Thread: Pen Test (page 2 of 2, replies 11 to 16)

  1. #11 thehorse13 (Master-Jedi-Pimps0r & Moderator), joined Dec 2002, Washington D.C. area, 2,884 posts
    Preach on brother Tiger... LOL.


    Yes, I also approach friends in the industry (in the same fashion that Tiger and I worked his scan) and have them give a crack at my internet-facing servers. Typically they just verify what I already know (again, just like in Tiger's case) and then I feel very confident that I have been thorough in my tasks.

    My post wasn't exactly an opposing stance to JP's but rather a realistic glimpse into what the industry has degraded to (in my humble opinion of course).
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #12 AO Part Timer, joined Feb 2003, 332 posts

    > My post wasn't exactly an opposing stance to JP's but rather a realistic glimpse into what the industry has degraded to (in my humble opinion of course).

    See, this is the root of the whole problem. It is very true also. You give somebody who has no real desire at all a degree. Then s/he goes and works for Midnight Oil Server Company. They set up some stuff for your business. Two weeks later when your servers get owned, you realize all they have is a generic degree. Which allowed them to plug in all your ****, and then run a few config utilities. Out-of-the-box techs.

    Long and short of it: I disagree with you JP 100%. The industry has degraded a lot. Hell, I don't even work in the business and I can tell you that. I have been "gaming" with the admin at my place of employment for a few months now, using the same "feature in IE" to do whatever I want to his time clock computers via systemroot in the address line. But he is an MCSE.

    What I am saying is this. If you allowed your friend to check your setup, you might as well have checked it yourself. Chances are he knows and probably cares as much as you do. With the exception of a 10% group, which if you look around here you will find a lot of these folks.

    That is why we use tools like Nmap. When is the last time you or one of your friends wrote a tool even comparable to Nmap? (I withdraw my question if you personally know Fyodor [spelling of handle?])


    Be safe and stay free
    Your heart was talking, not your mind.
    -Tiger Shark

  3. #13 Banned, joined Jul 2001, 1,100 posts

    > Originally posted here by steve.milner
    >
    > Not entirely accurate JP
    >
    > That's the beauty of using the automated tools - you are relying on the authors' proficiency in vulnerability testing, and the more tools you use, the more proficiency you will bring to bear. Better still most tools (nessus esp.) will tell you about the problem and then either tell you how to resolve it, or point you in the direction of further info. Contrary to what you are suggesting, the use of these tools will actually improve your proficiency & knowledge.
    > Steve

    Well, that's all fine and dandy Steve, use automated tools, and learn things. Great! I just know that I wouldn't want it to be the security of MY company or MY servers that you're using these automated systems on so that you can "improve proficiency & knowledge".

    Live servers on live networks that are performing real work for real companies or real projects are not the place to be playing around to "improve your proficiency & knowledge". That's what test bed networks and your lan at home are for.

    I think that the points that you made in your post do little but to bolster my point that it's incredibly beneficial to have others do penetration tests for you.

    BTW: The little thing with you keeping your ssh keys on a usb drive to keep them "safe" is absolutely adorable. Unfortunately, a lot of other people think like you, and there are a bunch of trojans out there now that exist for the single purpose of downloading all of the important information that people keep on these things the second they're plugged in, then shipping it off to a host computer somewhere. Data is no safer on these than it is on your hard drive. And data on both are only as safe as the security of your system and network are.

  4. #14 Senior Member, joined Nov 2001, 1,255 posts

    > Originally posted here by JP
    > I have never understood the logic of people that do their own penetration tests.
    >
    > You set up a server to the best of your ability and the limits of your knowledge, then you examine it for vulnerability based on that same skill set and knowledge base? What is that supposed to accomplish?

    For one, it points out the flaws in your skillset and lack of knowledge regarding specific issues. People should do their own penetration testing for the same reason developers should do their own alpha testing: to pick up on the rather obvious things that can be overlooked.

    > Originally posted here by JP
    > Well, that's all fine and dandy Steve, use automated tools, and learn things. Great! I just know that I wouldn't want it to be the security of MY company or MY servers that you're using these automated systems on so that you can "improve proficiency & knowledge".

    Who said it had to be as a consultation, where a third party is being put at risk?

    > Live servers on live networks that are performing real work for real companies or real projects are not the place to be playing around to "improve your proficiency & knowledge". That's what test bed networks and your lan at home are for.

    Of course, you are 100% correct. Pen-testing on live systems is utter foolishness IMO. I don't see what was said that contradicted that idea.

    > I think that the points that you made in your post do little but to bolster my point that it's incredibly beneficial to have others do penetration tests for you.

    As a second step yes, but if a tool catches something incredibly obvious, or even a slight oversight, then why not? Where is the harm in doing it yourself?

    > Originally posted here by thehorse13
    > A few years back, this would be a valid argument/position. Today, there are so many tools that "do it all for you" that an in-depth understanding is no longer a requirement when doing pen testing. A perfect example of this is when auditors show up on-site with 100K worth of vulnerability assessment software yet none of them know what a PGP key is.

    An in-depth understanding is no longer required for any sort of security/vulnerability testing -- network-wise, system-wise, or even in the context of app development. There are so many tools out there for all areas it is literally becoming a job for people who are semi-computer literate. It's not a good thing IMO.

    > While I am from the oldskool and truly believe that you should be an expert when doing these sort of things, current industry conditions dictate otherwise.

    I agree, too many people are eager to wave around their paperwork which proves they passed some such cert or other, but are incapable of doing much more than working with a specific application or set of applications, and have little knowledge in whichever field they are doing this sort of thing in.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #15 Senior Member, joined Jan 2003, 3,914 posts

    > I agree, too many people are eager to wave around their paperwork which proves they passed some such cert or other, but are incapable of doing much more than working with a specific application or set of applications, and have little knowledge in whichever field they are doing this sort of thing in.
    Hey Hey,

    This is only part of the problem. Half the people we have are incompetent, but what about the other half? The knowledgeable people? They're so afraid of someone new coming in, that even when they are told about something or warned about something, they choose to disregard it. The problem is that IT people in general are cocky and arrogant; anyone that says otherwise is ignorant. We see it on here all the time, I, myself, am guilty of it. We don't want to be proven wrong, or dislike being shown up. I see a lot of this at work and it really pains me to see it. My supervisor asked me the other day if I wanted to move over to Network Services for my next co-op term, and I laughed and said it would never happen. She basically said they didn't hire me because they're scared of me... in my opinion you shouldn't be afraid of knowledge... you should welcome it with open arms, however a good chunk of IT people don't do that. I've seen people from NS tell me that a Cisco router won't operate without a password... and I've seen people with 30 years of industry experience tell me that you can sniff all the packets on any port of a switch with Ethereal. You correct these people and they just get mad, and look down on you because they have the "experience".

    Personally when it comes to pen testing, I think doing it yourself first is a good idea. I say screw the high priced consultants with their "experience" who say they have good experience. We scan at the college for viruses (a good chunk of you have seen pyscan that I developed for this period). Since they won't give us a port on the switch with port monitoring enabled, we have to simply scan for viruses that open ports. However they recently took away our ability to turn off these ports, we now have to go through them (they didn't like sharing the power). Now they are challenging our finds. After I find a port open, I service fingerprint it with nmap. If I get back a fingerprint it doesn't know, I look at it and see if it's anything or if it's just Kazaa on a random port. If I get an unknown with no fingerprint I assume virus (I prefer to hedge my bets and scan a few extra PCs rather than leave an infected machine). Anyways, one of the viruses we scan for is the outdated Nachi/Welchia worm because these are student machines and no one forces them to patch them. Now according to both Symantec and Trend Micro, the worm uses ports 666-765.. however most occurrences are found on port 707. In my last series of scans I found a machine with port 701 open, service couldn't be identified. I put in a request to have the connection terminated (they then call us and we fix it and they are re-enabled)... however I was vetoed because NS insisted that Nachi/Welchia only opens port 707. A debate ensued and I provided sources. However, apparently Symantec and Trend Micro know nothing about viruses and the admins at NS know everything. The result is that only 707 is an accepted port... everything else we're going to let go. In this case, I'd say the little guy (me) would be a better person to have working on the system than them (the experienced people). I'd be very upset if someone said oh you've got 15 ports open.. but they aren't common ports so we're not going to worry about them.

    The problem is people with experience can't be proven wrong, don't really care about their work and are only interested in the money. If you are running your own server and spending time in places like this learning more... then do the audit yourself. So what if it's a learning experience... the more you learn, the better job you'll do next time. Just make sure everything is logging and you have back-ups. If something happens and someone breaks in.. restore... read the logs and you've learned a little more. If you pay someone to come in and do it for you... you are never going to learn anything.. and they could be sloppy and miss.. or not care.. about a bunch of things. Audit yourself, get a friend to do it.. hell get a second friend to do it... You don't want to be hacked/cracked... no one does, however look around the internet. It happens quite often... to many people. If it happens to you... you won't be the first and you definitely won't be the last.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
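The triage HT describes in the post above (find an open port, service-fingerprint it with nmap, treat a port with no fingerprint as a suspected infection, and match it against the Nachi/Welchia port range) as an added Python example. This is not code from the post or from pyscan; it assumes nmap's grepable (-oG) output format and the 666-765 range that HT's post attributes to Symantec and Trend Micro, and the scan data below is constructed. Running the same scan through the full range and through "707 only" shows the port 701 host that the narrower rule drops.

```python
import re
from dataclasses import dataclass

# Port range HT's post attributes to Symantec and Trend Micro for
# Nachi/Welchia, and the single port the NS admins in the post would accept.
WELCHIA_PORT_RANGE = range(666, 766)   # 666-765 inclusive
WELCHIA_COMMON_PORT = 707

# Constructed nmap -oG (grepable) output from a -sV scan. Hosts, ports and
# results are made up for this example; they are not from the post.
SAMPLE_SCAN = (
    "Host: 10.20.30.11 ()\tPorts: 701/open/tcp//unknown///\tIgnored State: closed (999)\n"
    "Host: 10.20.30.12 ()\tPorts: 707/open/tcp//unknown///\n"
    "Host: 10.20.30.13 ()\tPorts: 1214/open/tcp//kazaa//Kazaa P2P/\n"
    "Host: 10.20.30.14 ()\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/, 80/closed/tcp//http///\n"
)


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    verdict: str  # "identified", "suspect-unknown" or "suspect-welchia"


_HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\tPorts:\s+([^\t]+)")


def parse_grepable(text):
    """Yield (host, port, state, service, version) for each port entry.

    Grepable port entries look like port/state/proto/owner/service/rpc/version/.
    """
    for line in text.splitlines():
        m = _HOST_LINE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, _proto, _owner, service, _rpc, version = fields[:7]
            yield host, int(port), state, service, version


def classify(port, service, version, welchia_ports):
    """Apply the triage rule from the post.

    A port counts as unfingerprinted when nmap returned no version string and
    no better service name than "unknown". Unfingerprinted ports are suspect;
    inside the worm's port range they are flagged as possible Welchia.
    """
    if version or service not in ("", "unknown"):
        return "identified"          # known service: look at it, not a worm hit
    if port in welchia_ports:
        return "suspect-welchia"
    return "suspect-unknown"


def triage(scan_text, welchia_ports=WELCHIA_PORT_RANGE):
    """Return a Finding for every open port in the scan."""
    findings = []
    for host, port, state, service, version in parse_grepable(scan_text):
        if state != "open":
            continue
        findings.append(
            Finding(host, port, service, classify(port, service, version, welchia_ports))
        )
    return findings


if __name__ == "__main__":
    for label, ports in (("666-765", WELCHIA_PORT_RANGE), ("707 only", {WELCHIA_COMMON_PORT})):
        print(f"== worm ports: {label}")
        for f in triage(SAMPLE_SCAN, welchia_ports=ports):
            print(f"{f.host}:{f.port} {f.service or '-'} -> {f.verdict}")
```

The point of the second pass is the one the post makes: with the worm range narrowed to 707, the host with an unidentified service on 701 is still reported, but only as a generic unknown, which is exactly the kind of finding that gets waved off as "not a common port".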

  6. #16 AO Ancient: Team Leader, joined Oct 2002, 5,197 posts
    HT: I don't disagree with your summation of many in the IT field.

    What follows is a broad generalization and will probably be badly put..... read into it to understand what I am saying and if you match the characteristics.... Don't be offended..... Learn from it - you'll be a better "geek" in the end.....

    Most of the people, especially those that have been around for a while, are not the most outgoing, well liked by their peers "college quarterback" types. For many, computers were something that "evened their playing field". They were a place they could "excel", (compared with others), and competition was not something that was an issue. Many got their jobs on the fact that they were some of the few who could make the computers work. Many of them suffered from some misconceptions such as those that HT mentioned but since there was no-one around that knew what a Cisco router was the misconception could never be challenged. Having spent enough time in this "godlike" place it is easy to begin to believe that you are special, always right and irreplaceable.

    Times have changed and while the times still generate similar kinds of people the industry is a lot more "open" than it was several years ago. The "old hacks" are still there, in more powerful positions, carrying the same bad information and having not learned a lot of the new stuff, (or not learned it well enough). Now they are confronted with the young "hotshots". Kids that grew up with computers from the time they could walk. A far greater proportion of these "young un's" are the antithesis of the "old hacks", they are outgoing, well liked by their peers, "quarterback" types. They aren't afraid, (like the "old hacks" were when they started), to challenge misconceptions and misinformation.

    After many years in the "godlike" state, with their often errant ideas firmly in place these people are scared. After all these years of harboring the misinformation unchallenged the one thing they did learn is economics..... It's cheaper and more efficient to hire a young "hotshot" who knows his stuff than it is to pay the aging "hack" who has built a nice salary over his years of tenure that isn't necessarily getting the best out of the network. That's a bloody scary thought for many. Couple that with the "normal" personality of the older "hacks" and you find that their only means of maintaining their position and "godlike" status is to protect it by keeping the "hotshots" at arm's length. Don't grant them access to things they know may be wrong, don't listen to what they have to say - do what you always did - issue an edict that doesn't really make sense but that protects your "godlike" status.

    It's all quite understandable if you look at the personalities involved. It's not right, far from it, but it's one of those nasty little facts of life. "Godlike" status _must_ remain unchallenged because it always has. Any challenge to the "godlike" status must be quashed for fear of being proven a false "god".

    These people are the bane of our industry, but they are there, they are entrenched and there's no-one who's going to do anything to remove them because they have trusted them for years..... Therefore they must be right.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
