Showing posts with label penetration testing.

Friday, June 22, 2007

Making our mark

It was time to go. We’d succeeded in breaking into their primary systems and had installed our backdoor. We hung the company shirt and other marketing tchotchkes around the room.

Now we had to get out quietly. We waited until we could mix with a shift change and left unnoticed in the crowd.

At the front entrance, we asked to see the security chief. The guards were confused. They didn’t believe us when we said that their boss was in his office. Our mission was complete. The news was not good.

We’ve turned south now. The Aleutians are falling behind us. I can see the first hint of dawn, and home is six hours away.

The end (part 7 of 7). Go back to part 1.

Monday, June 4, 2007

Fourth time is a charm

It was 23:30 local time. We’d just adjusted our tools for another try. Lights had switched off as the last few employees had left. We knew it was time to move.

The “finger” pressed the button, the lock released. Now, on to the prize: we entered the room into the camera’s blind spot. We were behind the server farm. The safety lighting gave us a clear view past the racks. Our targets (the file servers, databases and external firewall) were all in this room. We knew that we had to move fast, capture the data, and, if possible, backdoor the firewall so that we could re-enter from the Internet — this was our goal.

We had arranged our priorities. If we could capture next year’s product design, our client would be chagrined. If we could capture the design for two years hence, they would be appalled. If we could backdoor the firewall and demonstrate the ability to pillage at will… It’s an interesting job; we were earning our payday by emulating our client’s worst enemy or most ruthless competitor.

Part 6 of 7 (to be continued)

Friday, May 4, 2007

Pen testing

Hi Michael,

I was wondering if I could get a little pen testing advice. What were the primary factors in determining the cost for a penetration test? In general, what is a ballpark range that is reasonable to charge for, say, 5 external IPs/servers?

Thanks,

(name withheld)

Well, like everything, that will depend on several factors.

  • Is this an external attack only, or internal, external and wireless?
  • Is social engineering involved, will a physical penetration be attempted?
  • Will you be dumpster diving?

My guess from your question is that you are performing a remote network penetration test without social engineering.

The scope of work then depends on the level of adversary you are imitating:

  1. Motivated attacker: a user with inside knowledge, or a professional seeking monetary gain
  2. Robot master: someone looking for bots to add to their army
  3. Opportunist: a script kiddie or other non-professional attempting to crack systems for the rush

Level 3 is a little above what you can do with a flat Nessus scan. I'd certainly add a little Metasploit work and some light web application inspection, looking for obvious input-handling flaws.

Level 2 will run several well-known exploits and perhaps a 0day. You need to take a very careful look at the attack surface, and verify that every web application validates its input (including under multiple encodings) and prevents script and SQL injection.

Level 1 will do all of the above, plus deep research on the target and the target's employees; defending against this level is beyond the capability of a small-business IT department.

For a client with only five external IPs, simulating either a level 2 or level 3 attack is your best bet.

You should be able to perform a Level 3 with automated tools and a little manual work on the more interesting targets. Three hours per IP address is probably a reasonable guess, but you won't actually spread your time that evenly.

Level 2 is tougher; a true attacker of this type hits you and moves on. However, since we can't predict the exact exploits that this attacker would use, a pen-tester has to perform a far more thorough review of the attack surface. This attack simulation will start at a few minutes per IP address, but you should expect to spend 5-10 hours (each) inspecting specific web application services and web server code for flaws. You will need to run exploit and possibly denial-of-service attacks. Economically, you can’t bid this at more than 5-10 hours per IP address, but you could easily double that amount of time if you run into an interesting web application.

My estimates include the time for testing, data gathering and report writing -- never underestimate the time you will spend on the report. The report is the most lasting and visible product of your efforts.

Most small clients can bite off a blend of these two attack scenarios: cover all of the systems with an automated scan and a little manual follow-up, but spend a day or two taking a hard look at their primary web server and/or back-end.

Sunday, April 8, 2007

Sample Stay out of Trouble Language

This posting is provided "AS IS" with no warranties.
The question of safe penetration testing or security research comes up time and again. Good guys get prosecuted too. [1] [2]

So, to follow-up my comment on RSnake's recent post, here is something that I have used to stay out of trouble.

