Dailydave mailing list archives

Re: Herps


From: Max Vision <vision () whitehats com>
Date: Sat, 28 Feb 2004 12:24:39 -0800 (PST)

On Fri, 27 Feb 2004, Dave Aitel wrote:
> So I just finished a week-long assessment of a software product and
> didn't even find a way to crash it. This sort of thing is very
> depressing to me, but does occasionally happen. It's like another
> assessment I did recently of a web application where the most
> interesting thing I found was cross-site-scripting.

I understand the feeling you are describing.  I felt that the strongest
when I first ran into a customer whose network I couldn't get into from
the outside-in.  ("first", relative to since I started doing full time
penetration for r&d/living money)  I always knew the time would come, and
had a sinking feeling, though I was happy for the customer :).  However, I
quickly compromised their network using client-centric attack.  It was
then that I decided to scrap my old model of penetration testing and
include client-centric attack as a mandatory part of the exercise.  I've
been confident about the 100% rate ever since.  The thing is my playing
field is *giant*.  You're doing the hard work.  The more narrowly you look
at something, naturally the less there is to see.  I know you are
Fuzzmaster Dave, but seems like you should expect more "failure" when
narrowly focused on one piece of code.

We're really talking apples and oranges with site versus application
assessment.  Different tools, different techniques; just the mindset is
the same.

> I occasionally hear people say "We always find something in our
> assessments. We've never failed to get in." Usually the way they
> justify this is by putting ICMP timestamp on their deliverables (or
> the equivalent - can we just take that out of Nessus now and stop
> having to see it ever again? So many other protocols (SMB and RSYNC
> for example) give you the current time that it's really not an issue.
> It's really not. Please, please take it out of your vulnerability
> database, nessus team, if you read this).

I agree that many reported findings are seemingly trivial, however I think
it is the responsibility of the person performing the audit to present the
results of his/her testing in a meaningful way.  ICMP timestamp or netmask
replies would be relevant if perhaps that was the only response at all
from a particular IP, so it would be an explanation for its existence on
the map (am I the only person who loves making Visio network maps
manually?)  It could also indicate a broken firewall ruleset that could be
a clue that leads them to find larger problems.  I don't think anything
should be left out... I just think that it should be reported
appropriately - in the right context in the right part of the report.

Speaking for myself though, about your comments, for me penetrating a
network is about concrete deliverables - the CEO's mailspool, adding entries
to a critical database, cutting demonstration payroll checks, handing
over a list of all the executives' passwords, etc.  I'm sure there are a
lot of security companies handing over default nessus output, and it's
shameful they often use the same language we do to describe their work.

Oh and about Nessus, it's a great tool, but really downright weird how so
many people fail utterly to CONFIGURE the darn thing and use it as they
should.  Based on what I've heard, it looks as though people just run the
default configuration without making any effort at all. <insert long rant
about nessus here, or not>

> I have to think that if you find something major on everything you
> assess that you are:
> 1. Way ahead of your time, skill-wise...like the ADM/ISS X-Force
> people, various people on this list who hate being named, MaXX, etc.

Hm, well personally I seem to know a lot, but often go through phases of
feeling really smart, and really stupid both.  I win in large part because
I am focused and stubborn, beating my head against a problem until it's
solved (hopefully learning something in the process).  Sometimes I do
something brilliant, but usually it's just ordinary hard work and LOTS of
time.  (btw I agree about MaXX - good job with the module yesterday! I have
some comments I'll write offlist)

Sorry about your bad luck on the audit Dave.  Although under NDA, maybe
you could share general observations about the application without
disclosing names or trade secret - what language it was written in, and
any special things they did to resist attack.  Did you have source?

Max
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
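The exchange above argues that an ICMP timestamp reply is noise on most hosts but becomes a real clue when it is the only thing a host answers, or when timestamp is permitted while echo is filtered. The following is an added example, not code from either poster or from Nessus: it parses a wire-format ICMP Timestamp Reply (RFC 792 layout, 20-byte header, milliseconds since midnight UT) and then sorts timestamp findings into "anomaly" versus "informational" according to the other responses seen from the same host. The scan results in SAMPLE_RESPONSES are constructed, and the response labels ("icmp-echo", "tcp/445", ...) and the function names are the example's own conventions.

```python
"""Context-aware triage of ICMP timestamp findings (added example, not from the thread)."""
import struct

ICMP_TIMESTAMP_REPLY = 14  # RFC 792 message type for Timestamp Reply

# Services the thread mentions as already exposing the host clock (constructed mapping).
TIME_LEAKING_SERVICES = {"tcp/445": "SMB", "tcp/873": "rsync"}

# Constructed scan results: host -> set of response labels observed during the sweep.
SAMPLE_RESPONSES = {
    "192.0.2.10": {"icmp-echo", "icmp-timestamp", "tcp/445"},  # clock already visible via SMB
    "192.0.2.11": {"icmp-timestamp"},                          # only answer from this host
    "192.0.2.12": {"icmp-timestamp", "tcp/80"},                # echo blocked, timestamp allowed
    "192.0.2.13": {"icmp-echo", "icmp-timestamp", "tcp/22"},   # plain low-value finding
    "192.0.2.14": {"tcp/22"},                                  # no timestamp reply at all
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp_reply(ident, seq, originate, receive, transmit) -> bytes:
    """Construct a Timestamp Reply header; used here only to produce sample input."""
    hdr = struct.pack("!BBHHHIII", ICMP_TIMESTAMP_REPLY, 0, 0,
                      ident, seq, originate, receive, transmit)
    return hdr[:2] + struct.pack("!H", internet_checksum(hdr)) + hdr[4:]


def parse_timestamp_reply(pkt: bytes) -> dict:
    """Parse the 20-byte Timestamp Reply header, verifying type and checksum."""
    if len(pkt) < 20:
        raise ValueError("short ICMP message")
    if internet_checksum(pkt[:20]) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq, orig, recv, xmit = struct.unpack("!BBHHHIII", pkt[:20])
    if typ != ICMP_TIMESTAMP_REPLY:
        raise ValueError("not a Timestamp Reply (type %d)" % typ)
    return {"ident": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}


def ms_to_clock(ms: int) -> str:
    """Render a timestamp field as HH:MM:SS.mmm UT; the high bit marks a non-standard value."""
    if ms & 0x80000000:
        return "non-standard (0x%08x)" % ms
    h, rem = divmod(ms, 3600_000)
    m, rem = divmod(rem, 60_000)
    s, milli = divmod(rem, 1000)
    return "%02d:%02d:%02d.%03d" % (h, m, s, milli)


def triage_icmp_timestamp(host_responses: dict) -> dict:
    """Return host -> (severity, note) for every host that answered ICMP timestamp.

    The severity depends on what else the host answered, which is the point
    made in the thread: the same reply is noise on one host and a ruleset
    clue on another.
    """
    findings = {}
    for host, seen in host_responses.items():
        if "icmp-timestamp" not in seen:
            continue
        others = seen - {"icmp-timestamp"}
        if not others:
            findings[host] = ("anomaly", "timestamp reply is the only response; explains the "
                                         "host's presence on the map and suggests a filtering gap")
        elif "icmp-echo" not in seen:
            findings[host] = ("anomaly", "timestamp permitted while echo is blocked; "
                                         "inconsistent ICMP filtering, review the ruleset")
        else:
            leaks = [name for port, name in TIME_LEAKING_SERVICES.items() if port in seen]
            if leaks:
                findings[host] = ("informational", "clock already exposed via %s; "
                                                   "report in the info-gathering appendix"
                                  % ", ".join(leaks))
            else:
                findings[host] = ("informational", "low-value clock disclosure; "
                                                   "report in the info-gathering appendix")
    return findings


if __name__ == "__main__":
    reply = parse_timestamp_reply(build_timestamp_reply(0x1234, 1, 1000, 5000, 5010))
    print("remote transmit time:", ms_to_clock(reply["transmit"]))
    for host, (sev, note) in sorted(triage_icmp_timestamp(SAMPLE_RESPONSES).items()):
        print("%-12s %-13s %s" % (host, sev, note))
```

The parser is there so the clock value can be quoted in the appendix; the triage rule is what decides whether the item belongs in the appendix or in the body of the report next to the firewall findings.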

