security is as strong as the weakest link..

“Security is only as strong as your weakest link “

Am I a big fan of Penetration Tests?
Yup, I am, but not the way most companies do it or get it done.
Companies look at these assessments as a tick mark in a compliance checklist. No one wants issues to be there in the assessment reports. Every one fights to get the risk ratings from critical to medium and medium to low. I have often realized how hated I am in the organization and somehow concluded that more the IT guy is pissed with me the better work I have done!

So why do Penetration Tests fail & why I think these tests are useless.

Companies fail to understand what is critical for them and what needs to be checked. There are no targeted pen tests being done.
While getting their external router assessed for critical vulnerabilities they often fail to realize that they have a porous wireless network which would be piece of cake for a determined attacker.

One of my clients was after me to ensure that we reviewed his routers and firewalls multiple time while he had his wireless network secured by using MAC filtering only. It took me days to convince the client and his MNC wireless vendor to drive home the point that wireless network directly hooked in your server environment is a bigger risk, and somehow MAC filtering is not a security mechanism. I could show him that it was easier to walk into his premises and put a rogue AP in a conference room rather than working my way through layers of firewalls he had at the internet perimeter. In no way I am demeaning the value of having a secure perimeter, but not at the cost of having a network port open in a guest lounge.

Organizations would put cameras, security guards and turnsters at the main gate while keeping backdoors to lobbies and cafeterias open and unmanned. One other clients was not ready to accept that password guessing, even if I am able to guess his domain admin password was a successful hack and a serious issue, as he wanted something technically fancy, something that looked like those hacker movies we see, something which is magical and gives a shell. If someone can kill you with a hammer he doesn’t need to use his snipers. And death is death whether by cold or by cancer.

Clients come and tell me to perform external pen tests and shy away from including social engineering, client side testing, physical security and stolen equipment tests, without realizing the test would show them only one side of the coin, and not the actual picture. It would take someone minutes to launch such attacks and get the jewels of the organization.Getting internal Penetration tests for servers done without including clients, network devices, password brute forcing and social engineering test?
Come on stop kidding me.
Don’t create a security theater for yourself, a tester with his hands tied behind his back and eyes blinded could not hack your systems and you feel happy about it and feel like a winner! AAH!
Lets have a no hold bar test. Let’s level the playing field. Let’s have actual tests done. Let’s see where we are broken. Let’s check our small offices in sleepy towns.
Lets get ourselves hacked so as to be secure. Hackers do not follow rule books , they do not have an assigned budgets or time frames. They do not have time lines for compliance and do not have time slots to stick to. A determined hacker/tester would get in.
The world has now changed from people trying to catch the low hanging fruit to hackers who are professionals and know who and how to target. Lets stop preparing ourselves s against indiscriminate machine gun fire to more directed sniper shots.
Remember your
“security is as strong as the weakest link which is around the corner waiting to be exploited.”

Advertisements

Pen Test Lab

Aim of this Lab:

  • Provide a complete lab for Penetration Testing a Windows XP box, Linux box and a bit of Web Servers
  • This lab provides three different scenarios:
    • A fully vulnerable box with all kinds of vulnerabilities for a user to exploit.
    • A fully vulnerable system behind a firewall/IPS
    • A fully patched system fully patched and updated behind a firewall. While the vulnerable system will give the attacker a way to try out all the exploits and the tools, the firewalled system will give a real case scenario with the IPS/Firewall/Updates & Patches.
    • A domain is created on a Windows Server 2008, with a Windows XP being a part of the domain. All domain related tests can be performed on these systems.
  • Further expand it to include Web Application testing and Wireless Assessments

You Need:

  • Box 1: Attacking Machine
    • 4 GB RAM
    • OS: RHEL/Ubuntu
    • BackTrack 5 (Attack)
  • Box 2: Target Machine running multiple VMs
    • 8 GB RAM
    • OS: Ubuntu
    • Snort, iptables (Defence)
  • Plenty of HDD space in both
  • Pre-built VMs or ISO for installing OS (Ubuntu, RHEL, Windows, Metasploitable)
  • VMWare/VirtualBox/KVM … Any solution for a virtual infrastructure

Box 1: The Attacker System

  • 4/8 GB RAM
  • OS: RHEL/Ubuntu
  • IP Address For Physical: 192.168.205.3
  • Virtual Infrastructure: BackTrack 5: The Attacker
    • IP: 192.168.210.2
  • Virtual: Vulnerable Windows XP
    • IP: 192.168.210.3
  • Same Copy as Vulnerable Windows XP which is deployed on Box 2. This virtual machine is to attack the XP system without any Firewall/IDS/IPS in between

Box 2: The Target System

  • 8 GB RAM
  • Ubuntu with Snort (Snort on RHEL is not advisable – http://www.snort.org/snort-downloads/rhel5/)
  • Install SE Linux and/or iptables
  • IP of Physical: 192.168.205.2
  • Windows XP SP3:
    • Fully Patched: This will give a sense of the systems which are deployed in production environment. Attacking this system would be fun! Make sure to change your wallpaper to the “Try Harder” from Offensive Security!
    • Make it a part of the Windows Server 2008 domain
  • Windows XP:
    • IP: 192.168.200.3
    • Not at all patched; Automatic Updates are Off
    • Windows Firewall Turned Off
    • Use “Simple File Sharing” (Control Panel)
    • Enable IIS and SNMP
    • Install Microsoft SQL Server 2005. Set a simple password. Ensure this is running on port 1433 (netstat -ano)
  • * Metasploitable:
  • * Windows Server 2008:
    • IP: 192.168.200.6
    • Install Directory Services
    • Enable DHCP, DNS, FTP
    • Firewall/Automatic Updates to be Enabled
  • * Ultimate LAMP:
    • IP: 192.168.200.7
    • Ultimate LAMP runs Apache, MySQL, PostFIX, and older versions of other services
PenTestLab

PenTestLab Network

Note:

* While networking the systems, ensure the VMs on Box 2 is reachable from Box 1, and all traffic is being monitored by the iptables and Snort.
* Secure both the boxes if connecting to the Internet. It is the VMs which are vulnerable, the host machines should be secured before connecting to the Internet.
* Enable some simple routes to make the BT5 on Box 1 to reach the VMs on Box 2 and vice versa. I leave this as a home-work.
* Ensure no sensitive/personal information is stored on either of the Boxes. This is a testing environment.

Available Resources: