Mailing List Archive: NANOG: users

Penetration Test Assistance

 

 



Timothy.Green at ManTech

Jun 5, 2012, 7:52 AM

Post #1 of 21 (579 views)
Penetration Test Assistance

Howdy all,

I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.

I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?

What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both? Any pentest horror stories?

Thanks,

Tim

________________________________
This e-mail and any attachments are intended only for the use of the addressee(s) named herein and may contain proprietary information. If you are not the intended recipient of this e-mail or believe that you received this email in error, please take immediate action to notify the sender of the apparent error by reply e-mail; permanently delete the e-mail and any attachments from your computer; and do not disseminate, distribute, use, or copy this message and any attachments.


lathama at gmail

Jun 5, 2012, 8:32 AM

Post #2 of 21 (567 views)
Re: Penetration Test Assistance [In reply to]

On Tue, Jun 5, 2012 at 10:52 AM, Green, Timothy
<Timothy.Green [at] mantech> wrote:
> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network.  We don't have a "complete" network diagram that shows everything and everywhere we are.  At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before.  Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate;  find everything else?  How would they access those areas that we haven't identified?   How can I give them access to stuff that I didn't know existed?
>
> What do you all do with your large networks?  One huge network diagram, a bunch of network diagrams separated by region, or both?  Any pentest horror stories?
>
> Thanks,
>
> Tim

Any penetration test should only require your networks and masks. As
far as a diagram it is of value to keep a staff member with the
singular task of documentation and auditing or an optional contract
basis. Small things like typographical errors can cause great
confusion in emergency situations. Take the time and do it right. I
personally prefer the flexibility and ease of use that Mediawiki
offers but other free and pay solutions exist.


--
~ Andrew "lathama" Latham lathama [at] gmail http://lathama.net ~
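Andrew's "networks and masks" point in practice, as an added example that is not part of this thread: the original poster has a pile of regional diagrams rather than one inventory, so the first job is to transcribe the prefixes off each diagram and merge them into a single scope list, catching the transcription errors Andrew warns about before the list reaches the testers. The regional lists below are constructed; the duplicate entry and the prefix with host bits set in "central" are deliberate.

```python
"""Consolidate per-region address inventories into one pentest scope.

Added example; the regional lists below are constructed, not a real network.
"""
import ipaddress
from itertools import combinations

# Constructed: what the regional diagrams might yield once someone transcribes
# the networks and masks off them. "central" contains a duplicate entry and a
# typo (host bits set), the kind of small error Andrew warns about.
REGIONAL_INVENTORIES = {
    "east": ["10.20.0.0/16", "10.21.0.0/16", "192.0.2.0/24"],
    "west": ["10.30.0.0/16", "10.20.4.0/24"],          # lies inside east's 10.20.0.0/16
    "central": ["10.40.0.0/16", "10.40.0.0/16", "10.50.1.7/24"],
}


def parse_region(region, entries):
    """Parse one region's CIDR list; strict=True rejects entries with host bits set."""
    good, bad = [], []
    for entry in entries:
        try:
            good.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            bad.append((region, entry, str(exc)))
    return good, bad


def find_overlaps(per_region):
    """Return every pair of prefixes that overlap, across or within regions."""
    items = [(region, net) for region, nets in per_region.items() for net in nets]
    return [
        (ra, str(na), rb, str(nb))
        for (ra, na), (rb, nb) in combinations(items, 2)
        if na.overlaps(nb)
    ]


def build_scope(inventories):
    """Merge all regions into a deduplicated, collapsed scope list.

    Returns the collapsed scope plus the overlaps and parse problems a human
    must resolve before the list is handed to the testers.
    """
    per_region, problems = {}, []
    for region, entries in inventories.items():
        good, bad = parse_region(region, entries)
        per_region[region] = good
        problems.extend(bad)
    overlaps = find_overlaps(per_region)
    every_net = [net for nets in per_region.values() for net in nets]
    # collapse_addresses drops duplicates, removes prefixes contained in
    # others, and merges adjacent blocks (10.20/16 + 10.21/16 -> 10.20/15).
    scope = [str(net) for net in ipaddress.collapse_addresses(every_net)]
    return {"scope": scope, "overlaps": overlaps, "problems": problems}


if __name__ == "__main__":
    result = build_scope(REGIONAL_INVENTORIES)
    print("scope to hand over:", ", ".join(result["scope"]))
    for ra, na, rb, nb in result["overlaps"]:
        print(f"overlap: {ra} {na} <-> {rb} {nb}")
    for region, entry, why in result["problems"]:
        print(f"rejected: {region} {entry}: {why}")
```

Overlaps are reported rather than silently merged because a /24 that appears under one region while its parent /16 belongs to another is exactly the kind of thing two diagrams disagree about; someone has to decide which record is right. Note that `collapse_addresses` merges adjacent blocks, so the handed-over list may be shorter than the sum of the regional lists; if the rules of engagement need to name each regional block, keep the per-region lists alongside the collapsed one.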


streiner at cluebyfour

Jun 5, 2012, 8:52 AM

Post #3 of 21 (567 views)
Re: Penetration Test Assistance [In reply to]

On Tue, 5 Jun 2012, Green, Timothy wrote:

> I'm a Security Manager of a large network, we are conducting a Pentest
> next month and the testers are demanding a complete network diagram of
> the entire network. We don't have a "complete" network diagram that
> shows everything and everywhere we are. At most we have a bunch of
> network diagrams that show what we have in various areas throughout the
> country. I've been asking the network engineers for over a month and
> they seem to be too lazy to put it together or they have no idea where
> everything is.

As someone who is charged with both engineering and maintaining the
records and diagrams of a large network, I take exception to the word
'lazy' ;) Network engineers tend to be an over-worked lot, and their work
is often interrupt-driven, so large blocks of time to work on a single
task are often a rarity.

The issue is that if they haven't kept their diagrams up to date (many
people don't, unfortunately), then getting them up to date turns into a
much more labor-intensive job. If they have kept the diagrams up to date
and they're just not getting them to you, then take the issue up with
their manager.

There might also be the question of how much information they are allowed
to release to third parties, even if it is for a pentest. This could mean
that some information might need to be removed or redacted from the
diagrams. Again, the engineering manager/director/CIO/CTO might be able
to provide clarification on this.

> I've never been in this situation before. Should I be honest to the
> testers and tell them here is what we have, we aren't sure if it's
> accurate; find everything else? How would they access those areas that
> we haven't identified? How can I give them access to stuff that I
> didn't know existed?

From what I've seen, in-depth pentests are often done in coordination with
other groups, such as engineering/ops. In a large network, that's often
done out of necessity, if for no other reason than dealing with issues
like the ones you've raised (logistics, communication, etc...).

> What do you all do with your large networks? One huge network diagram,
> a bunch of network diagrams separated by region, or both? Any pentest
> horror stories?

I don't have any pentest horror stories, but sometimes large network
diagrams have to be broken up into pieces, to maintain some degree of
readability. Large diagrams can get cluttered very quickly if you try to
put every minute piece of detail on them. I tend to treat the main
diagram as a high-level view of the network, and then either break out
sections that need more detail as a separate drawing, or as a link to our
internal knowledge base that can go into very high detail, including
pictures, access information, etc.

There is no right way to diagram every network. It depends on what best
suits your needs, and what established procedures are already in place.

jms


deleskie at gmail

Jun 5, 2012, 9:07 AM

Post #4 of 21 (567 views)
Re: Penetration Test Assistance [In reply to]

A complete diagram makes their life easier, may make for a more
complete test, but they are working for you, so if you don't have it,
you don't have. I'm not a big fan of having a single diagram with
everything laid out anyway, but I'm from the old school.

-jim

On Tue, Jun 5, 2012 at 11:52 AM, Green, Timothy
<Timothy.Green [at] mantech> wrote:
> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network.  We don't have a "complete" network diagram that shows everything and everywhere we are.  At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before.  Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate;  find everything else?  How would they access those areas that we haven't identified?   How can I give them access to stuff that I didn't know existed?
>
> What do you all do with your large networks?  One huge network diagram, a bunch of network diagrams separated by region, or both?  Any pentest horror stories?
>
> Thanks,
>
> Tim
>


joelja at bogus

Jun 5, 2012, 9:09 AM

Post #5 of 21 (567 views)
Re: Penetration Test Assistance [In reply to]

On 6/5/12 07:52 , Green, Timothy wrote:
> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a
> Pentest next month and the testers are demanding a complete network
> diagram of the entire network. We don't have a "complete" network
> diagram that shows everything and everywhere we are. At most we have
> a bunch of network diagrams that show what we have in various areas
> throughout the country. I've been asking the network engineers for
> over a month and they seem to be too lazy to put it together or they
> have no idea where everything is.
>
> I've never been in this situation before. Should I be honest to the
> testers and tell them here is what we have, we aren't sure if it's
> accurate; find everything else? How would they access those areas
> that we haven't identified? How can I give them access to stuff
> that I didn't know existed?
>
> What do you all do with your large networks? One huge network
> diagram, a bunch of network diagrams separated by region, or both?
> Any pentest horror stories?

Logical diagrams tend to elide the information considered unnecessary for
them to be suitably informative.

An ethernet switch with 560 network segments radiating out from it may
be accurate but not all that easy to parse or use.

Documentation needs to be sufficiently accurate and appropriate to the
tasks at hand, so it may be that you don't have what you need or perhaps
you do.

> Thanks,
>
> Tim
>


lostinmoscow at gmail

Jun 5, 2012, 9:34 AM

Post #6 of 21 (570 views)
Re: Penetration Test Assistance [In reply to]

It's not much of a penetration test, imho, if the "attackers" have detailed
knowledge of your network and systems before the attack. You should
determine what kind of a scenario you are trying to simulate, and how the
results will be used to improve security. Is this a "black box" situation,
where you want to see what potential attackers can discover about your
systems without insider information? Or will this be a step by step,
examine each part of the system and then step back to see what's going on
from a high level scenario?

If you're trying to both reduce vulnerabilities and your attack profile, I
would go for the black box approach and see what your pentesters can come
up with themselves. Man is a resourceful creature, and you never know what
they could turn up.

Q

On Tue, Jun 5, 2012 at 8:52 AM, Green, Timothy <Timothy.Green [at] mantech>wrote:

> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest
> next month and the testers are demanding a complete network diagram of the
> entire network. We don't have a "complete" network diagram that shows
> everything and everywhere we are. At most we have a bunch of network
> diagrams that show what we have in various areas throughout the country.
> I've been asking the network engineers for over a month and they seem to be
> too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before. Should I be honest to the
> testers and tell them here is what we have, we aren't sure if it's
> accurate; find everything else? How would they access those areas that we
> haven't identified? How can I give them access to stuff that I didn't
> know existed?
>
> What do you all do with your large networks? One huge network diagram, a
> bunch of network diagrams separated by region, or both? Any pentest horror
> stories?
>
> Thanks,
>
> Tim
>


BaklarR at amtrak

Jun 5, 2012, 9:41 AM

Post #7 of 21 (560 views)
RE: Penetration Test Assistance [In reply to]

Not discounting the need for network diagrams, there are also differing approaches to pen testing. One alternative is a sort of black-box approach where the pen testers are given little or no advance knowledge of the network. It is up to them to 'discover' what they can through open source means and commence their attacks from what they glean from their intelligence gathering. This way they are realistically mimicking the hacker methodology.

Ron Baklarz C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM
Chief Information Security Officer
Export Control Compliance Officer
National Passenger Railroad Corporation (AMTRAK)
10 G Street, NE Office 6E606
Washington, DC 20002
BaklarR [at] Amtrak

-----Original Message-----
From: Green, Timothy [mailto:Timothy.Green [at] ManTech]
Sent: Tuesday, June 05, 2012 10:53 AM
To: nanog [at] nanog
Subject: Penetration Test Assistance

Howdy all,

I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.

I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?

What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both? Any pentest horror stories?

Thanks,

Tim



alter3d at alter3d

Jun 5, 2012, 9:52 AM

Post #8 of 21 (558 views)
Re: Penetration Test Assistance [In reply to]

On 12-06-05 11:32 AM, Andrew Latham wrote:
> On Tue, Jun 5, 2012 at 10:52 AM, Green, Timothy
> <Timothy.Green [at] mantech> wrote:
>> Howdy all,
>>
>> I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.
>>
>> I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?
>>
>> What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both? Any pentest horror stories?
>>
>> Thanks,
>>
>> Tim
> Any penetration test should only require your networks and masks. As
> far as a diagram it is of value to keep a staff member with the
> singular task of documentation and auditing or an optional contract
> basis. Small things like typographical errors can cause great
> confusion in emergency situations. Take the time and do it right. I
> personally prefer the flexibility and ease of use that Mediawiki
> offers but other free and pay solutions exist.
>

Yup, a list of subnets in use on your network is all I've ever needed to
provide to pen testers in the past on the few occasions I've worked with
them. A good pen test should scan everything on your network anyways,
with a reasonable chance of figuring out what everything is.

As far as horror stories... yeah. My most memorable experience was a
guy (with a CISSP designation, working for a company who came highly
recommended) who:
- Spent a day trying to get his Backtrack CD to "work properly".
When I looked at it, it was just a color depth issue in X that took
about 45 seconds from "why is this broken?" to "hey look, I fixed it!".
- Completely missed the honeypot machine I set up for the test. I
had logs from the machine showing that his scanning had hit the machine
and had found several of the vulnerabilities, but the entire machine was
absent from the report.
- Called us complaining that a certain behavior that "he'd never
seen before" was happening when he tried to nmap our network. The
"certain behavior" was a firewall with some IPS functionality, along
with him not knowing how to read nmap output.
- Completely messed up the report -- three times. His report had
the wrong ports & vulnerabilities listed on the wrong IPs, so according
to the report, we apparently had FreeBSD boxes running IOS or MS SQL...
- Stopped taking our calls when we asked why the honeypot machine
was completely missing from the report.

In general, my experience with most "pen testers" is a severe
disappointment, and isn't anything that couldn't be done in-house by
taking the person in your department who has the most ingrained
hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza
and a big ass pot of coffee, and saying "Find stuff we don't know about.
Go.". There is the occasional pen tester who is absolutely phenomenal
and does the job properly (i.e. the guys who actually write their own
shellcode, etc), but the vast majority of "pen testers" just use
automated tools and call it a day. Like everything else in IT, security
has been "commercialized" to the point where finding really good
vendors/people is hard, because everyone and their mom has CEH, CISSP,
and whatever other alphabet soup certifications you can imagine.
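An added example, not from this thread, of the check Peter describes doing by hand: take the subnet list that was handed over as scope (Andrew's "networks and masks"), the delivered report's findings, the defender's own asset list, and the targets' logs, and classify every gap. A known in-scope host that is absent from the report but appears in its own logs as having been scanned from the tester's address is the honeypot case above: scanned, found, then dropped from the report. The scope, findings, asset list, tester source address and log format below are all constructed assumptions.

```python
"""Reconcile a delivered pentest report against the scope and the targets' own logs.

Added example; the scope, findings, asset list and log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Scope exactly as handed to the testers: networks and masks, nothing more.
SCOPE = ["10.20.0.0/16", "192.0.2.0/24"]

# Assumption: the tester's source address as agreed in the rules of engagement.
TESTER_SOURCES = {"198.51.100.7"}

# Constructed asset list, including a honeypot the report is expected to mention.
KNOWN_ASSETS = {
    "10.20.1.10": "mail relay",
    "10.20.1.20": "honeypot (deliberately vulnerable)",
    "10.20.3.40": "lab switch management",
    "192.0.2.5": "public web server",
}

# Constructed findings as extracted from the delivered report.
REPORT_FINDINGS = [
    {"ip": "10.20.1.10", "port": 25, "service": "smtp"},
    {"ip": "192.0.2.5", "port": 443, "service": "https"},
    {"ip": "192.0.2.5", "port": 22, "service": "ssh"},
    {"ip": "203.0.113.9", "port": 80, "service": "http"},   # not in scope at all
]

# Constructed target-side log lines; the format is an assumption, not a real daemon's.
TARGET_LOG = """\
Jun  5 10:12:01 honeypot sshd[2210]: Connection from 198.51.100.7 to 10.20.1.20 port 22
Jun  5 10:12:03 honeypot smbd[2215]: Connection from 198.51.100.7 to 10.20.1.20 port 445
Jun  5 11:40:17 honeypot sshd[2290]: Connection from 10.20.1.10 to 10.20.1.20 port 22
"""

LOG_RE = re.compile(r"Connection from (?P<src>[\d.]+) to (?P<dst>[\d.]+) port \d+")


def parse_scope(cidrs):
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_scope(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def scanned_targets(log_text, tester_sources):
    """Destination addresses that the tester's source addresses actually touched."""
    touched = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("src") in tester_sources:
            touched.add(m.group("dst"))
    return touched


def reconcile(scope_cidrs, known_assets, findings, log_text, tester_sources):
    """Split the report into in-scope findings, out-of-scope noise, and gaps.

    A known in-scope asset absent from the report is a gap; the log decides
    whether it was scanned and dropped from the report, or never reached.
    """
    networks = parse_scope(scope_cidrs)
    reported = defaultdict(list)
    out_of_scope = set()
    for f in findings:
        if in_scope(f["ip"], networks):
            reported[f["ip"]].append((f["port"], f["service"]))
        else:
            out_of_scope.add(f["ip"])
    touched = scanned_targets(log_text, tester_sources)
    missing = {
        ip: {"asset": desc, "scanned": ip in touched}
        for ip, desc in known_assets.items()
        if ip not in reported and in_scope(ip, networks)
    }
    return {"reported": dict(reported), "out_of_scope": sorted(out_of_scope), "missing": missing}


if __name__ == "__main__":
    result = reconcile(SCOPE, KNOWN_ASSETS, REPORT_FINDINGS, TARGET_LOG, TESTER_SOURCES)
    for ip, info in result["missing"].items():
        state = "scanned but absent from report" if info["scanned"] else "never reached"
        print(f"{ip} ({info['asset']}): {state}")
    for ip in result["out_of_scope"]:
        print(f"{ip}: reported but outside the agreed scope")
```

The two kinds of gap call for different conversations with the vendor: "never reached" may be a routing or firewall problem on the defender's side, while "scanned but absent from report" is the report-quality problem Peter hit. A finding against an address outside the agreed scope is worth raising too, since it either means the scope list was wrong or the tester strayed from the rules of engagement.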


bill at herrin

Jun 5, 2012, 10:23 AM

Post #9 of 21 (559 views)
Re: Penetration Test Assistance [In reply to]

On 6/5/12, Green, Timothy <Timothy.Green [at] mantech> wrote:
> I'm a Security Manager of a large network, we are conducting a Pentest next
> month and the testers are demanding a complete network diagram of the entire
> network. We don't have a "complete" network diagram that shows everything
> and everywhere we are. At most we have a bunch of network diagrams that
> show what we have in various areas throughout the country. I've been asking
> the network engineers for over a month and they seem to be too lazy to put
> it together or they have no idea where everything is.
>
> I've never been in this situation before. Should I be honest to the testers
> and tell them here is what we have, we aren't sure if it's accurate; find
> everything else?

Tim,

Your system is what it is, including any defects in configuration
management. Provide the testers with what you have, give them contact
info for the engineers so they can ask questions and specify that you
expect strengths and weaknesses in configuration management which
impact system security to be reflected in their report.

Regards,
Bill Herrin



--
William D. Herrin ................ herrin [at] dirtside bill [at] herrin
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004


aledm at qix

Jun 5, 2012, 10:47 AM

Post #10 of 21 (559 views)
Re: Penetration Test Assistance [In reply to]

On 5 June 2012 15:52, Green, Timothy <Timothy.Green [at] mantech> wrote:

> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest
> next month and the testers are demanding a complete network diagram of the
> entire network.
>
>
I'd treat this as the first of their pen tests - a social engineering
attack to obtain secret information about the network, and refuse.

Aled


xenophage at godshell

Jun 5, 2012, 11:05 AM

Post #11 of 21 (560 views)
Re: Penetration Test Assistance [In reply to]

On Jun 5, 2012, at 12:52 PM, Peter Kristolaitis <alter3d [at] alter3d> wrote:
> In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. Go.". There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who actually write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call it a day. Like everything else in IT, security has been "commercialized" to the point where finding really good vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup certifications you can imagine.

There are definitely a number of incredible pen-testers out there. But I agree with Peter… If you end up with a "report" that's nothing more than an executive statement pasted at the top of a Nessus report, then you've wasted your money. To be honest, I'd recommend getting a sample report from the company and quiz them on it before committing to a contract with them.

---------------------------
Jason 'XenoPhage' Frisvold
xenophage [at] godshell
---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law


bgreene at senki

Jun 5, 2012, 11:06 AM

Post #12 of 21 (558 views)
Re: Penetration Test Assistance [In reply to]

Hi Tim,

A _good_ pen test team would not need a network diagram. Their first round of penetration test would have them build their own network diagram from their analysis of your network.

Barry


On Jun 5, 2012, at 7:52 AM, Green, Timothy wrote:

> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest next month and the testers are demanding a complete network diagram of the entire network. We don't have a "complete" network diagram that shows everything and everywhere we are. At most we have a bunch of network diagrams that show what we have in various areas throughout the country. I've been asking the network engineers for over a month and they seem to be too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before. Should I be honest to the testers and tell them here is what we have, we aren't sure if it's accurate; find everything else? How would they access those areas that we haven't identified? How can I give them access to stuff that I didn't know existed?
>
> What do you all do with your large networks? One huge network diagram, a bunch of network diagrams separated by region, or both? Any pentest horror stories?
>
> Thanks,
>
> Tim
>


darden at armc

Jun 5, 2012, 11:33 AM

Post #13 of 21 (560 views)
RE: Penetration Test Assistance [In reply to]

Seriously.

--p


-----Original Message-----
From: Aled Morris [mailto:aledm [at] qix]

I'd treat this as the first of their pen tests - a social engineering
attack to obtain secret information about the network, and refuse.

Aled


darden at armc

Jun 5, 2012, 11:34 AM

Post #14 of 21 (563 views)
RE: Penetration Test Assistance [In reply to]

I'm with Barry--a network diagram showing everything from the pov of the pen team should be part of the end report.

--p

-----Original Message-----
From: Barry Greene [mailto:bgreene [at] senki]

Hi Tim,

A _good_ pen test team would not need a network diagram. Their first round of penetration test would have them build their own network diagram from their analysis of your network.

Barry


hhoffman at ip-solutions

Jun 5, 2012, 11:37 AM

Post #15 of 21 (561 views)
Re: Penetration Test Assistance [In reply to]

There are lots of reasons why a pentester would want a network diagram.

The foremost being a point to which they can say, these are the networks
that I was given as a point of reference to pentest.

This is often a CYA policy for when people start complaining about the
scanning that is going to occur and potentially break their systems.

Cheers,
Harry

On 06/05/2012 02:34 PM, Darden, Patrick S. wrote:
>
> I'm with Barry--a network diagram showing everything from the pov of the pen team should be part of the end report.
>
> --p
>
> -----Original Message-----
> From: Barry Greene [mailto:bgreene [at] senki]
>
> Hi Tim,
>
> A _good_ pen test team would not need a network diagram. Their first round of penetration test would have them build their own network diagram from their analysis of your network.
>
> Barry
>
>


bicknell at ufp

Jun 5, 2012, 11:39 AM

Post #16 of 21 (564 views)
Re: Penetration Test Assistance [In reply to]

The bit of information that's missing here is what are you trying
to pentest, and by extension how much do you want to pay your pentest
firm?

For some folks a pentest means starting with zero information and
trying to get IP packets past a firewall or IDSes undetected.
Basically pentesting layer 3 infrastructure.

For other folks a pentest is purely an application level exercise,
you give the pentester an account on your customer portal for
instance, a full network diagram, and let them try things like SQL
injection or cross site scripting at the applications layer.

Your pentest firm can start with zero information and work all the
way up to an application level attack, but that's costly and time
consuming. Providing them some information is a way to short circuit
the process.

If you (or appropriate company representative) haven't already
discussed the pros and cons with your pentest firm you're off on the
wrong foot.

--
Leo Bicknell - bicknell [at] ufp - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/


dennis at justipit

Jun 5, 2012, 12:47 PM

Post #17 of 21 (553 views)
Re: Penetration Test Assistance [In reply to]

Tim,

In the past I've used high level diagrams to illustrate the overall network
topology with individual tabs (drill down) per data center or POP.
The first step to assessing risk is to identify your assets. I'd suggest
performing a discovery of your network. Keep in mind Pen tests are
typically inconclusive of availability based threats DOS/DDOS (a very high
risk today) and in fact specifically avoid tests which might cause
degradation of service. I'd suggest including volumetric network (tcp,
udp), application floods (http get, post, etc. /dns query floods, etc.) and
slow and low attacks.

Best of Luck,

Dennis

--------------------------------------------------
From: "Baklarz, Ron" <BaklarR [at] amtrak>
Sent: Tuesday, June 05, 2012 12:41 PM
To: "Green, Timothy" <Timothy.Green [at] ManTech>
Cc: <nanog [at] nanog>
Subject: RE: Penetration Test Assistance

> Not discounting the need for network diagrams, there are also differing
> approaches to pen testing. One alternative is a sort of black-box
> approach where the pen testers are given little or no advance knowledge
> of the network. It is up to them to 'discover' what they can through open
> source means and commence their attacks from what they glean from their
> intelligence gathering. This way they are realistically mimicking the
> hacker methodology.
>
> Ron Baklarz C|CISO, CISSP, CISA, CISM, NSA-IAM/IEM
> Chief Information Security Officer
> Export Control Compliance Officer
> National Passenger Railroad Corporation (AMTRAK)
> 10 G Street, NE Office 6E606
> Washington, DC 20002
> BaklarR [at] Amtrak
>
> -----Original Message-----
> From: Green, Timothy [mailto:Timothy.Green [at] ManTech]
> Sent: Tuesday, June 05, 2012 10:53 AM
> To: nanog [at] nanog
> Subject: Penetration Test Assistance
>
> Howdy all,
>
> I'm a Security Manager of a large network, we are conducting a Pentest
> next month and the testers are demanding a complete network diagram of the
> entire network. We don't have a "complete" network diagram that shows
> everything and everywhere we are. At most we have a bunch of network
> diagrams that show what we have in various areas throughout the country.
> I've been asking the network engineers for over a month and they seem to
> be too lazy to put it together or they have no idea where everything is.
>
> I've never been in this situation before. Should I be honest to the
> testers and tell them here is what we have, we aren't sure if it's
> accurate; find everything else? How would they access those areas that
> we haven't identified? How can I give them access to stuff that I didn't
> know existed?
>
> What do you all do with your large networks? One huge network diagram, a
> bunch of network diagrams separated by region, or both? Any pentest
> horror stories?
>
> Thanks,
>
> Tim
>


brett at the-watsons

Jun 5, 2012, 12:48 PM

Post #18 of 21 (550 views)
Re: Penetration Test Assistance [In reply to]

On Jun 5, 2012, at 9:52 AM, Peter Kristolaitis wrote:

>
> As far as horror stories... yeah. My most memorable experience was a guy (with a CISSP designation, working for a company who came highly recommended) who:
> - Spent a day trying to get his Backtrack CD to "work properly". When I looked at it, it was just a color depth issue in X that took about 45 seconds from "why is this broken?" to "hey look, I fixed it!".
> - Completely missed the honeypot machine I set up for the test. I had logs from the machine showing that his scanning had hit the machine and had found several of the vulnerabilities, but the entire machine was absent from the report.
> - Called us complaining that a certain behavior that "he'd never seen before" was happening when he tried to nmap our network. The "certain behavior" was a firewall with some IPS functionality, along with him not knowing how to read nmap output.
> - Completely messed up the report -- three times. His report had the wrong ports & vulnerabilities listed on the wrong IPs, so according to the report, we apparently had FreeBSD boxes running IOS or MS SQL...
> - Stopped taking our calls when we asked why the honeypot machine was completely missing from the report.
>
> In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. Go.". There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who actually write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call it a day. Like everything else in IT, security has been "commercialized" to the point where finding really good vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup certifications you can imagine.

I agree with a lot of what you've said, but there are absolutely good security guys (pen tester, vulnerability assessors, etc) that use both open source and commercial automated tools, but still do a fantastic job because they understand the underlying technologies and protocols.

I used to do a lot of this in the past, had lots of automated tools, and only occasionally wrote some assessment modules or exploit code if necessary.

But again, a person in that position has to understand technology holistically (network, systems, software, protocols, etc).

-b


baconzombie at gmail

Jun 5, 2012, 1:13 PM

Post #19 of 21
Re: Penetration Test Assistance

You should have a look at the Pentest Standards page, it was created
by some very skilled Pen Testers who are trying to create a minimum
standard for all tests and reporting.

http://www.pentest-standard.org/index.php/Main_Page

Also you should just have to give them your external net-block
allocation that is in scope unless it is a more forced test and not a
general external test.




--
BaconZombie

LOAD "*",8,1


alter3d at alter3d

Jun 5, 2012, 1:24 PM

Post #20 of 21
Re: Penetration Test Assistance

On 12-06-05 03:48 PM, Brett Watson wrote:
> I agree with a lot of what you've said, but there are absolutely good security guys (pen tester, vulnerability assessors, etc) that use both open source and commercial automated tools, but still do a fantastic job because they understand the underlying technologies and protocols.
>
> I used to do a lot of this in the past, had lots of automated tools, and only occasionally wrote some assessment modules or exploit code if necessary.
>
> But again, a person in that position has to understand technology holistically (network, systems, software, protocols, etc).
>
> -b

I completely agree. I didn't mean to imply that using automated tools
is a bad thing -- simply that running an automated tool to pump out a
report with no further investigation isn't really a useful pen test.
I've seen vendors whose "comprehensive penetration testing" was
basically "We'll run Nessus against your network, write up an executive
summary and email you the scan results. Quite the bargain for $20K!"

Automated tools are definitely good to provide a first pass over a
network, but even then multiple tools should be used, and an experienced
eye should review the results for anomalies (whether that's a
vulnerability that has a chance for false positives, discrepancies
between the results of two or more automated tools, etc). That kind of
work, along with more aggressive pen tests and exploit development, need
a "guru meditation"-level understanding of the involved technologies,
protocols, etc, as you mentioned.

Like everything else in IT, the specific tools used are more or less
immaterial to an excellent practitioner -- a good programmer can hack
code in any language, a good network engineer can use any brand of
network equipment, etc -- because these types of people truly understand
the systems they're dealing with, and use tools to accomplish a specific
task which fits into part of the "big picture" they have in their
heads. Poor practitioners in a field use tools for the sake of using
the tool ("I'm scanning a network with Nessus because that's what the
certification course told me to do") without that deep level of
understanding, and therefore don't provide any real value to the process.

- Pete
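Pete's point above about running more than one tool and having an experienced eye review the results for discrepancies, together with BaconZombie's point about handing the testers only the net-block that is in scope, can be turned into a mechanical first-pass check before anyone reads the report. The following is an added example, not code from this thread or from any of the tools named: it parses constructed sample output in nmap's grepable (-oG) style and a constructed, column-trimmed Nessus CSV, then lists hosts reported outside the agreed scope, inventory hosts a tool missed entirely (the honeypot case from the horror story), and ports on which the two tools disagree. The scope CIDR, the asset inventory and every host address are assumptions, and the parsers are illustrative and only handle the fields shown.

```python
import csv
import io
import ipaddress

# Constructed sample in nmap's grepable (-oG) style: one "Host: ... Ports: ..." line
# per host; each port entry is port/state/proto/owner/service/rpc/version/.
NMAP_GREPABLE = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/, 25/filtered/tcp//smtp///
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https//Apache httpd/, 1433/open/tcp//ms-sql-s//Microsoft SQL Server/
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 21/open/tcp//ftp//vsftpd 2.3.4/
Host: 198.51.100.5 ()\tPorts: 23/open/tcp//telnet//Cisco IOS telnetd/
"""

# Constructed sample in the shape of a Nessus CSV export, trimmed to the columns
# this check needs (a real export also carries Plugin ID, CVSS, Risk, etc.).
NESSUS_CSV = """\
Host,Port,Protocol,Name
192.0.2.10,22,tcp,SSH Server Type and Version
192.0.2.10,80,tcp,HTTP Server Type and Version
192.0.2.10,0,tcp,OS Identification
192.0.2.11,443,tcp,HTTP Server Type and Version
192.0.2.11,3389,tcp,Terminal Services Detection
"""

SCOPE_CIDRS = ["192.0.2.0/24"]  # assumed: the net-block handed to the testers as in scope
INVENTORY = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}  # assumed: our own asset list; .12 is the honeypot


def parse_nmap_grepable(text):
    """Return {host: {(port, proto), ...}} for ports nmap reported as open."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split("\t")
        host_field = next((f for f in fields if f.startswith("Host: ")), None)
        ports_field = next((f for f in fields if f.startswith("Ports: ")), None)
        if host_field is None or ports_field is None:
            continue  # comment lines, or hosts with no Ports: section
        host = host_field.split()[1]
        found = set()
        for entry in ports_field[len("Ports: "):].split(", "):
            parts = entry.split("/")
            if len(parts) >= 3 and parts[1] == "open":
                found.add((int(parts[0]), parts[2]))
        hosts[host] = found
    return hosts


def parse_nessus_csv(text):
    """Return {host: {(port, proto), ...}}; port 0 rows are host-level findings, not ports."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["Port"])
        hosts.setdefault(row["Host"], set())
        if port:
            hosts[row["Host"]].add((port, row["Protocol"].lower()))
    return hosts


def reconcile(scope_cidrs, inventory, scans):
    """scans: {tool: {host: {(port, proto)}}}. Returns three review lists: hosts
    reported outside the agreed scope, inventory hosts each tool missed, and
    per-host port sets on which the tools disagree."""
    nets = [ipaddress.ip_network(c) for c in scope_cidrs]
    reported = set().union(*(hosts.keys() for hosts in scans.values()))
    out_of_scope = sorted(
        h for h in reported if not any(ipaddress.ip_address(h) in n for n in nets)
    )
    missing_from = {tool: sorted(inventory - set(hosts)) for tool, hosts in scans.items()}
    # Only compare ports on hosts every tool saw; hosts a tool missed entirely
    # are already listed in missing_from.
    seen_by_all = set.intersection(*(set(hosts) for hosts in scans.values()))
    discrepancies = {}
    for host in sorted(seen_by_all):
        per_tool = {tool: hosts[host] for tool, hosts in scans.items()}
        union = set().union(*per_tool.values())
        gaps = {tool: sorted(union - ports) for tool, ports in per_tool.items() if union - ports}
        if gaps:
            discrepancies[host] = gaps
    return {"out_of_scope": out_of_scope, "missing_from": missing_from, "port_discrepancies": discrepancies}


def report():
    """Run the reconciliation over the constructed samples above."""
    scans = {"nmap": parse_nmap_grepable(NMAP_GREPABLE), "nessus": parse_nessus_csv(NESSUS_CSV)}
    return reconcile(SCOPE_CIDRS, INVENTORY, scans)


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed data this flags 198.51.100.5 as reported outside the agreed net-block, 192.0.2.12 as absent from one tool's results even though the other tool saw it, and 192.0.2.11 as a host where the two tools disagree on open ports. None of these three is a finding on its own; each is exactly the kind of anomaly that an experienced reviewer should chase down before the report is accepted.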


brett at the-watsons

Jun 5, 2012, 1:31 PM

Post #21 of 21
Re: Penetration Test Assistance

On Jun 5, 2012, at 11:34 AM, Darden, Patrick S. wrote:

>
> I'm with Barry--a network diagram showing everything from the pov of the pen team should be part of the end report.

Maybe, maybe not. It all depends on the scope of the engagement. I've had customers ask for very specific pen test of a group of servers, or specific applications, wherein they provide all the topology, system, and network info, and just want me to look at one specific area.

Then of course others want a "black box" assessment, wherein they don't tell you anything, and expect you to discover whatever you can discover.

I'm personally very specific about scoping, and just give the customer exactly what they want but you've got to "interview" each other to figure all of that out. And totally agree with a previous poster, you should always get a redacted or sample report to see what kind of quality you can expect in the finished product.

-b
