Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 18 Apr 2009 18:10:58 +0100
Hi Daniel,
> > This can get you in trouble. I've been part of many incidents where alarms start going off (literally - What's Up Gold and NetIQ) in the NOC because the Security Team was testing without informing anyone. The result is that someone higher up on the food chain gets very irritated because the NOC team had to report downtime on servers.
>
> So the servers aren't patched or reliable enough to withstand a scan?
Not the case at all. For example, in the Windows world it is possible to configure the security policy to reboot the machine when the pagefile is full. The incident I recall is the security team filling up the page file on 4 of 7 domain controllers across the country. What really got them in trouble was lying about it. I called a friend on the security team. He stated they were not doing anything with the servers. So I had to call the CIO and let him know that servers were unexpectedly bouncing, security was not testing, and virus definitions were up to date. Bad news all the way around.

As far as patching, there's nothing I can do with some Vendors. Symantec/Veritas is a classic [pathological] case. I'm lucky if I can get a support incident resolved in under a week (and one Enterprise I worked at had support costs of over $150,000 a year). Backup Exec does not need to be tickled to crash or hang. I can't make these folks bring in whitehat during QA.
> Sounds like the _assessment_ is working and showing flaws in your architecture.
I could have told him they would bounce if he filled up the page file - it's the customer's policy :). I failed to see the point of the exercise (for this particular test), why the team lied about the engagement, and why it was performed during business hours.
> Hackers rarely inform sysadmins of their intentions.
Agreed. But I'd like to think the relationship between IT and Whitehat is more amicable.
> We have thousands of people in the world that drive cars, but only few of them drive race cars for a living.
No problem. I'll drive right and you can pass on the left. But there's no need to run folks off the road 'just because you can'.

Going back to Michael:

MB > and reboot servers individually, you have a
MB > problem with the system management bit.

Not all servers are Proliants with RILOs or enterprise Dells with DRACs. Not all switches are managed. You guys have been to the server rooms and closets. I'd love to have Catalyst 4000s and Proliant clusters at every site. Again, just a view from an Admin.

Jeff

On 4/18/09, Daniel Clemens <daniel.clemens () packetninjas net> wrote:
> On Apr 17, 2009, at 11:35 PM, Jeffrey Walton wrote:
>
> > This can get you in trouble. I've been part of many incidents where alarms start going off (literally - What's Up Gold and NetIQ) in the NOC because the Security Team was testing without informing anyone. The result is that someone higher up on the food chain gets very irritated because the NOC team had to report downtime on servers.
>
> So the servers aren't patched or reliable enough to withstand a scan? Sounds like something you might want to know about in case it was a real attack. Sounds like the _assessment_ is working and showing flaws in your architecture.
>
> > And it only gets worse when Domain Controllers are forced to reboot because a test 'got away' from the Security team. I was also part of a database recovery because a server was rebooted due to a penetration test. Again, no one was informed, the DBA did not have an up to date backup, and the instantaneous reboot corrupted the database.
>
> Hackers rarely inform sysadmins of their intentions.
>
> > In the end, nearly anyone can acquire and use the tools.
>
> True, people can acquire and use tools. But the people who drive those tools make the difference. We have thousands of people in the world that drive cars, but only few of them drive race cars for a living. A good pentester doesn't just use all the tools, he knows where certain configuration and implementation flaws will crop up and how he can leverage them to his or her advantage.
>
> | Daniel Uriah Clemens
> | Packetninjas L.L.C
> | http://www.packetninjas.net
> | c. 205.567.6850
>
> "Moments of sorrow are moments of sobriety"