[Dailydave] "The organization I belong to doesn't have initials" (that evil dude in Heroes)
Nicolas RUFF
nruff at security-labs.org
Tue Nov 14 08:18:14 Local time 2006
>> When I was a consultant my shtick was that a "pen-test" is a complete
>> waste of time if you don't have
>> your other ducks in line. This was based on the un-scientific research
>> conducted by myself that
>> basically concluded that 99/100 pen-tests are almost always successful.
[...]
> That's a misleading way to frame the conversation, don't you think? A
> pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
> It's supposed to ask the open-ended questions, "How can you be hacked?" and
> "How can you fix it?"
In my experience, "99/100 internal pen-tests are successful during the
first 10 minutes, without using any 0day attack".
(I don't even own a CANVAS licence :)
This means:
- Domain admin account created with a trivial password, for someone who
never logged in.
- "Password.xls" file found on a public share.
- Variations: the share is hidden ('$' sign), the Excel file is
password-protected.
- Local admin password is the same on every workstation - once you get
yours, you can connect to any admin workstation.
- Service accounts can be used to log in anywhere, and passwords are
stored on every workstation (=> LSADUMP).
- VNC/PCAnywhere/... using the same password on all mission-critical
legacy NT4 servers.
- Blank "SA" password, especially in case of 3rd party applications that
silently installed an MSDE database.
- ...
How can you fix it? Certainly not by fuzzing and flaw-finding :)
Regards,
- Nicolas RUFF
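As an added illustration (not part of the post), a small Python audit that turns three of the findings above into checks a defender can run over an inventory export: privileged accounts that have never logged in, workstations sharing one local admin password fingerprint, and service accounts with no logon-workstation restriction. The inventory records are constructed; real input would come from AD and endpoint tooling, and the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not from the post). 'lastlogon' is None when the
# account has never logged in; 'local_admin_hash' is a per-host fingerprint of the
# local Administrator password (e.g. an NT hash, never the password itself);
# 'logon_workstations' lists hosts a service account may log on to ([] = anywhere).
ACCOUNTS = [
    {"name": "jdoe", "groups": ["Domain Users"], "lastlogon": "2006-11-01"},
    {"name": "tmp-admin", "groups": ["Domain Admins"], "lastlogon": None},
    {"name": "svc-backup", "groups": ["Domain Users"], "lastlogon": "2006-11-10",
     "service": True, "logon_workstations": []},
    {"name": "svc-sql", "groups": ["Domain Users"], "lastlogon": "2006-11-12",
     "service": True, "logon_workstations": ["SQL01"]},
]
HOSTS = [
    {"host": "WS001", "local_admin_hash": "h1"},
    {"host": "WS002", "local_admin_hash": "h1"},
    {"host": "WS003", "local_admin_hash": "h2"},
    {"host": "WS004", "local_admin_hash": "h1"},
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def never_used_privileged_accounts(accounts):
    """Privileged accounts with no logon ever: the 'created and forgotten' admin."""
    return sorted(a["name"] for a in accounts
                  if a["lastlogon"] is None and PRIVILEGED_GROUPS & set(a["groups"]))


def shared_local_admin_passwords(hosts):
    """Hosts grouped by local admin fingerprint; any group of 2+ means one
    compromised workstation yields local admin on all of them."""
    by_hash = defaultdict(list)
    for h in hosts:
        by_hash[h["local_admin_hash"]].append(h["host"])
    return {k: sorted(v) for k, v in by_hash.items() if len(v) > 1}


def unrestricted_service_accounts(accounts):
    """Service accounts with no logon-workstation restriction: usable from anywhere."""
    return sorted(a["name"] for a in accounts
                  if a.get("service") and not a.get("logon_workstations"))


def audit(accounts=ACCOUNTS, hosts=HOSTS):
    return {"never_used_privileged": never_used_privileged_accounts(accounts),
            "shared_local_admin": shared_local_admin_passwords(hosts),
            "unrestricted_service": unrestricted_service_accounts(accounts)}


if __name__ == "__main__":
    for finding, detail in audit().items():
        print(finding, detail)
```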