So, I have passed the timeframe where I have been actively penetration testing for over a decade….
I have a large number of pretty strongly held beliefs on penetration testing and I thought it would be fun to walk through how I came to those conclusions and got angry, bitter and highly protective of my ideas and private property.
Yes… This seems like a perfectly logical trajectory for me at this point
One of the things I am a bit harsh on is how many testers these days are focused on scanning and simply looking for red vulnerabilities.
A long time ago we were testing an organization and they had a fairly clean network. They were doing regular scans and worked very hard to keep all the reds and even yellows at bay.
And yes, they were smug about it… Very smug. You see, they had a number of tests over the years where teams of recent college grads would show up and simply run Nessus and leave. They had no idea how anything worked, could not get DHCP to work, and simply ran through checklists and spent all their time copying and pasting results from tools into their word template.
This of course never happens today. This was back in the time when security testing companies were in it for the biggest buck possible.
Not like today.
“Sarcasm. I know this language.” -Jack
Anyway, the target organization was pretty confident. And why wouldn’t they be? 99.9% of testers knew next to nothing about pretty much anything. Not like today, where all testers are sysadmins and developers and hold multiple degrees and are fully vetted before sending a single packet in anger. Like I said, a different time.
So, we started breaking down services and actually connecting to them to see what we could find.
Service, by service… Banner, by banner.
We can across one Linux system which was running an older 2ish version of Linux. All it had was a lonely banner stating the SSH version. We resolved the name of the system back to roomwizard.company.com.
It was a room reservation system, running full Linux and just waiting for a password.
We did not know the password. So, we brute-forced the root password for a few days to no avail. This is when I learned that you can easily overload SSH with too many password attempts. We scaled it back to one guess at a time and let it run again…. To no avail.
So, I decided to call the Room Wizard company and ask for the root password.
“That’s so wizard!” – Phantom Menace reference achievement unlocked.
The very nice tech support lady spent five or six minutes looking it up. Then, she put me on hold for like an hour.
When she came back she said “Please do not hack the Room Wizard”.
I responded “No, I just need to update the SSH version. It is out of date and it is messing with our DIACAP score”.
She said “No, that is the password… All lower case.”
I tried it and it worked!
I was in!
“Like a G….eek.”
You see, the lesson is that sometimes the greatest exploits and success come from weird places.
This is the genesis. This is where it all transitioned for me on network assessments. I cannot remember all the times I exploited MS03_026. It was a lot.
But this stuck. This is where I started looking at network testing as something more than simply looking at scans.
This is what makes our job special. It makes it fun and unique.
It keeps us employed.