about attacking the users? What happens when we gain access? Should we continue?
  • Focus Areas – Where should testing be focused? What systems are of critical importance? How are those systems used?

A number of helpful things to do:

  • Define a goal. If you haven’t DEFINED a goal, you should start there. Some goals are obvious — Gain Domain Administrator access. Some are not so obvious: Gather document on sally from accounting’s desktop.
  • Accept that each test is going to be different. Each time you do one of these, the goals are going to be slightly different. Disregard that fact at your own risk.
  • Look at the system from the perspective of controls. Which controls are you trying to test? The firewall? The spam filter? The user’s intuition? (The danger of this method is testing to the control, not the gaps between them.)

In the end, it’s scoping == budgeting. You have to be able to make reasonable estimates about the time that you’re going to spend testing. How do you scope penetration tests and other services work? I’m interested in the tactical (and repeatable) metrics that you use!

Advertisements

Written by jcran

February 19, 2009 at 7:18 PM

Posted in Uncategorized

Raising the Bar

leave a comment »

I often hear technologies or controls disregarded on the basis of  “It can’t protect against X scenario.” or “It doesn’t completely protect me.”

For example, take a web application firewall. It can be boiled down to a regex, and possibly some fancy behavior analysis. It CAN be subverted. Encoding, session splicing, other types of evasion can defeat them.

That’s not to say technologies and products shouldn’t strive for more. It’s just accepting the reality of the situation that you can’t completely control your environment.

It’s not about creating a perfect defense. It’s about raising the bar.

Security only works as a process, only as defense-in-depth. There is no silver bullet that can protect against all scenarios. Everything breaks when its assumptions are violated.

The whole security industry is wrapped up in an arms race. As soon as you add another layer of protection, an attacker is forced to work that much harder, and they will.

The question becomes, does the arms race ever end? (Hopefully not. It’s paying my bills.)

Smarter people than i have written about this.

Written by jcran

February 19, 2009 at 12:51 AM

Posted in Uncategorized

Back|Track 4 First Impressions

leave a comment »

It’s damned liberating to take this distro and be able to update it. This, along with specialized security-tool repositories, is the killer feature of the new Back|Track 4 release. A

If you haven’t tried either the LiveCD or the VM version, give’m a shot.

My first impressions are extremely positive. I like the fact that you can choose your window manager, KDE or FVWM (FVWM is /sexy/). Most of the Ubuntu folk (myself included) are going to be used to using Gnome, but KDE will do.

It would be better if the distro would auto-generate a password on first load, rather than using the default of root:toor. Especially, now that the disk has become installable, and thus, more permanent. I look forward to owning a corporate auditor’s Backtrack box. 🙂

Good work all around. Now to get documentation on how to set up & maintain my own Debian/Backtrack tool repository! 

jcran

Written by jcran

February 17, 2009 at 4:21 AM

Posted in Uncategorized

Just about right…

with one comment

justaboutright3

Written by jcran

February 16, 2009 at 5:39 PM

Posted in Uncategorized

Tagged with

ShmooCon 2009 Wordle Visualization

leave a comment »

ShmooCon 2009 Talks

ShmooCon 2009 Talks

Visualization of the 2009 Shmoocon talks created byWordle.net.

Written by jcran

February 6, 2009 at 2:37 PM

Posted in Uncategorized

ShmooCon 2009 picks

leave a comment »

Written by jcran

February 6, 2009 at 2:17 PM

Posted in Uncategorized