[Dailydave] "The organization I belong to doesn't have initials" (that evil dude in Heroes)

David Maynor dmaynor at gmail.com
Tue Nov 14 12:55:03 Local tim 2006


Using 0day in pentests is still very valid, IMHO. The goal of designing
a secure environment is that it could survive and repel an assault
from a determined attacker. Since the debate about whether 0day is
used in real world attacks seems to finally be over thanks to things
like IE and office bugs, a person has to take the 0day angle into
account while designing an infrastructure. Of course people that leave
password lists on open shares will care about this less than people
who have been through a pentest process and implemented the
suggestions.

On 11/14/06, Nicolas RUFF <nruff at security-labs.org> wrote:
> >> When I was a consultant my shtick was that a "pen-test" is a complete
> >> waste of time if you don't have
> >> your other ducks in line.  This was based on the un-scientific research
> >> conducted by myself that
> >> basically concluded that 99/100 pen-tests are almost always successful.
> [...]
> > That's a misleading way to frame the conversation, don't you think?  A
> > pen-test isn't supposed to answer the yes/no question, "Can you be hacked?"
> > It's supposed to ask the open-ended questions, "How can you be hacked?" and
> > "How can you fix it?"
>
> In my experience, "99/100 internal pen-tests are successful during the
> first 10 minutes, without using any 0day attack".
>
> (I don't even own a CANVAS licence :)
>
> This means:
> - Domain admin account created with a trivial password, for someone who
> never logged in.
> - "Password.xls" file found on a public share.
> - Variations: the share is hidden ('$' sign), the Excel file is
> password-protected.
> - Local admin password is the same on every workstation - once you get
> yours, you can connect to any admin workstation.
> - Service accounts can be used to log in anywhere, and passwords are
> stored on every workstation (=> LSADUMP).
> - VNC/PCAnywhere/... using the same password on all mission-critical
> legacy NT4 servers.
> - Blank "SA" password, especially in case of 3rd party applications that
> silently installed a MSDE database.
> - ...
>
> How can you fix it? Certainly not by fuzzing and flaw-finding :)
>
> Regards,
> - Nicolas RUFF
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
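The findings Nicolas lists are all things a defender can check for before any pentester shows up. The script below is an added example, not code from either poster; it runs the four checks (domain admins that never logged in, credential spreadsheets on shares including hidden `$` shares, one local admin password on every workstation, blank MSDE `sa`) over a small constructed inventory. All hostnames, hashes and paths are made up; a real audit would pull the same data from AD, a share crawl and the local SAM / SQL instances instead of literals.

```python
"""Audit a constructed Windows-estate inventory for the quick-win
misconfigurations described in the thread. Every value here is fake
and exists only so the checks can run offline."""
from collections import defaultdict

# Hypothetical domain admin export: who they are and when they last logged on.
DOMAIN_ADMINS = [
    {"sam": "administrator", "last_logon": "2006-11-13", "pwd_age_days": 40},
    {"sam": "backup_svc_adm", "last_logon": None, "pwd_age_days": 800},
]

# Hypothetical share crawl; note the hidden 'it$' share is included on purpose.
SHARE_LISTING = [
    r"\\fileserv\public\budget2006.xls",
    r"\\fileserv\it$\Password.xls",
    r"\\fileserv\public\notes\passwords_old.txt",
]

# Fake per-workstation hash of the local Administrator account. Identical
# values mean the same local admin password was set everywhere.
LOCAL_ADMIN_NT_HASH = {
    "ws01": "FAKEHASH-01",
    "ws02": "FAKEHASH-01",
    "ws03": "FAKEHASH-01",
    "ws04": "FAKEHASH-77",
}

# Hypothetical SQL/MSDE instance survey.
SQL_INSTANCES = [
    {"host": "app01", "instance": "MSDE", "sa_blank": True},
    {"host": "db01", "instance": "MSSQLSERVER", "sa_blank": False},
]

PASSWORD_NAME_HINTS = ("password", "passwd", "pwd", "credential")


def stale_domain_admins(admins):
    """Domain admins that exist but have never logged on (nobody uses them,
    so nobody notices the trivial password either)."""
    return [a["sam"] for a in admins if a["last_logon"] is None]


def password_files(paths):
    """Files whose name suggests a credential list, hidden shares included."""
    found = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if any(hint in name for hint in PASSWORD_NAME_HINTS):
            found.append(p)
    return found


def shared_local_admin(hashes, threshold=2):
    """Group hosts by local admin hash and report any group of `threshold`
    or more hosts: one compromised workstation then opens all of them."""
    by_hash = defaultdict(list)
    for host, h in hashes.items():
        by_hash[h].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) >= threshold}


def blank_sa(instances):
    """SQL/MSDE instances whose 'sa' account has an empty password."""
    return [f"{i['host']}\\{i['instance']}" for i in instances if i["sa_blank"]]


def audit():
    """Run every check and return the findings keyed by name."""
    return {
        "never_logged_in_domain_admins": stale_domain_admins(DOMAIN_ADMINS),
        "password_files_on_shares": password_files(SHARE_LISTING),
        "local_admin_hash_reuse": shared_local_admin(LOCAL_ADMIN_NT_HASH),
        "blank_sa": blank_sa(SQL_INSTANCES),
    }


if __name__ == "__main__":
    for finding, items in audit().items():
        print(f"{finding}: {items}")
```

Each check is deliberately cheap: none of them needs fuzzing or an exploit, which is the point Nicolas makes, and each maps directly to a fix (delete or re-password the unused admin, move the spreadsheet into a real secret store, randomise local admin passwords per host, set a real `sa` password or disable the account).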

