Penetrationtester.com

I left Pure Hacking yesterday after 2.5 years I had a great time but it is now onwards and upwards as the Director of HackLabs. HackLabs is a new boutique penetration testing company looking forward to making a significant impact on the industry.

I come up against Watchguard Firewalls and these little guys and they are not bad little firewalls for the small to medium size organisations. This is mostly because they have quite a bit enabled by default. One of them is the port scan detection module which locks any IPs when it detects a port scan. One of the problems for pen testers is that it does not have a whitelist so for a client it's either on or off.

When you are performing an infrastructure penetration testing its important to get good reliable port scans. So often we ask customers to turn it off to ensure we capture every open port as often we don't have the luxury of time to allow us to run slow scans to bypass the detection rules. As clients who run Watchguard only have the option of on or off it will most often remain enabled and force the tester to do a slow scan.

After playing with a few different timings to get the best result I found against the default Watchguard settings was the following nmap command to get them done the quickest but without getting my IP blacklisted.

nmap -sS -iL targetlist.txt -P0 -sV -T4

When done with a full port range (-p1-65535) on four IP's it takes 1000 seconds to complete. The -T4 option is the time setting, T1 is the slowest.

I was listening to the the Risky Business podcast this morning (by the way thanks Patrick you do a great job putting the show together). In episode 85 (http://itradio.com.au/?p=206) Patrick talks to one of his sponsors and legendary security expert Marcus Ranum. Old Marcus has some funny views on pen testing and I think they are slightly missing the mark.

Marcus believes that tools such as CORE Impact and Metasploit are not a good idea as it makes a pen tester lazy (If I could generalise his comments to mean that). The things were left out which are an argument as to why tools such as the above are needed and why pen testing is still a valuable exercise are illustrated by the following points;

1. A pen test is not just exploitation of devices ! A pen test is about using the technical access you gain to gather business sensitive information to highlight the risk of weak IT Security controls. It's not about just getting the access !!!! Whilst the tech's in the target organisation understand the impact. It's about highlighting the business impact should someone malicious exploit the same vulnerability and attempt to extract sensitive business information or disrupt operations, this is what senior management are interested in.

2. The tools that assist a penetration tester such as CORE Impact and Metasploit are only as good as the person driving them. CORE Impact whilst having a automated wizard is handy but the manual process is required to get complete coverage. The reason customers like this tool being used is that it has great logging and reporting of all actions taken. Also as a tester when you are finished all you have to do is select cleanup and it removes all the agents (control modules you have installed whilst you have been exploiting systems). Once again great to show compromised hosts but unless you link these to business risk it's not that good for the customer. (Disclosure: Pure Hacking are re-sellers for CORE Impact)

3. Coverage - The old problem with any consulting job is time and with a pen test time is always limited. Customers might not want to dedicate much time to the assessment but still expect a tester to find all the holes ! That is obviously a tough job, with scanning tools at least you get coverage of the target environment and whilst it's working away you focus on the other manual tasks of the test.

4. The win or Loose scenario for a pen testers. This is not something we are too concerned about it's great to compromise a customer network and illustrate a security attack vector that they had not though of. But we still get paid even if we don't find any security weaknesses. In saying that however there are always security controls that can be strengthened to help reduce the risk a environment is exposed to.

5. Secondly both tools have very limited Web Application security support and the shift to Web Application security testing has been very significant in the last 3 years. Most pen testing I perform (70%) is now on Web Applications.

Happy to hear constructive thoughts on my post.

Found it hard to find some of this info so thought I'd mention it my blog for fellow hackers/ Pen testers.

Passwords for the Cisco IP Phone 7936;

User Level Access @ Web interface: 7936

Admin Level Access @ Web Interface:**#

No actual username is required ! and after doing a bit of research it turns out if you change the accounts the rightful owner has no mechanism to change them back. If you thought a re-flash might be the answer the device requires administrator access to perform that function! So there is no mechanism to reset to factory defaults without admin access! There are a few stories of bricked phones as a result !

One of the curse's of being an infosec professional has always been a healthy dose of paranoia. However this is often compounded by knowing the rules that people have to follow. Today I noted two really bad practices.

1.) The privacy laws in Sydney one are crap and two are not really followed but today I saw a great example of something to be scared of. I was in Kings Cross (Shopping I might add accompanied by my wife before you ask). We entered the swans club and as we are out of the 5km radius which allows us to enter as visitors we just have to prove it with photo ID. This is something we are all accustomed with. But when my wife gave it to them before you could say boo they scanned it and printed a "visitor pass" wtf?

Did they just take an electronic copy of my wife's drivers license ? Where is that stored ? How long do they keep it ? what do they use it for ? How do they dispose of the data when at end of life ?

There was no point going into a conversation with the burly front guy about his data security management plan so another potential risk to us a family...

2.) Then after a nice meal and a few czech beers I went to pay. I payed by visa and went to sign for the goods she checked my signature (could not speak english) her boss a guy who looked liked he'd worked in the cross for about 50 years next to her. She then proceed to ask me where on my visa was my security code (CVV2) I explained there but why and she wen to write it down !! Whoa sorry not letting you write that down.

The boss gave me a steely scare as I explained that was not required and not a practice merchants needed to use. He said it was good for him ... I'm sure it was given the dodgy area but I was not going to let them so I whipped my card away. The stare from the ex-croatian war vet was very chilling best I leave my PCI speech / best practices speech on this guy for another day ;-).

It's tough being a infosec professional ...