Re: Pen testing Fiber Channel



Bojan,

Thanks for the helpful email, the information below might also be of value...

World-Wide names are sometimes spoofable.
Softzone's are often easy targets for compromise.
The "fibre channel" protocol looks very similar to that of TCP/IP and can on
occasion be used to carry information other than data.

You started to hit the nail on the head with your questions below, however,
other questions should be asked about the protocol(s) that the target network
is running on.

Also a little known fact is that many of the Fibre Channel switches have
undisclosed backup accounts with default passwords that will allow for easy
access and management of the security zones.

If direct access to the network is available, a top notch protocol analyzer
will come in handy and show which protocols can exist for exploitation.

Some other solutions out there also work as fibre channel variants and allow
for C&C to occur over their devices, as an example, all kinds of hacks and
applications are available for Myricom gear...

Hope this helps,
Bob Beringer


------ Original Message ------
Received: Thu, 19 Jan 2006 12:56:09 AM EST
From: Bojan Zdrnja <bojan.zdrnja@xxxxxxxxx>
To: "pentesticle@xxxxxxxxx" <pentesticle@xxxxxxxxx>Cc:
pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: Pen testing Fiber Channel

On 17 Jan 2006 20:06:45 -0000, pentesticle@xxxxxxxxx
<pentesticle@xxxxxxxxx> wrote:
> Hello list...
>
> I'm performing my first pen-test on a network that uses fiber channel for
their backup network. The network diagrams show fiber channel switches on the
backside and nothing else to prevent access from one
> server to another on a different higher security network. Can anyone tell me
if it is possible once I compromise one of the servers on the lower security
network can I hop across the fiber channel to a server on the
> higher security network? If so how would I go about hopping over via the
fiber?

Are you sure you are not talking about SAN here? If it's SAN then you
can't use it to do anything else but transfer data on it. You could
check one of the machines to see which LUNs (logical disks) are mapped
- there can be problems here if a SAN admin allowed access to more
LUNs than needed.

Other than that, SAN servers (backend servers) are usually on isolated
or private network, so you can check if you can reach them somehow
(you shouldn't be able to). They basically hold the "keys to kingdom"
as they can allow you to map LUNs to anything and then access the disk
from other servers, completely compromising the security.

Cheers,

Bojan

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities

to SQL injection, Cross site scripting and other web attacks before hackers
do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------






------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



Relevant Pages

  • IT Security Administrator in Bend, OR
    ... workstations as well as physical security for I/T systems. ... manages network security software and hardware. ... Extensive experience with Windows 2000/2003 servers and Exchange ... Two years experience configuring, installing and implementing VMWare ...
    (comp.arch)
  • Re: How to access I/O port directly in VC6.0?
    ... As soon as you have standalone machines, ... Their "security" as far as servers was a joke; ... discovered the internal wireless network was completely unencrypted. ...
    (microsoft.public.vc.mfc)
  • RE: [fw-wiz] Security Audit and Priorities
    ... Learn your network. ... - Linux Security Cookbook ... Building Secure Servers with Linux ... It's one thing to be a firewall admin and write ...
    (Firewall-Wizards)
  • Re: Cisco VPN AIM: is really needed for me?
    ... IOS 12.4ADV SECURITY ... public /29 range for my servers ... I would like to establish the tunnel from the site A (using network link ...
    (comp.dcom.sys.cisco)
  • inheriting a network
    ... NT servers had never had updates or SPs installed on ... I would start by running the Microsoft Baseline Security ... Analyzer on all servers and workstations in the network ... Best Practices for Enterprise Security (Microsoft Technet) ...
    (microsoft.public.win2000.security)