in reply to Re: Re: Password cracking algorithm
in thread Password cracking algorithm

This statement worries me a little bit. How exactly do you go about looking for ALL exploits? I am not saying that you don't do a thorough job... I may know that no matter how hard you look, and no matter how hard you try, you can't possibly catch everything.

Well, when I conduct an audit, we do both external as well as internal testing. We usually start with some enumeration of the system, port scans and the like. Using the results we know what services are running on the computers at that time. Based upon further inspection, i.e. determining what version and what product is exactly running, we can learn quite a bit about what vulnerabilities might be present on a given port.

At that point we conduct further probing, we may attempt to exploit a hole, to see if the hole exists. On top of this manual testing, we also run two vulnerability analysis tools, Nessus and Retina. Nessus is freeware, you're welcome to check it out, Retina has a bit of a hefty price tag. These programs use the port scan results that we feed them and test against thousands of known vulnerabilities to determine if the service(s) are vulnerable to a certain exploit.

These tools generate large reports, which we then test manually again and distill into a finalized report. Perhaps when we conduct an audit there is something we miss, you can look at it as a snapshot of the network at that time, so if you come in after the audit and load up some new service, it's not going to be on the report, so I guess in that sense we can't be sure we catch everything, but as far as our tools go, experience has proven them to be extremely reliable. Reliable enough that at that current point in time where the audit is taking place I'd be at least 95% sure that we caught everything. Of course there could be a new vulnerability out on a service for which a plugin for the tools has not been developed, but I can't really control that, and we usually check the most recent ones manually anyways.

Trouble is, any non-technical person you talk to probably believes that you are truly going to find any possible hole.

This is true of any situation where you as a business are marketing yourself to someone whom you are technically superior to. There is a measure of trust that is associated with all business, and I back my business 100%. We have had only good responses to the business we conducted. Not to brag, but we recently finished an audit for a division of the university that I attend and we received much praise for our work, this from a company who had been audited a year prior by one of the "big" security companies.

During that time, one of the auditors wanted either administrative rights to our domain, or a copy of the password hash to test against. I would hope you would see why we would be very against this happening. We would have been significantly more comfortable if we had been asked to run it ourselves, and report back on the results.

Then I'd love to do an audit for you! You'd be doing part of my work. This goes back to your point about being technically savvy. I don't think that all that many places would have the staff to do such a thing. I'm not going to spend time to teach them, it wouldn't make sense, that's why they're paying me to be there. Besides, how many places have the spare workers?

To give away every username and password on our domain to an outside company like that is most definitely not a very secure thing to do. As a matter of fact, I would hope to lose points on a security evaluation for giving in to such a request :).

In the contract that both myself and the clientele sign off on, I state that all passwords must be changed after the audit. This is for two reasons, number one being exactly what you said. You don't want me to have your passwords, and heck I don't want them either! If some massive vulnerability comes out the week after we do an audit and you didn't take the time to patch it, I don't want someone to think that I hacked them with the passwords that I got from the audit! It's as much for our protection as theirs. Secondly, and most importantly, almost all business that we conduct audits for do not have any password policy in place. If this is the case, we put one into place with the assistance of the Network Administrator and then force everyone to change their password to fit the new criterion.

Hope this clears some things up. I never thought I'd be defending my business at posting this, but such is the nature of my business. In any situation, I will likely be looked upon as a hacker first, and an aspiring security professional last.

Re: Re: Re: Re: Password cracking algorithm
by oknow (Chaplain) on Jul 22, 2003 at 22:41 UTC
    On top of this manual testing, we also run two vulnerability analysis tools, Nessus and Retina. Nessus is freeware, you're welcome to check it out, Retina has a bit of a hefty price tag.

    I've used Nessus off and on for quite a few years now, thanks :).

    Reliable enough that at that current point in time where the audit is taking place I'd be at least 95% sure that we caught everything.

    95% is a HUGE distance away from looking for ALL exploits (it's probably the last fraction of a percent that bites you though :p). I hope you don't think I am implying that it is possible to find everything, I know better. The trouble is your client doesn't know better, and it is a dangerous thing to tell him.

    This is true of any situation where you as a business are marketing yourself to someone whom you are technically superior to.

    Yes, but in your position you have to be extra careful with what you say. I have no idea what your actual skill level is, I only have what I read here to go on. All I am saying is that you need to pick your words more wisely... If you will make statements like that to us, who know you are stretching the truth, I can only assume you are making similar claims to your clients (who probably believe every word without question).

    Then I'd love to do an audit for you! You'd be doing part of my work.

    I'll take by that statement you haven't audited any large shops? :) It is always my job to, at the very least, make sure any of my machines are as secure as possible.

