Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 33

Thread: user access to switch

  1. #21
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    Quote Originally Posted by humbleman View Post
    He knows he insults people and that is why his signature must justify it.
    If you don't start editing your posts instead of making 2 and 3 in a row you will find yourself with a second infraction.

  2. #22
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by humbleman View Post
    Why are you so angry and such an ass? Do you feel better now? Insecure people crack me up.

    BTW, I ran Hydra against the SSH port that was also open and did not break it... and yes, I do know how to use Hydra.
    Excellent, so what did spending that time get you?

    It got you nothing. Whether you were successful in using Hydra or not the answer is the same. Administrative access to the device should not be available via the internet (especially over a clear text protocol).

    I'm confused by your repeated claims of "knowing hydra" when you opened up with questions about it. If you know everything about Hydra what was this bit about?
    How about a more specific question. In Hydra, when I choose the "cisco" protocol... what is that trying to guess? The cisco-enable I know, and well... not getting anywhere as three attempts and disconnect.
    Although it was timing out at the time of posting you can get further details here:
    http://freeworld.thc.org/thc-hydra/README
    (Available via google cache as well)

    Sorry you feel that I insulted you but the FACT remains doing a test that proves nothing ... PROVES NOTHING. Supposedly your company has limited resources, so since you couldn't see that people were helping you even while calling BS you've managed to waste some of those limited resources.

    One additional test you could perform which would mean something and not be a total waste of time would be to check for default accounts/passwords.
    http://cirt.net/passwords?vendor=Cisco
    http://www.governmentsecurity.org/de...worked_devices
    http://www.phenoelit-us.org/dpl/dpl.html
    etc.

    Obviously any default accounts/passwords which still exist on the device would represent a third strike so to speak.

    Yes, I was fully aware of what I was doing and I had used Hydra before and slowed it down. I also spoke with the network admin beforehand. I may be a newbie, but I do have common sense. I was on a time constraint (1 day left) and didn't have time for a lot of research and asked for help. Some people like Thorin don't understand that.
    I totally understand that, which is why I suggested you don't WASTE TIME. This is why I was completely straight to the point in my post.

    Quote Originally Posted by lupin
    Also, keep your chin up about the comments from thorin. He can be a little abrasive at times, but I dont think he meant to insult you, and his advice is generally good.
    It's true, I'm a VERY black and white with no gray kind of person. Hence the sig.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  3. #23
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Quote Originally Posted by thorin View Post
    It's true, I'm a VERY black and white with no gray kind of person. Hence the sig.
    Yes, very direct and to the point. Directness is a good quality in my opinion (I don't like it when people are not straight with you and don't say what they mean), although it can sometimes appear rude to some people and rub them the wrong way. These misunderstandings happen sometimes in text-based communications; you miss out on body language and tone cues that help to give context and meaning to your messages.

    (I'm posting this mainly so you won't be the last person to post in yet another thread, you thread killer)
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  4. #24
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    17

    Default

    Thorin,
    You mentioned it was a waste of time to use Hydra even if I had gotten admin on the device. I don't understand this logic. I was asked to do a pentest so it is my job to penetrate the device if possible and see where it leads me. Not doing so would make it a vulnerability test, not a pentest. Of course they need to remove these administrative interfaces exposed to the public, but it was my job to exploit it first and quickly so I can tell them ASAP, not just report it.

    I am a direct person as well. There is a difference between being direct and being insulting. For example, you wrote "whether you can figure out how to use Hydra or not". This sentence provided no value to your post whatsoever other than to insult me.

    I don't know what you call "BS", but you shouldn't call inexperience BS.

    Lupin or anybody else,
    So if risk is high, but probability is low, would you still give it a high rating? What would an experienced, seasoned hacker or attacker do with a public switch if they were able to sniff traffic and get admin privs on the device? There is obviously DOS. They could span the traffic to another device they own and sniff all company traffic coming in and out the network? What else?

  5. #25
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Default

    You keep saying public switch, what are we talking about here? Are you connecting over the internet through a public address or are we talking about inside the lan. Sorry if I missed it in the other posts.

  6. #26
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    17

    Default

    Quote Originally Posted by Lincoln View Post
    You keep saying public switch, what are we talking about here? Are you connecting over the internet through a public address or are we talking about inside the lan. Sorry if I missed it in the other posts.
    I am connecting to the public address from the Internet.

  7. #27
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Default

    You said this was Cisco right? What's the model number? Need to know a little more about your topology too.

    For starters you can create some ACLs for blocking outside traffic.

    http://www.sans.org/reading_room/whi...ccess_list_231

  8. #28
    Just burned his ISO
    Join Date
    Jul 2009
    Posts
    17

    Default

    Quote Originally Posted by Lincoln View Post
    You said this was Cisco right? What's the model number? Need to know a little more about your topology too.

    For starters you can create some ACLs for blocking outside traffic.
    Yes, Cisco. 3750 Catalyst. It routes traffic to the firewall and I believe spans the traffic to our vendor's IPS. It is the border router.

  9. #29
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Default

    Quote Originally Posted by humbleman View Post
    Thorin,
    You mentioned it was a waste of time to use Hydra even if I had gotten admin on the device. I don't understand this logic. I was asked to do a pentest so it is my job to penetrate the device if possible and see where it leads me. Not doing so would make it a vulnerability test, not a pentest. Of course they need to remove these administrative interfaces exposed to the public, but it was my job to exploit it first and quickly so I can tell them ASAP, not just report it.
    True there is a distinction between Pentesting and VA, however given that resources are limited the additional attempt(s) still provided little to no value in the end. Some may even argue that what you did was a VA w/ attempted exploitation not an actual pentest but that's just semantics. Again, regardless of what you call it or whether you were successful with Hydra or not the result and the remedial action needed are the same.
    In fact depending how limited the company's resources are I'd argue that you should have pointed out to them that a pentest was a waste of resources (time & money) [but that's a completely different issue].

    I am a direct person as well. There is a difference between being direct and being insulting. For example, you wrote "whether you can figure out how to use Hydra or not". This sentence provided no value to your post whatsoever other than to insult me.
    I'm sorry you felt that was an insult, to me it was a simple statement of fact. As I've stated numerous times, it's irrelevant if you can use or were successful with Hydra.

    I don't know what you call "BS", but you shouldn't call inexperience BS.
    I wasn't referring to your inexperience as BS; I was referring to your repeated statements that you know Hydra after having led in with questions about Hydra which are answered in the tool's readme file.

    So if risk is high, but probability is low, would you still give it a high rating? What would an experienced, seasoned hacker or attacker do with a public switch if they were able to sniff traffic and get admin privs on the device? There is obviously DOS. They could span the traffic to another device they own and sniff all company traffic coming in and out the network? What else?
    Probability of MITM attack to gain the password might be low, that does not mean that the probability of a successful bruteforce attack is low. We also haven't yet heard anything about checks for default accounts or passwords.

    A true risk assessment of the issue would require:
    • that you identify what information/systems are processed via or protected by the device.
    • that you reasonably identify the likelihood that an external attacker has more interest in said information or systems
    • that you reasonably identify the difference in resources available to that attacker (time, storage, dictionaries, etc) [vs what you had/have]
    • etc


    Assuming a malicious individual did get access to the device and assuming it controls your main website and web based user applications (i.e.: online trading or banking) there are lots of things they could do, including but not limited to:
    • locking out legitimate employees
    • redirecting to phishing sites
    • intercepting traffic (incl. credentials, transactions, etc.)
    • spreading malware
    • inserting fake patches (think Windows, Acrobat Reader, Flash, Firefox addons, etc)
    • redirecting traffic to a competitor (assuming high volume this could result in reputation issues, legal issues, etc)
    • etc


    Again I still maintain that whatever you call the type of test you were conducting and whatever you were or were not able to actually accomplish the concern and needed solution are the same.

    If you'd been able to get a password via Hydra would you consider the issue any more or less serious? From the posts here it seems your answer would be yes. However, I think there's a certain fallacy in that answer: your time and resources were limited while those of an attacker we assume is interested in the data and systems involved may not be. Even if the resources of said individual are only 10% greater than your time and resources that may be all it takes for them to accomplish compromise where you failed (whether due to skill, dictionary size, knowledge of the company, previous similar engagements, etc). To assume or suggest that others would be unsuccessful just because you were would be a BIG mistake.

    For example, I'm doing a web application VA right now. I've identified a page/parameter that are vulnerable to XSS, however, I've been unable to find a malicious XSS that actually works (i.e.: alert that pops, redirect that works, frame that inserts, etc). I can see that the injected value is included in the page returned to the user I simply haven't found the right combination of scripting and escape characters to do something malicious in the end. Does that make the XSS any less risky or severe? No, there could easily be someone out there that has more time to put into developing a working XSS for the particular vulnerability or has different experience and would see it immediately. Since I'm time limited in trying to find a POC I still tell the client it's a high severity issue.

    The other thing you might want to consider for reporting of your results is the distinction between severity and risk. Personally I'd say leave risk for full blown Threat and Risk Assessments and keep severity for Penetration Tests and Vulnerability Assessments. Assessment of risk isn't really a simple thing; to be done properly it requires analysis of asset values, threats, vulnerabilities, safeguards, threat agents. While severity is pretty simple: if someone can reasonably (even if improbably) leverage an issue (vulnerability) to own your systems or data then the severity of the issue is high. Though that's just my 2 cents.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

  10. #30
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Default

    Quote Originally Posted by humbleman View Post
    yes, Cisco. 3750 Catalyst. It routes traffic to the firewall and I believe spans the traffic to our vendors IPS. It is the border router.
    I think this whole situation could be fixed with some proper ACLs on the router and firewall. I don't see a reason why you ought to be able to reach the router/switch through the public interface over the internet. At least block incoming SSH and telnet from the outside. This should be blocked to keep intruders out.

    Ideally for remote access you should set up a VPN server.
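A concrete form of the "ACLs plus SSH only, VPN for remote access" advice in posts #27 and #30, written here as an added illustration rather than configuration anyone posted in the thread. It assumes standard Cisco IOS syntax (the 3750 runs IOS), and the inside management subnet 10.10.0.0/24 (where VPN clients would land) is a placeholder:

```cisco
! Constructed example: restrict device management to an inside subnet only.
! 10.10.0.0/24 is a placeholder for the management / VPN client subnet.
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny   any log
!
! Apply the ACL to the vty lines and allow SSH only (this removes telnet,
! the clear-text protocol the thread is concerned about).
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 exec-timeout 10 0
 login local
!
! Enforce SSHv2 and disable the HTTP(S) management interface, which the
! vty access-class does not cover.
ip ssh version 2
no ip http server
no ip http secure-server
!
! Verification after applying: the deny line accumulates hit counts for
! every blocked attempt from the outside, which is worth logging and watching.
! show ip access-lists MGMT-ONLY
! show running-config | section line vty
```

The `log` keyword on the deny entry means each rejected management attempt shows up in syslog, so the switch itself becomes evidence of brute-force attempts like the ones discussed above.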

