Penetration Testing mailing list archives
Re: Internal Servers (noob post)
From: τ∂υƒιφ * <tas0584 () gmail com>
Date: Fri, 5 Jun 2009 10:33:26 +0530
Hey,

Going by the idea of your IT dept, if you just secure the perimeter, what about the internal threats? Attacks are not just restricted to bypassing the packet filtering device or something. There could be phishing attacks, emails, malicious documents, worms etc. spreading through emails as well. You can protect yourself from external threats, but the most common is the weakness within. A simple patch missing on the server could throw up a remote shell to the attacker. Default admin accounts come with blank passwords and most of the time they are the prime reasons that lead to compromise of a system. Even weak passwords do contribute.

It is not just hardening the OS; it is even more important to make sure that the applications shipped on the OS are equally well hardened. An sa with a blank password on SQL Server could compromise a complete network, because you can run OS level commands from the database itself.

It all depends on the attacker and what the motive is. But the most common would be to steal the sensitive information and sell it to the competitor. He could also create a permanent backdoor in the network to have constant access to the network.

If in case for some reason the firewall is compromised and the internal servers are hardened, you are restricting or isolating the movement of the attacker inside. Though he broke into the house, he has nothing much to steal. By doing so you are minimizing the loss and risk of losing sensitive information.

--
Taufiq Ali
http://www.niiconsulting.com/products/auditpro.html

2009/6/2 pma111 <pmaneedham () hotmail com>

I wonder if you could give me some pointers on ways you pen testers would try to penetrate or gain access to an organisation's internal server "farm". I have read numerous hardening guides for both UNIX and Windows Servers, which we use for our host based systems, but our IT dept insist perimeter defences (firewall etc.) are sufficient to protect the internal servers, so there is no need to invest heavily or put resources into hardening internal servers. Is this statement valid, or would hardening internal servers also give pen testers a hard time gaining access to data, backups or host based apps residing on internal servers?

What I am really after (I am no pen tester but am intrigued by what techniques you guys use) is to get into the mindset of the ways you guys would try and gain access to our internal servers and data. If I make some assumptions, could someone with experience (be it white hat, black hat, grey hat) give me some pointers as to whether my assumptions are correct?

To attack (bring down, steal confidential data etc.) one of our internal servers, would you always try to penetrate the firewall or find some vulnerability in the firewall in order to get remote access into our internal servers? Once through the firewall, what methods would you guys use to gain access to the server? Would you try default accounts that you know exist (I noticed the vast majority of hardening guides always say disable or remove unnecessary default UNIX / Windows accounts etc.)? Is hardening an internal server much protection if somebody has broken through the firewall, or is it easy practice to still get data off internal servers?

Any pointers most welcome.

Regards,

--
View this message in context: http://www.nabble.com/Internal-Servers-%28noob-post%29-tp23832003p23832003.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
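Added audit example, not part of the thread or of any product it mentions: a T-SQL check for the two conditions Taufiq's reply singles out on SQL Server, an sa login with a blank password and OS command execution reachable from the database (xp_cmdshell). It assumes SQL Server 2005 or later, a sysadmin session in the master database, and that PWDCOMPARE, sys.sql_logins and sys.configurations are available (all are built in); the renamed login name is a placeholder.

```sql
-- Added hardening check (not from the mailing-list thread).
-- Assumes SQL Server 2005+ and a sysadmin session in master.

-- 1. Any SQL login whose stored hash matches the empty password.
--    PWDCOMPARE returns 1 when the candidate password matches the hash.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. State of the built-in sa login (always principal_id = 1, even if renamed).
SELECT name, is_disabled
FROM sys.sql_logins
WHERE principal_id = 1;

-- 3. Whether xp_cmdshell, which runs OS commands from T-SQL, is enabled.
--    value_in_use = 1 means any sysadmin (including sa) has an OS shell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Remediation, run only after reviewing the results above:
-- rename and disable sa, and switch xp_cmdshell off.
ALTER LOGIN sa WITH NAME = [placeholder_renamed_sa];   -- placeholder name
ALTER LOGIN [placeholder_renamed_sa] DISABLE;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Query 1 is the one to run periodically: it catches not only sa but any login created with a blank password, which is the "weakness within" the reply describes. Disabling sa and turning off xp_cmdshell removes the direct database-to-OS path even if the perimeter is already behind the attacker.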
------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------