Re: Penetration Testing or Vulnerability Scanning?

[aeonflux <aeonflux () aeonflux no-ip com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 02 March 2003 12:49 pm, Etaoin Shrdlu wrote:
> Part of penetration testing ought to be simple detective work, such as
> reading Wall Street's opinions of the company. You might be looking for
> email or usenet postings from current and past employees. Why do a
> penetration test looking for vulnerabilities in a forward facing IIS
> server, when their only DMZ entry is using Websphere on an AIX/Mainframe
> combination?
I completely agree with this point, automated vuln testers can be very very 
stupid in the vulns they look for and report, I've often seen IIS vuln's 
reported in scans that I've done on apache/linux boxes.  Clearly it's a false 
positive, and it would be simple to code a check that would shut off 
scans/checks for services on certain platforms, that couldn't possibly offer 
that service.  For example, scanning for sendmail vulns against a microsoft 
exchange 2000 box is silly.

> There is good reason these scanners don't attempt to penetrate. This is
> YOUR job, not Rene's. YOU find the vulnerability, and then YOU write (or
> find) the exploit. If you are looking for a tool that attempts to exploit
> various different possibilities, then you are looking in the wrong place.
> They exist, I'm sure, but you won't find them on Security Focus.
I wouldn't expect the vast majority of consultants out there to be able to 
write exploits.  The vast majority of IT consultants can't code.  
Networking/Systems Engineering people are especially bad for this.  Exploit 
writting for the most part, isn't difficult, it however is specialized 
knowledge.  It's generally speaking not hard to find an exploit, rip it apart 
and figure out how it works, then write up some plug-in for nessus.   It is 
however unreasonable to expect that most consultants will bother to do this, 
or even have the ability.  There are the expectations of course... (like you 
wonderful people reading this).

> > One needs to have a working version of SSH exploit for the SSH
> > vulnerability detected by the vulnerability scanner, so is it necessary
> > for penetration tester to have access to the latest of underground
> > exploit? or could all this be done in an ethical manner too?
>
> How on earth do you think this has anything to do with ethics? Either
> you're attempting to break in, or you're not. Whether or not you have
> permission, the technique remains the same. Why do you think that someone
> in the "underground" is going to provide you tools? Ought you not to
> provide those yourself? Do you truly think that anything you find is better
> than rank amateur?
There are many cases I can cite, where a company wanted me to see what was 
vuln, but to NOT actually gain access to their systems.

> > please guide I am so confused between two of these methodologies.
>
> In addition, I believe you are confused between penetration of networks or
> computers for hire, and penetration testing of networks and computers for
> hire. This is a subtle difference that many newcomers to the field seem to
> miss. If you are working for someone who insists that a vulnerability is
> not there until you show the exploit, explain that it is not your mission
> to provide entertainment, but rather to help secure the network. A good pen
> tester ought to be able to take pride in NOT breaking things. If you are
> being paid to break in, that's another matter, but don't look for help
> here.
Case and point, many times I need to test if a particular dos WILL crash a 
winNT 4.0 server remotely, and there is no other way to tell, short of 
launching that particular exploit against the server.  I've seen a great many 
production servers die cause simple udp frag attacks like "bonk".  Sometimes 
penetration testing and security scanning can be very destructive, especially 
if we need to test if the vuln is not a false positive.

> In either case, WRITE your own plugins to Nessus if you want to go further
> than identification, or ADD in a DoS to nmap. If you don't have the skill
> to open things up, you don't have the skill to pen test in the first place.
> Scanners such as ISS and Pandora simply point out problems. You need to
> have the knowledge to understand that ISS appears to have a small buffer
> overflow problem in TCP Predictability that causes it to misidentify BSD
> stacks (being random) as being easily predictable, when in fact (as nmap
> tells you), they are not.
I agree in theory, but in practice most consultants will not have the ability 
to write their own nessus plugins.  Besides in my experience, I found adding 
the dos attack to nessus was much better then adding it to nmap.....  almost 
always easier too.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD4DBQE+YoE21mDajpZ9rHwRAuutAJY2cPhGl/2jDNLOkq2qStgZ9rqwAKCJPgRF
gilMwF+5aaCAMoKR6mlvAQ==
=Nt/z
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html