RE: Vulnerability assessment for small business

From: Omar A. Herrera (omar.herrera_at_oissg.org)
Date: 09/28/05

  • Next message: bryan allott: "Re: DCOM Security." 
    To: <pen-test@securityfocus.com>
Date: Wed, 28 Sep 2005 16:06:38 +0100

    Hi Bill,

    > -----Original Message-----
    > From: Billy Dodson [mailto:billy@pmicromart.com]
    >
    > When doing a vuln assessment for a small business (25 PC's, no server)
    > which is using a peer-to-peer windows network, how do you approach this?
    > Say the customer has a firewall...but they don't host any services. All
    > of the PC's have local usernames and passwords that vary from machine to
    > machine. There is no one single administrator account across the board,
    > and you have little time. So you cant run many automated tools to check
    > patch levels and what not because you cant get remote access to the
    > registry. There are no services to be tested from the outside. Do you
    > manually go to each machine and test them individually? Of course you
    > can run null scans on the LAN, but that is not going to provide the
    > depth you need. Any ideas and pointers would be great.
    >

    You might just concentrate in 2 points: the firewall and the workstations.

    For the firewall you might try the standard tests to try to map the rules
    (which will actually be useful for the other tests).

    Most workstations do have some ports open, even if they should not be
    visible from the outside (e.g. ports 135, 137-139, 445 on Windows machines).
    So, from the outside, you would just make sure this is true.

    The main vulnerabilities for workstations that you could test for are their
    ability to run things that shouldn't be supposed to run (i.e. malware). To
    test this you should change the approach and see if things can run in these
    machines and from there jump to the internet (through their firewall). The
    best way to do this is to use some kind of Trojan horse that can establish
    and test reverse connections.

    You should really talk about this approach with your client and explain why
    this is a critical vulnerable point in many network. By using a custom made
    trojan horse you might be able to show your client that Antivirus and
    similar technology is not quite effective against targeted attacks. Just
    make sure that you made the TH yourself or have thoroughly (line per line)
    reviewed and tested anything that you will be running on your client's
    machines.

    Also testing the security from inside their network (i.e. to see what a
    malware that already was able to get in might be able to do) might be
    useful.

    Finally, you could also consider testing ways to install this TH in your
    client's computers from the outside (e.g. social engineering with email
    attachments) instead of just starting from the inside (you have to talk
    about this with your client). But make sure you will be testing the TH (i.e.
    if you can't find a way to get your TH into one of their machines in a
    reasonable amount of time, document your findings, but do test the TH from
    the inside with your client's consent).

    Regards,

    Omar Herrera

    ------------------------------------------------------------------------------
    Audit your website security with Acunetix Web Vulnerability Scanner:

    Hackers are concentrating their efforts on attacking applications on your
    website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    futile against web application hacking. Check your website for vulnerabilities
    to SQL injection, Cross site scripting and other web attacks before hackers do!
    Download Trial at:

    http://www.securityfocus.com/sponsor/pen-test_050831
    -------------------------------------------------------------------------------

  • Next message: bryan allott: "Re: DCOM Security."

    Relevant Pages

    • RE: Pre-Scanning for Marketing
      ... I collected some unencrypted traffic and realized it wasn't my customer. ... offering assistance in closing these vulnerabilities. ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Up to 75% of cyber attacks are launched on shopping carts, ...
      (Pen-Test)
    • RE: [fw-wiz] CERT vulnerability note VU# 539363
      ... Attacks well known, yes. ... Mitigation methods amongst vendors, bleek. ... Interesting that for other, more damaging, vulnerabilities they don't ... In my opinion if a stateful firewall claims it can filter at rate X ...
      (Firewall-Wizards)
    • Re: Zombie spamming from my PC, Symantec/Spybot, nothing detects it!
      ... "The instant you are without a firewall, you're vulnerable,". ... We are_not_ talking about vulnerabilities that may be there but are ... If the IP stack is vulnerable then the firewall ... The problem of IP stack attacks have nothing to do with ...
      (comp.security.firewalls)
    • RE: Are Fragmentation Attacks Still Used for IDS/IPS Evasion?
      ... Well, like almost any security vulnerability, attacks against it are ... where traffic doesn't pass through a firewall. ... Cenzic finds more, "real" vulnerabilities fast. ... buy it or download a solution FREE today! ...
      (Pen-Test)
    • Re: [fw-wiz] Application-level Attacks
      ... when attacks are shifting towards using the already open ports ... |>> on the firewall, at the application level, ... These scanners are very effective at finding ... > instances of the sorts of vulnerabilities that get CVE entries. ...
      (Firewall-Wizards)