RE: PT Activity duration/time

From: Michael Gargiullo (mgargiullo_at_pvtpt.com)
Date: 09/26/05

    Date: Mon, 26 Sep 2005 10:08:47 -0400
    To: pen-test@securityfocus.com


    While I agree with Mr. Miller on several points, I generally will
    exploit holes found, as long as the goal of the exploit is not a DoS
    attack. I do this for several reasons, the most important being the
    final deliverable.

    If I hand the CIO a report stating he has 3 critical areas to address,
    and list them, he nods and gives it to his tech guys.

    If I hand him a report that says he has 3 critical areas, and show him
    step by step with screenshots how a malicious user could gain access,
    they generally get on top of their tech guys until it's fixed. This also
    gives the CIO a chance to see if the guy(s) watching the logs (or IDS)
    can catch this. When I grab a box, I don't wipe the logs clean, but
    I'll add a line to the effect of "The malicious user has gained access
    to this machine, please report this to the appropriate persons".

    We also don't just do a PT/VA, it's almost always associated with a
    security audit. The VA/PT is used to vet the company's security
    policies.

    -Mike

    -----Original Message-----
    From: Miller, Joseph A [mailto:joseph.miller@eds.com]
    Sent: Monday, September 26, 2005 12:23 AM
    To: sol@haveyoubeentested.org; BSK; pen-test@securityfocus.com
    Subject: RE: PT Activity duration/time

    Sol,

    My discussion point is the need to do it at all.

    Let us take 2 cases:

    1) Penetration Testing

    If your requirement is to get as deep into the network as possible doing
    a black box penetration and you have no problem crashing boxes trying to
    get there, then this is totally acceptable.

    The moment you have to call and ask if a system is important enough that
    you need to know whether you can exploit a well-known vulnerability on it
    or not... You might as well just have a network diagram and say, "Okay, if
    I root this box, then I get here on the network and I own this entire
    set of systems due to the gain of passwords, etc." So this leads into
    2).

    If you are doing this (regardless whether it's 10% or 35% of your time)
    then you MUST believe that the hole is real, thus is exploitable. So
    figure out the workaround or log it and give the client the patch notes.

    If you assume that the exploit is real, the hole is real. Why are you
    exploiting it? Unless it doesn't matter if you break the system because
    it's a REAL full penetration test, you wouldn't spend 35% of your time
    exploiting it, because you can just skip it and let the client know to
    fix it. If your JOB is to write and get working exploits, that is
    completely different from doing an assessment for a client.

    2) Vulnerability Assessment

    To assess the state of security for a network. I'm sure there are a
    million interpretations of what this means, however... Assessing a hole
    by writing a vulnerability and researching it on-site doesn't give value
    to the client and is NOT doing a vulnerability assessment. That is
    research and development. If you wanted to have an exploit ready, then
    code it in the lab and then take it with you to help on assessments. The
    client wants to be safe, not serve as a test bed for new development. I
    guess it is an extra bonus and fun if you don't have anything better to
    do.

    The benefit of pen/assessment for the client is security. Obtaining that
    doesn't require actually exploiting the WELL KNOWN exposure you found.
    That is just proof that it could happen. However, we don't need to do
    something bad to prove it can happen, when we already KNOW it can.

    That was my point is all. As far as how long for each of the notes you
    have below, I can assure you that most penetration testers hoard
    exploits and most likely will rarely ever create one on site. They
    either have them on hand when they can use them, or don't need them at
    all.

    -----Original Message-----
    From: Sol Invictus [mailto:sol@haveyoubeentested.org]
    Sent: Saturday, September 24, 2005 11:43 PM
    To: Miller, Joseph A; 'BSK'; pen-test@securityfocus.com
    Subject: RE: PT Activity duration/time

    Joe and All,

    After reading through both posts, we need to determine what tasks fall
    under Vulnerability Exploitation. Here is what I would say:

    1. Researching the availability of the exploit on the net.
    2. Ensuring that the exploit is "trojan free".
    3. Contacting the point of contact at the client to notify them and
    request permission to move forward with exploitation.
    4. Using this exploit (or one from your toolkit) to exploit the box.

    #1 would probably be the most time-consuming of the 35%. But this is
    also a very important step. Not every malicious hacker out there has
    commercial tools with all the latest and greatest exploits out there.
    #3 is also a very important task. Even during a black box test, you
    need to keep in touch with your point of contact to ensure exploiting
    the box at that point in time will not cause unreasonable damage to the
    target. With their permission it takes some of the liability off the
    tester.

    Sol Invictus

    -----Original Message-----
    From: Miller, Joseph A [mailto:joseph.miller@eds.com]
    Sent: Friday, September 23, 2005 3:52 PM
    To: BSK; pen-test@securityfocus.com
    Subject: RE: PT Activity duration/time

    Perhaps this will start a rant but... Is there really a need to spend
    30% of your time breaking into a hole when you can show the exposure as
    well documented and exploitable? I understand there is a difference
    between full pen and vuln assessment. However, that's like black box
    determining the external IPs for an external. The value to any client
    for a "hacker" approach is giddy and fun, but if you were just handed
    the IPs you could just show the exposures and not waste your time OR
    YOUR CLIENT'S.

    I guess you have to gauge what you are trying to prove. If your client
    requires you to gain root, great. If you are doing a pen, you already
    have the understanding from the client. That's what you are there for in
    the first place. You are the expert and showing that there is an
    exposure for a remote buffer overflow on a given system is your job, and
    more so showing the customer how to fix it.

    Eventually it all comes down to time, like you said. What amount of time
    should you spend on what... I think everyone on this list will agree to
    the following:

    1) AUTOMATE as much reporting as possible (35%?????) ouch
    2) Define your scope to your client

    If they want full stealth black box, ensure they understand the time
    limitations... I assume you don't work for free.

    IP count is decent, however, the numbers in the open source testing doc
    show decent numbers that can help you determine scan times for large
    sets of IPs, etc.

    Of course, a FULL UDP port scan of a Solaris is a tad different than
    other systems... Plan accordingly.

    3) Experience... The more you do the more you can optimize, have a game
    plan when you show up. You should already be done with your information
    gathering before the start time.

    ..... Did I miss anything?

    -----Original Message-----
    From: BSK [mailto:bishan4u@yahoo.co.uk]
    Sent: Thursday, September 22, 2005 9:43 AM
    To: pen-test@securityfocus.com
    Subject: PT Activity duration/time

    Dear All,

    We have been conducting a number of PTs to date.

    1. There is one thing which has always bothered us: a good effort
    estimate, especially for black-box PT. We generally estimate our efforts
    based on IP addresses.
    I would request other pen-testers on this list to share their views and
    methods of effort estimation.

    2. Secondly, what is the amount of time that should be spent on each
    phase of PT?

    For example:

    Information Gathering - 5%
    Footprinting - 10%
    Vulnerability Scanning - 10%
    Vulnerability Analysis - 10%
    Vulnerability Exploitation - 30%
    Reporting - 35%

    Awaiting some input/feedback from other pen-testers on this list.

    Thanks,
    Bshan

    ___________________________________________________________
    To help you stay safe and secure online, we've developed the all new
    Yahoo! Security Centre. http://uk.security.yahoo.com

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on
    your website. Up to 75% of cyber attacks are launched on shopping carts,
    forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
    servers are futile against web application hacking. Check your website
    for vulnerabilities to SQL injection, Cross site scripting and other web
    attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    ------------------------------------------------------------------------------