DISCLAIMER: I am not a lawyer. If in doubt, ALWAYS, ALWAYS, ALWAYS get professional advice from an attorney. I hope this document puts the reader on the right track and helps keep them out of trouble.

CompanyName (“COMPANY”) hereby accepts the services and the related terms and conditions set forth in the attached Statement of Work (the “SOW”) of SecurityResearcher (“HACKER”).

COMPANY expressly acknowledges that the performance of these services will require HACKER to gain access to COMPANY confidential and proprietary network and information assets, and authorizes this access for the purposes described in the SOW, subject, however, to the Mutual Nondisclosure Agreement, dated ____________________, between COMPANY and HACKER (the “NDA”).

Due to the nature of the services contemplated by the SOW, COMPANY acknowledges that no representation or warranty can be made by HACKER with respect to such services or the efficacy thereof. In particular, COMPANY acknowledges that damage to COMPANY systems or information could result from the performance of such services, and that, following completion of such services, there can be no assurance that the COMPANY network will be secure or that unauthorized access thereof will not occur.

WITHOUT LIMITING THE FOREGOING, HACKER MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS WITH RESPECT TO ITS PERFORMANCE OF THE SERVICES HEREUNDER OR ANY DELIVERABLES CONTEMPLATED HEREBY, INCLUDING WITHOUT LIMITATION ANY REPRESENTATION OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

In order to induce HACKER to perform its services, COMPANY is accepting the terms and conditions and making the representations set forth herein, and COMPANY irrevocably waives and releases, and shall be estopped from asserting, any claims for damages or otherwise arising out of or in connection with the services, except as expressly contemplated by the NDA.

COMPANY represents and warrants that the COMPANY information systems to be accessed by HACKER do not contain confidential or proprietary information or other property belonging to any person other than COMPANY, or any classified information. By accepting HACKER’s services, COMPANY assumes any and all liability for any disclosure of any third-party confidential or proprietary information assets, or any classified information, arising out of or resulting from such services, and agrees to indemnify, defend and hold harmless HACKER from and against any claim, loss or liability asserted by any person arising out of or relating to any such disclosure, subject, however, to the NDA.

COMPANY expressly authorizes HACKER to gain access, including without limitation external network access and without regard to the COMPANY Information Security Policy, to all COMPANY computer networks and information systems as is reasonable and necessary, in HACKER’s sole judgment, for the purposes described in the SOW, and COMPANY acknowledges that such access shall be obtained by HACKER with the express permission of COMPANY and that such access is not a violation of any federal, state or local laws, rules or regulations, including without limitation the Computer Crime Act of 1986, as amended, or the Economic Espionage Act of 1996, as amended. Execution of this SOW by the representative of COMPANY shall constitute a representation and warranty by COMPANY that such representative is duly authorized to do so and has received all requisite governmental consents and approvals which may be necessary or appropriate to execute this SOW and to carry out the terms hereof, including without limitation the preceding sentence.

Accepted and approved by:

Name: ____________________  Title: ____________________

Signature: ____________________  Date: ____________________

Tuesday, March 13, 2007

Request to exit

The industry calls it a Request-To-Exit (RTE). Some are motion sensitive, others require the push of a button, and a very few require another wave of the badge. We’d examined the client’s public areas. Some of their RTEs were motion sensitive, and some used a button. What about the data center? We knew that the RTE could be a weak spot. The security system might log the RTE, but even here at the data center, it would probably not trigger an alarm. The motion sensitive types unlock at any close approach, and pressing a button is a normal event. If we could trigger an RTE and avoid forcing the door, we would have more time to work.

Our view was limited. We had a four-by-eight-inch view above the door handle. We could see another camera, a blank stretch of wall and a small corner of a lit room. We watched for shadows and assembled our tools.

