Friday, May 4, 2007

Pen testing

Hi Michael,

I was wondering if I could get a little pen testing advice. What were the primary factors in determining the cost for a penetration test? In general, what is a ballpark range that is reasonable to charge for, say, 5 external IPs/servers?

Thanks,

(name withheld)

Well, like everything, that will depend on several factors.

  • Is this an external attack only, or internal, external and wireless?
  • Is social engineering involved, will a physical penetration be attempted?
  • Will you be dumpster diving?

My guess from your question is that you are performing a remote network penetration test without social engineering.

The scope of work then depends on the level of adversary you are imitating:

  1. Motivated attacker, a user with inside knowledge or an attack by a professional seeking monetary gain
  2. Robot master, someone looking for bots to add to their army
  3. Opportunist, a script-kiddie or other non-professional attempting to crack systems because it's a rush

Level 3 is a little above what you can do with a flat Nessus scan. I'd certainly add a little Metasploit work and some light web application inspection, looking for obvious input flaws.

Level 2 will run several well-known exploits and perhaps a 0day. You need to take a very careful look at the attack surface, validate all web applications for input checking (multiple encodings) and prevention of script or SQL injection.

Level 1 will do all of the above, plus deep research on the target and target employees; this level is beyond the capability of a small-business IT defense.

For a client with only five external IPs, simulating either a level 2 or level 3 attack is your best bet.

You should be able to perform a Level 3 with automated tools and a little manual work on the more interesting targets. Three hours per IP address is probably a reasonable guess, but you won't actually spread your time that evenly.

Level 2 is tougher; a true attacker of this type hits you and moves on. However, since we can't predict the exact exploits that this attacker would use, a pen-tester has to perform a far more thorough review of the attack surface. This attack simulation will start at a few minutes per IP address, but you should expect to spend 5-10 hours (each) inspecting specific web application services and web server code for flaws. You will need to run exploit and possible denial-of-service attacks. Economically, you can’t bid this at more than 5-10 hours per IP address, but you could easily double that amount of time if you run into an interesting web application.

My estimates include the time for testing, data gathering and report writing -- never under-estimate the time you will spend on the report. The report is the most lasting and visible product of your efforts.

Most small clients can bite off a blend of these two attack scenarios. Cover all of the systems with an automated scan and a little manual follow-up, but spend a day or two taking a hard look at their primary web server and/or back-end.

Sunday, April 8, 2007

Sample Stay out of Trouble Language

This posting is provided "AS IS" with no warranties.
The question of safe penetration testing or security research comes up time and again. Good guys get prosecuted too. [1] [2]

So, to follow-up my comment on RSnake's recent post, here is something that I have used to stay out of trouble.

DISCLAIMER: I am not a lawyer. If in doubt, ALWAYS, ALWAYS, ALWAYS get professional advice from an attorney. I hope this document puts the reader on the right track and helps keep them out of trouble.

CompanyName (“COMPANY”) hereby accepts the services and the related terms and conditions set forth in the attached Statement of Work (the “SOW”) of SecurityResearcher (“HACKER”).

COMPANY expressly acknowledges that the performance of these services will require HACKER to gain access to COMPANY confidential and proprietary network and information assets, and authorizes this access for the purposes described in the SOW, subject, however, to the Mutual Nondisclosure Agreement, dated ____________________, between COMPANY and HACKER (the “NDA”).

Due to the nature of the services contemplated by the SOW, COMPANY acknowledges that no representation or warranty can be made by HACKER with respect to such services or the efficacy thereof. In particular, COMPANY acknowledges that damage to COMPANY systems or information could result from the performance of such services, and that, following completion of such services, there can be no assurance that the COMPANY network will be secure or that unauthorized access thereof will not occur.

WITHOUT LIMITING THE FOREGOING, HACKER MAKES NO EXPRESS OR IMPLIED REPRESENTATIONS WITH RESPECT TO ITS PERFORMANCE OF THE SERVICES HEREUNDER OR ANY DELIVERABLES CONTEMPLATED HEREBY, INCLUDING WITHOUT LIMITATION ANY REPRESENTATION OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

In order to induce HACKER to perform its services, COMPANY is accepting the terms and conditions and making the representations set forth herein, and COMPANY irrevocably waives and releases, and shall be estopped from asserting, any claims for damages or otherwise arising out of or in connection with the services, except as expressly contemplated by the NDA.

COMPANY represents and warrants that the COMPANY information systems to be accessed by HACKER do not contain confidential or proprietary information or other property belonging to any person other than COMPANY, or any classified information. By accepting HACKER’s services, COMPANY assumes any and all liability for any disclosure of any third-party confidential or proprietary information assets, or any classified information, arising out of or resulting from such services, and agrees to indemnify, defend and hold harmless HACKER from and against any claim, loss or liability asserted by any person arising out of or relating to any such disclosure, subject, however, to the NDA.

COMPANY expressly authorizes HACKER to gain access, including without limitation external network access and without regard to the COMPANY Information Security Policy, to all COMPANY computer networks and information systems as is reasonable and necessary, in HACKER’s sole judgment, for the purposes described in the SOW, and COMPANY acknowledges that such access shall be obtained by HACKER with the express permission of COMPANY and that such access is not a violation of any federal, state or local laws, rules or regulations, including without limitation the Computer Crime Act of 1986, as amended, or the Economic Espionage Act of 1996, as amended. Execution of this SOW by the representative of COMPANY shall constitute a representation and warranty by COMPANY that such representative is duly authorized to do so and has received all requisite governmental consents and approvals which may be necessary or appropriate to execute this SOW and to carry out the terms hereof, including without limitation the preceding sentence.

Accepted and approved by:

Name ____________________ Title ____________________

Signature ____________________ Date ____________________

Saturday, March 31, 2007

Remote Microsoft Outlook and Vista Exploit

A new vulnerability is being exploited against Microsoft Outlook and all Microsoft Windows Operating Systems: Windows 2000 SP4 through Vista.

The exploit allows remote attackers to execute programs on your system or create a denial of service. There is no patch available for this exploit.

This is the first remote exploit against Vista, and the security community is concerned that this vulnerability may be converted into a widespread attack worm.

The Community recommends:
  1. All users make sure their Anti-virus software and detection files are up to date.
  2. Spread of this exploit by email may be prevented by blocking all .ani, .cur, .ico and .jpg files at your email gateway.
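As an added example (not from the original post), here is a small Python check that applies the gateway rule above by content as well as by file extension, so a cursor file that arrives under a harmless-looking name is still caught. The format facts it relies on (an .ani file is a RIFF container with form type "ACON"; .ico and .cur share a 6-byte header; JPEG starts with FF D8 FF) are mine, not the post's, and the sample attachments are constructed.

```python
# Added example: content-based attachment filter complementing the extension
# block recommended in the post. Assumptions (not from the post):
#   - .ani files are RIFF containers whose form type (bytes 8..11) is b"ACON"
#   - .ico/.cur files begin: reserved=0x0000, type=1 (icon) or 2 (cursor)
#   - JPEG files begin with the SOI marker FF D8 FF
import os

BLOCKED_EXTENSIONS = {".ani", ".cur", ".ico", ".jpg"}


def sniff_type(data: bytes) -> str:
    """Coarse file-type label from the leading bytes, ignoring the filename."""
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"ACON":
        return "ani"
    if len(data) >= 6 and data[:4] in (b"\x00\x00\x01\x00", b"\x00\x00\x02\x00"):
        # The 4-byte ICO/CUR header is short, so this is a weak signal on its own;
        # at a gateway, blocking is the conservative choice for a bare header match.
        return "ico" if data[2] == 1 else "cur"
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    return "other"


def should_block(filename: str, data: bytes) -> tuple:
    """Return (block?, reason). Blocks on extension OR on sniffed content."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return True, "blocked extension %s" % ext
    sniffed = sniff_type(data)
    if sniffed != "other":
        return True, "content is %s despite name %s" % (sniffed, filename)
    return False, "allowed"


# Constructed sample attachments (not real malware): a minimal ANI header
# renamed to look like a document, a tiny JPEG prefix, and plain text.
SAMPLE_ATTACHMENTS = {
    "quarterly.doc": b"RIFF" + b"\x00\x00\x00\x00" + b"ACON" + b"\x00" * 8,
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "notes.txt": b"meeting notes",
}


def filter_attachments(attachments: dict) -> dict:
    """Map each filename to its (block?, reason) decision."""
    return {name: should_block(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (blocked, why) in filter_attachments(SAMPLE_ATTACHMENTS).items():
        print("%-16s %s  %s" % (name, "BLOCK" if blocked else "allow", why))
```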

Additional information about this vulnerability may be found at these links:

UPDATE: 4/2/2007, Microsoft plans early patch update to address this flaw:
Microsoft Response Center Update
UPDATE: 4/3/2007, Microsoft has released a patch.
MS07-017

I will update this blog post as more information becomes available.

Tuesday, March 13, 2007

Request to exit

The industry calls it a Request-To-Exit (RTE). Some are motion sensitive, others require the push of a button, and a very few require another wave of the badge. We’d examined the client’s public areas. Some of their RTEs were motion sensitive, and some used a button. What about the data center? We knew that the RTE could be a weak spot. The security system might log the RTE, but even here at the data center, it would probably not trigger an alarm. The motion sensitive types unlock at any close approach, and pressing a button is a normal event. If we could trigger an RTE and avoid forcing the door, we would have more time to work.

Our view was limited. We had a four-by-eight-inch view above the door handle. We could see another camera, a blank stretch of wall and a small corner of a lit room. We watched for shadows and assembled our tools.

We knew the probable height and position of the button. Could we reach it? The door was not the automatic-opening type. The dead bolt was open, but the electromagnetic lock was closed. We’d taken our MacGyver shopping list to a local hardware store: our $40 worth of spare parts versus a multi-million dollar data center. We made the viewing scope from 1/2-inch narrow pipe, carpet tape, and a convex mirror. We bent the pipe and squeezed the mirror below and past the door. The data center was on a raised floor, and we had a three-quarter-inch clearance. We had our window. In the three-inch mirror, there was the button! We quickly assembled the “finger.” The mirror became a problem because we needed to have both of our devices in view as we squeezed down next to the door. Two pairs of hands blindly working, while a third pair of eyes directed, and a fourth kept watch. You know what they say about convex mirrors: “Objects in mirror are closer than they appear.”

Part 5 of 7, (to be continued)

Friday, March 9, 2007

ICANN Factsheet: Root server attack on 6 February 2007

I'm reading through the ICANN factsheet (08mar07.pdf) and this paragraph jumps out at me.
A third category is the huge increase in individual Internet users installing routers in their homes, usually to provide wireless access or to link up several computers in the house. These consumer products usually come with the same password and a large percentage of home users never change this default password, making it easy for hackers to seize control of them for their own ends. If consumers were encouraged to change the default password or if router manufacturers were persuaded to provide each unit with a different password, then future attacks against the Net’s infrastructure could be tackled at (the) source.
(my emphasis)
I know there has already been quite a bit said about this topic here, here and here. However, this particular paragraph is written by the people who make sure that the wheels stay on the Internet's bus. This is really a very important issue and it's time the router vendors solve this problem.

The factsheet is well written and introduces a lot of information regarding the attack. Now that it has been published I can speak a little about it here. (Full disclosure: Catbird performs DNS monitoring for some of the root service providers.)

After the attack I reviewed our aggregate DNS and web performance data. Catbird gathers over one million data samples each day, so I had more than enough to choose from. I chose random samples from our monitors and developed the two charts included in this post.

The Feb 6 attack occurs around the midpoint of each chart. The attack hit two of the thirteen root servers very hard, but as you can see from these graphs the downstream DNS providers and the web sites they serve were not affected.

I make this point because I do not believe the attackers intended to bring down the Internet. I think that this was the performance test of an attack botnet. This attack combines good advertising with a live product demo. I will not be surprised to hear about a rise in DDOS attacks and extortion demands made against high-value commerce web sites.

I recommend that we all brush up on our understanding of anycast, GeoDNS and related defenses against DDOS.

Thursday, March 8, 2007

Airline Security Since 9/11

Over on Schneier's blog, there is a lively discussion about an article link Bruce posted. I posted a comment, but have more to say below.

What real security improvements have been made?
  1. Stronger cockpit doors
  2. Air Marshals
  3. Passengers (and crew) who know that resisting the hijacker may be the best course of action
Regarding number three, it is not always necessary to fight the hijacker. In 2004, Eritrean hijackers seeking political asylum diverted a plane to the Sudan.

However, in the "continuing to fight the last war" department, we have multi-million dollar projects to build a hijack-proof plane.

SAFEE coordinator Daniel Gaultier said: "You never reach zero level of threat, no risk, but if you equip planes with on-board electronics, it will make them very difficult to hijack."
<sarcasm>Sure, electronics will make it better. Just like the on-board electronics in RFID equipped passports. Electronics always make you safer.</sarcasm>

It is important that we address known threats and act to make people feel safer on airplanes, but what are we doing about the next threat?

We could be loading baggage into blast-proof cargo containers, but as I pointed out in my comment, this is being fought by the airlines themselves. The airlines must believe it is much cheaper to just pay-off the relatives or sue Libya.

What else? Protecting our ports of entry? You could ship an entire tank division through one of our ports, let alone a chemical, biological or nuclear weapon. Meanwhile people think building a 2000-mile fence to keep out our gardeners, housekeepers and building contractors is a good idea. Hello, New Orleans, sorry all those folks actually helping you rebuild the city... Please send them back to Mexico. If I were Bin Laden, I would be driving a taxi in New York, availing myself of our excellent hemodialysis care, while personally selecting the next target.

Does anyone really think that a terrorist will risk dying of thirst crossing the Mexican border, when they can just as easily enter the country on a Princess Cruise? Am I the only person who saw Speed 2?

The latest craze with liquids on airplanes is an example of the hype involved here. These activities do not make us safer and will most likely lead us to ignore the real warning signs. After all, smokers are (warning: may be inappropriate for some viewers) still finding ways around the system.

If individual safety is more important than lobbyist dollars or inconvenience, then we should be building safer planes, blast-proof cargo containers, banning most carry-ons and getting rid of those awful snacks. We also need a homeland security organization that consults with people like the Tofflers, Vinges and Harlan Ellison.

Sunday, March 4, 2007

Popular Blog Software Cracked

A successful attack was made on the WordPress 2.1.1 download. The attacker modified the files theme.php and feed.php. These modifications created a backdoor which would allow a user to gain privileged access to any server running WordPress 2.1.1.

All users have been requested to update immediately to WordPress 2.1.2. Users who access updates through the Subversion repository were not compromised.