Diary of a penetration tester
Posted: 15:22 16 Apr 2004
Poor passwords, Russian hacking groups
and more new vulnerabilities. Here pen tester Richard Brain
describes his week
Monday
The week begins with an external penetration test for a
medium-sized company in the property sector. Although not
particularly exciting in terms of the discovered infrastructure,
some issues are found, most notable of which is the company's
recently installed firewall. This still allowed remote
administrator access with a weak password of, yes, you've guessed
it, "password"!
It should be noted that there are mitigating circumstances for this
issue as special management software is needed to authenticate the
password and normally it is unlikely a hacker will have the
software.
When we contacted the client, he was more than a little
embarrassed, but you would be surprised at how common weak
passwords actually are.
As a general rule, we advise clients that all passwords should
include upper and lower case letters, numerals and symbols and, in
this case, that firewall external administrator access be
disabled.
Tuesday
A slightly tougher assignment beckoned today, with a test for a
large firm in the professional services sector, which started at
10am.
It transpires that this organisation remained susceptible to a
buffer overflow vulnerability in Microsoft Windows that was
published in mid-February amidst enormous publicity on the
television, and in the national press. This flaw would allow an
attacker to overwrite heap memory on a susceptible machine and
cause the execution of arbitrary code.
The organisation was very lucky not to have been compromised, as
exploitation of this flaw could have led to an attacker gaining
complete control over the system: able to install programs, modify
or delete data, and more.
No doubt that script kiddies and hackers were out there in
cyberspace running scanning tools against various targets as soon
as this flaw was made public in the hope that some organisations
had not patched it.
Some of the targets tested today were also vulnerable to cross-site
scripting attacks. This is a serious issue for any organisation,
but especially banks and online betting sites. Many of them have
been targeted by phishing scams which use the same kind of
techniques to obtain user IDs, passwords and other personal
information.
I had to dash off at 5.30pm to do a presentation to the company's
evening security seminar in central London. It was a good turnout
and, as always, it was interesting and useful to discuss some of
the issues raised with the delegates over a drink at the end.
Wednesday
Testing for the large professional services firm continued today,
with some very interesting and unexpected results.
One of its IIS 5.0 servers had been compromised by a Russian
hacking group a few weeks ago and some malicious programs were
uploaded. We telephoned the client's technical contact immediately
and advised the removal of the company's server from the internet
right away, as it requires rebuilding and hardening.
Once the server was disconnected from the internet, the client was
provided with practical step-by-step advice from our consultants as
well as being given some guidelines from the Cert Co-ordination
Centre, the internet security body based at Carnegie Mellon
University, Pittsburgh, on steps for recovering from a compromise.
As well as providing useful security information, the centre
liaises between researchers and suppliers over new
vulnerabilities.
Thursday
This morning we began testing the website of a local authority for
the first time. The actual testing was finished by late afternoon,
but there were some interesting results within an hour or so of the
start.
The authority was using a popular Windows-based mailing program
that we found to have several brand new vulnerabilities, including
cross-site scripting, directory traversal attacks and disclosure
of the server's webroot.
After contacting the client and obtaining its permission, a
consultant set about writing the four advisories, which were then
submitted to Cert. The centre will contact the supplier so that
patches - or at least work-around fixes - can be issued to all
users of this commonly-used software as soon as possible.
Friday
We started testing the websites of a property conglomerate. This
customer is one of our regulars, with a contract for penetration
testing to be conducted on its websites on a quarterly basis. On
the sites tested regularly, we did not find anything apart from a
couple of low-severity vulnerabilities that had been published
since the previous test.
However, this week we tested one of its newly-developed e-commerce
websites and found it to be susceptible to multiple SQL insertion
attacks which would have allowed us to take almost full control of
their system. Yet again we were straight on to the telephone
getting the client secure as soon as possible.
All in all not a bad week's work!
Richard Brain is technical director at
specialist penetration testing company ProCheckUp
www.procheckup.com
www.cert.org
Top 10 website penetration issues
Here are the 10 most common issues found by ProCheckUp during a penetration test:
- SQL insertion
- Cross site scripting
- Webroot disclosure
- Source code disclosure
- Server errors giving configuration information
- Weak passwords
- Unpatched servers running old software
- Configuration errors (e.g. mapping the FTP server to root)
- Leaving test and sample files on servers
- Incorrectly locked down servers