We knew the probable height and position of the button. Could we reach it? The door was not the automatic-opening type. The dead bolt was open, but the electromagnetic lock was closed. We’d taken our MacGyver shopping list to a local hardware store: our $40 worth of spare parts versus a multi-million dollar data center. We made the viewing scope from 1/2 inch narrow pipe, carpet tape, and a convex mirror. We bent the pipe and squeezed the mirror below and past the door. The data center was on a raised floor, and we had a three-quarter-inch clearance. We had our window. In the three-inch mirror, there was the button! We quickly assembled the “finger.” The mirror became a problem because we needed to have both of our devices in view as we squeezed down next to the door. Two pairs of hands worked blindly, while a third pair of eyes directed and a fourth kept watch. You know what they say about convex mirrors: “Objects in mirror are closer than they appear.”

Part 5 of 7 (to be continued)

Tuesday, February 27, 2007

Hidden in wait

As we waited, we had time to think and review the plan. To us, the world’s greatest hackers are an unknown. No one knew their names and no one would know their faces. The celebrities in the paper are not the best. For tonight, we had to be the best. Otherwise, our faces would be on tape, and we would just be more bad boys who’d been caught.

We arrived at the target floor. We knew there were cameras everywhere. If they saw us in this area, we’d only have a few minutes before guards arrived. Our next stop was the fire suppression closet.

Now the challenge: we had to build our device. We worked by light reflected through a four-by-eight-inch window. As people left for home, they passed our closet, but we remained undetected.

We’d examined the company’s card key system and checked it on the Web. Card key systems are everywhere and they almost all use the same operating methods.

Part 4 of 7 (to be continued)

Outsmarting the motion detectors

We waited until the building was mostly empty. We knew this business, this client. Their operations were 24/7. We arrived in the early evening and had already examined the ground and the building plans in detail. We knew our route. The weather had been perfect: rain with wind. This would mask the infrared, mess with the ultrasound. Still, we knew we had to be quick, and our timing had to be good.

We waited 40 yards from a garage exit. We could see the guard shack, but the patrol was out of sight. We waited until a distraction caused the guards to look the other way. We dashed for the ramp. We couldn’t avoid the sensors, but hoped that after a night of false alarms ours would be ignored. We had to get inside the garage quickly. A car came down the ramp as we dashed up. This might fool the guards on the motion camera; they’d see the car, but not us. Did the driver see us? We were past him in a blink on the blind side, but one look in the mirror would be all it took.

Up the ramp and into the garage. There was another camera straight ahead. Two seconds to pass the camera; we would show for a few frames on a bank of sixteen monitors. Then into the fire escape. The team climbed past the public areas quickly and silently, before the guards could reach the stairwell. We listened for the sound of pursuit while our hearts pounded – tough work for computer jocks.

Part 3 of 7 (to be continued)

Friday, February 23, 2007

Get out of jail free cards

In the hotel, we met with our client. He gave us two “pass” cards. We joked that the cards said, “Let these guys go, but scare them first.” We knew the procedure. The guards would call the police before calling their boss. The police had guns.

The security chief would wait in his office hoping to hear the good news. He wrote on our passes that they were good for one night only. Trust is carefully measured.

Catching us would be good news. It would inform our client that his system beat us. However, our job was to deliver an honest assessment of his security risks. Idiots are caught every day.

Part 2 of 7 (to be continued)

Wednesday, February 21, 2007

Penetration Testing

It’s Friday, for the second time.

We left Asia yesterday and are a few hours past the International Date Line, traveling parallel to the Aleutian Islands. Sunrise is ahead of us. Our moonlit challenge is behind us.

We had been a team off and on for the last ten years -- C programmers, UNIX kernel engineers, and now a tiger team paid to sneak into secure data centers.

As trained security consultants, our clients paid us to break in -- with the full knowledge of our employer, the company’s security chief -- but without the knowledge of site security.

We’re going to turn south soon. Home is ahead. We have been away for two weeks, carefully planning and arranging to perform the task that took less time from start to finish than the remainder of our flight.

During that time, we analyzed the building and planned the technical part of our attack. We determined the systems that needed our backdoor. We carefully arranged our timing with the security chief; he knew we were coming, but his staff did not. This was a test. Were they as good as they thought they were?

The motion sensors, cameras and guards were on one side. Our skill, technical experience and creativity were on the other. Our job was to determine if the physical security and technical safeguards would be enough to keep us from breaching the physical security of their data center and creating a backdoor to the Internet.

Part 1 of 7 (to be continued)