    Hope this clears some things up. I never thought I'd be defending my business at posting this, but such is the nature of my business.

    I certainly hope you don't think I've been replying to you under the assumption that you are a cracker looking for help breaking passwords. Whether you are or not, I hope the info in these replies will be useful for someone reading it even if it isn't you :).

    I have been severely disappointed by MANY so-called 'security experts', ALL of whom were from one of the big consulting firms. The way I see it, I know a good deal about the security of the systems that I own... When I hear a security consultant make mistakes related to MY hardware, I assume he will make similar mistakes where I have less knowledge. (boy that didn't feel like a good sentence :p)

    I hope you are taking all this information constructively. You are only making the same mistakes every security consultant I have dealt with makes... Except the one that really bugs me... When they make a HUGE deal about a very minor security risk, yet completely ignore gaping holes (specifically password expiration schedule for a domain, vs. an intranet application storing plain text passwords in a database).

    In any situation, I will likely be looked upon as a hacker first, and an aspiring security professional last.

    Good luck! You are chasing a very rapidly moving target in the security world :).

      95% is a HUGE distance away from looking for ALL exploits (it's probably the last fraction of a percent that bites you though :p). I hope you don't think I am implying that it is possible to find everything, I know better. The trouble is your client doesn't know better, and it is a dangerous thing to tell him.

      Well, I guess it depends on how you look at it. I make it clear to all of my clients that securing them today does not mean they will be secure tomorrow. I stress that it's an ongoing process, I try to convince them to join lists like bugtraq, I inform them of tools like Nessus that can help them. When I say 95%, I'm taking into account those vulnerabilities that haven't been established as plugins yet, as well as any vulns that aren't on the network at that time. I stress to all of my clients that our initial tests are just a snapshot of the network, which could potentially be changing based on what machines are on, and what services are on. I try to stress to them that during the audit period, all of the machines should be on so that it's as complete as possible. So in that sense, I don't think that the portion we are missing is that significant.

      It is as you say though, the fraction of a percent that you miss is the one that bites you in the ass. ;P I have a saying though, "If you want a network that's 100% secure, unplug your computers from the wall." I stress that we try to bring a measure of security above that of what they already have. Half the battle is making the client aware of all the potential problems they have now, and how those will continue in the future unless they take active steps to make themselves secure.

      If you will make statements like that to us, who know you are stretching the truth, I can only assume you are making similar claims to your clients (who probably believe every word without question).

      I'm not sure exactly which comments you are referring to. Besides, I'm not trying to sell you guys anything. In a business environment, I never claim something I can't back up. That's why my business has been successful. I have a good reputation that I would not tarnish.

      I'll take by that statement you haven't audited any large shops? :) It is always my job to, at the very least, make sure any of my machines are as secure as possible.

      Actually I've done mostly medium to large networks, although I have not actually done an audit on a company that had a security department. I do not know if you have a security department or not. Actually, I've found in the larger companies that I've audited, they're more apt to just set me off on my own. The admins are either too busy to worry about the security all the time, or not capable. I think it's awesome though that your company relies on you to make sure your machine is secure. I try to instill this with the audit, I try to stress that workers as well as the admins be aware of patches and things that come out.

      I have been severely disappointed by MANY so-called 'security experts', ALL of whom were from one of the big consulting firms. The way I see it, I know a good deal about the security of the systems that I own... When I hear a security consultant make mistakes related to MY hardware, I assume he will make similar mistakes where I have less knowledge.

      I think this is a fair assumption. I feel comfortable with my skills, I have not yet been in a situation where I dealt with someone who knew more on the subject than I. If I was put into that situation, I would not be afraid to make someone in charge of the dealings aware of the situation and suggest that the person may do well to help in the audit. I would be comfortable with that. I'm not going out there to prove I know more than someone, I do the best job I can, and if someone has positive input, or knows more than I, I would admit it, and hope to benefit from the knowledge I gained from that person.

      I hope you are taking all this information constructively. You are only making the same mistakes every security consultant I have dealt with makes... Except the one that really bugs me... When they make a HUGE deal about a very minor security risk, yet completely ignore gaping holes (specifically password expiration schedule for a domain, vs. an intranet application storing plain text passwords in a database).

      Yes, I didn't look on these particular comments as a negative. If anything, arguing for my skills and my business is just like what happens when I go in to negotiate with a client. I've never gone into a dealing where the person there said, "Oh we've heard so much good stuff about you, you really must know what you are doing."... What I hear is, "Oh we've heard good things about you, but we have a lot of questions for you."

      Good luck! You are chasing a very rapidly moving target in the security world :).

      Thank you! I appreciate the kind words and the suggestions.