
Thread: Pentester Interview

  1. #51
    Junior Member (Join Date: Nov 2008, Posts: 35)

    The "walk me through NTLM v1 authentication and what's passed between the client and server" question has a number of answers.

    1. A challenge is sent from the server and the client responds to it.

    2. The client and server negotiate an authentication method, enabling an agreement on the authentication parameters. The server sends a challenge based on the parameters negotiated and the client responds, using the user's credentials to calculate the response.

    3. Taken from Wikipedia:
    1. The client first sends a Type 1 message containing a set of flags of features supported or requested (such as encryption key sizes, request for mutual authentication, etc.) to the server.
    2. The server responds with a Type 2 message containing a similar set of flags supported or required by the server (thus enabling an agreement on the authentication parameters between the server and the client) and, more importantly, a random challenge (8 bytes).
    3. Finally, the client uses the challenge obtained from the Type 2 message and the user's credentials to calculate the response. The calculation methods differ based on the NTLM authentication parameters negotiated previously, but in general they apply MD4/MD5 hashing algorithms and DES encryption to compute the response. The client then sends the response to the server in a Type 3 message.

    Unfortunately most Google results have 'a random challenge is sent' in the returned web sites, which is wrong! A known constant is sent.

    All 3 answers are valid, but it shows how much they know. I think the level of knowledge required for an admin has reduced over the years, and the current crop of people entering IT in the last few years would not have been interviewed 5 years ago. Of course there are exceptions, and they are the people I'm looking for.

    The chain question is irrelevant to the job, but as I say it shows an inquiring mind.

    What I have found is the job requires creative solutions to problems: how to get an app that requires local admin rights running as a normal user, how to install printers as a normal user, etc. Most of the issues are security related or require some creative solution to get things done.

  2. #52
    Junior Member (Join Date: Nov 2008, Posts: 35)

    Before anyone questions the statement about
    "'a random challenge is sent' in the returned web sites, which is wrong! A known constant is sent."

    think about how pass-the-hash works.

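The Type 3 response computation from the Wikipedia walkthrough in #51, and the pass-the-hash point made in #52, as an added worked example (constructed for this thread; not code from either post). It takes the 16-byte NT hash (MD4 of the UTF-16LE password, computed elsewhere, e.g. with impacket or hashcat) and the 8-byte server challenge from the Type 2 message, and produces the 24-byte NTLMv1 response: pad the hash to 21 bytes, split into three 7-byte DES keys, DES-encrypt the challenge with each. The response is a function of the hash and the challenge only; the password itself is never an input, which is exactly what pass-the-hash relies on. The values in `main` are the MS-NLMP test vector (spec section 4.2.2: NT hash of "Password", server challenge 0x0123456789abcdef); the function names are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// ExpandDESKey turns a 7-byte (56-bit) key into the 8-byte form DES expects:
// each 7-bit group is placed in the high bits of one byte and the low bit is
// set so that every byte has odd parity (DES ignores that bit, but real keys
// carry it). Helper name is this example's own.
func ExpandDESKey(k7 []byte) []byte {
	if len(k7) != 7 {
		panic("ExpandDESKey: need exactly 7 bytes")
	}
	var v uint64
	for _, b := range k7 {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		seven := byte((v >> (49 - 7*uint(i))) & 0x7F)
		b := seven << 1
		if bits.OnesCount8(seven)%2 == 0 {
			b |= 1 // odd parity over all 8 bits
		}
		key[i] = b
	}
	return key
}

// DESL is the MS-NLMP DESL primitive: zero-pad the 16-byte key to 21 bytes,
// split it into three 7-byte DES keys, encrypt the 8-byte block with each,
// and concatenate the three ciphertexts into a 24-byte result.
func DESL(k16, block []byte) []byte {
	if len(k16) != 16 || len(block) != 8 {
		panic("DESL: key must be 16 bytes and block 8 bytes")
	}
	padded := make([]byte, 21)
	copy(padded, k16)
	out := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		c, err := des.NewCipher(ExpandDESKey(padded[7*i : 7*i+7]))
		if err != nil {
			panic(err)
		}
		enc := make([]byte, 8)
		c.Encrypt(enc, block)
		out = append(out, enc...)
	}
	return out
}

// NTLMv1Response is the NtChallengeResponse field of the Type 3 message when
// extended session security is not negotiated: DESL(NT hash, server challenge).
// Note the inputs: the hash and the challenge, never the password.
func NTLMv1Response(ntHash, serverChallenge []byte) []byte {
	return DESL(ntHash, serverChallenge)
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// MS-NLMP test vector (section 4.2.2): NT hash of "Password" and the
	// server challenge 0x0123456789abcdef.
	ntHash := mustHex("a4f49c406510bdcab6824ee7c30fd852")
	challenge := mustHex("0123456789abcdef")
	fmt.Printf("NTLMv1 response: %x\n", NTLMv1Response(ntHash, challenge))
}
```

A practical consequence of the structure: the third DES key is built from two real hash bytes plus five zero bytes, so an attacker who captures a challenge/response pair can recover those two bytes with at most 2^16 trial encryptions, then attack the remaining two 56-bit keys independently. That is why NTLMv1 responses are considered crackable and why NTLMv2 (HMAC-MD5 over both a server and a client challenge) replaced the scheme.
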
  3. #53
    prowl3r (Guest)

    Quote Originally Posted by o0hex0o
    Very true! I have just interviewed 20 people, all were selected by HR.

    I ask them 2 questions.

    First, walk me through NTLM v1 authentication and what's passed between the client and server.

    Second, what are chains in relationship to rainbow tables?

    No one has got the first question even close! A few have even asked what NTLM is.

    Also the info they get on the degrees looks to be a few years out of date.
    It's up to you how you hire people, however I fully agree with Lupin and other members. Those questions are in no way related to the job profile you posted; furthermore, they aren't appropriate for an infosec/pentest position interview.

    So, nothing personal, but I do believe you aren't qualified to hire people. As a result of it, the quality of the global process will be seriously limited by your own skills.

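The second interview question quoted above, "what are chains in relationship to rainbow tables", as an added worked example (constructed for this thread; not code from any post). A rainbow table stores only the two endpoints of each chain; a chain is built by alternating the hash function H with a column-dependent reduction function R_i that maps a digest back into the password space, so a lookup can rebuild the intermediate passwords on demand instead of storing them. The keyspace (4 lowercase letters), the hash (SHA-1), the chain length and all function names are this example's own choices; real tables use a far larger keyspace, longer chains and many more start points.

```go
package main

import (
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// Toy rainbow table over 4-character lowercase passwords hashed with SHA-1.
// Everything here is constructed for the example.

const (
	alphabet = "abcdefghijklmnopqrstuvwxyz"
	pwLen    = 4
	ChainLen = 200 // t: number of hash/reduce steps per chain
)

var keyspace = uint64(26 * 26 * 26 * 26)

// Hash is the one-way function H being attacked.
func Hash(pw string) [20]byte { return sha1.Sum([]byte(pw)) }

// Reduce is the reduction function R_i: it maps a digest back into the
// password space. The column index i is mixed in so every column uses a
// different R; that is what makes these rainbow chains rather than Hellman's
// single-R chains, and it is why two chains only merge if they collide in
// the same column.
func Reduce(d [20]byte, i int) string {
	x := (binary.LittleEndian.Uint64(d[:8]) + uint64(i)) % keyspace
	b := make([]byte, pwLen)
	for k := pwLen - 1; k >= 0; k-- {
		b[k] = alphabet[x%26]
		x /= 26
	}
	return string(b)
}

// ChainPoint returns p_k, the k-th password on the chain starting at start:
// p_0 = start, p_{k+1} = R_k(H(p_k)).
func ChainPoint(start string, k int) string {
	p := start
	for i := 0; i < k; i++ {
		p = Reduce(Hash(p), i)
	}
	return p
}

// Table maps a chain end p_t to the start points that reach it. Keeping a
// slice tolerates merged chains instead of silently dropping one of them.
type Table map[string][]string

// Build computes one chain per start point and keeps only its endpoints.
func Build(starts []string) Table {
	t := make(Table)
	for _, s := range starts {
		end := ChainPoint(s, ChainLen)
		t[end] = append(t[end], s)
	}
	return t
}

// Lookup tries to find a preimage of target. For each column i, from the
// last to the first, assume target sits in column i, walk the remainder of
// the chain to its end, and if that end is stored, regenerate the chain from
// its start to recover the password (or detect a false alarm).
func (t Table) Lookup(target [20]byte) (string, bool) {
	for i := ChainLen - 1; i >= 0; i-- {
		p := Reduce(target, i)
		for j := i + 1; j < ChainLen; j++ {
			p = Reduce(Hash(p), j)
		}
		for _, start := range t[p] {
			q := start
			for k := 0; k < ChainLen; k++ {
				h := Hash(q)
				if h == target {
					return q, true
				}
				q = Reduce(h, k)
			}
			// False alarm: the end matched but target was not on this chain.
		}
	}
	return "", false
}

func main() {
	tbl := Build([]string{"aaaa", "hunt", "zzzz"})
	target := Hash(ChainPoint("hunt", 57)) // a password known to lie on a chain
	pw, ok := tbl.Lookup(target)
	fmt.Println(pw, ok)
}
```

The lookup cost is about t^2/2 hash operations per target in the worst case, traded for storing only two passwords per chain; the false-alarm check at the end is what keeps merged or colliding chains from returning a wrong password.
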
  4. #54
    Junior Member (Join Date: Nov 2008, Posts: 35)

    Is knowing how a logon works that difficult a question for an admin?

    As I posted before, the question can be answered in a number of ways, from a basic response up to an in-depth technical response. It gives the candidate a chance to show how much they know. Most admins could answer this question correctly; it's how they answer that's important.

    A simple "it's a challenge response method" may get them the job, whereas a full-blown, in-depth technical response may show they are overqualified for the job.

    I have just asked some of the people here and they all gave a correct answer; even the first line help desk chap was able to give an answer that was non-detailed but correct.

  5. #55
    lupin, Super Moderator (Join Date: Jan 2010, Posts: 2,943)

    Quote Originally Posted by o0hex0o
    Is knowing how a logon works that difficult a question for an admin?
    I know some fairly competent Windows admins that couldn't answer this. When I started my career and was administering Windows networks I didn't know it for a while either, and I think I only initially came across it because it was in the Microsoft Training, at which point I learned it but didn't ever really need to use it. I only learned it in depth when I was studying authentication systems during my Masters Degree, but I haven't had the requirement to use it or refer to it again since so most of the specific details currently escape me.

    Knowing how it works is really only useful as an admin if you need to troubleshoot authentication problems with NTLM. In my experience this only seems to pop up if you use Samba, or a mix of old and new Windows servers, and you can usually solve the problem by searching the MS KB and following the instructions without ever having to know how it actually works.

    Besides which, this is a mobile device admin you are hiring, not a general Windows server admin. There is a justification for assuming that the guy who will be configuring your Active Directory should know about NTLMv1 (at least to know that it's a network authentication protocol), but I don't really see one for a mobile device admin knowing this, especially considering I was successfully doing the stuff you describe very early on in my career BEFORE I even knew what NTLMv1 was.

    Quote Originally Posted by o0hex0o
    A simple "it's a challenge response method" may get them the job, whereas a full-blown, in-depth technical response may show they are overqualified for the job.
    Personally I'd rather ask them to provide a full blown technical answer to a question they would need to know to do the job. An answer of "it's a challenge response method" tells you that the candidate may have been able to recall some snippet of the MCSE training that they crammed for but didn't understand. An answer that has a little more technical depth tells you that they understood the subject to at least some extent, but since it's not really relevant to the job it only really tells you something about their willingness to learn and not that they can do the job you are hiring them for. And a detailed technical response tells you that they are overqualified? Those possible answers don't seem like the most efficient way to find the best candidate for the job.

    A candidate who can't answer that question (as well as the one about Rainbow tables and chains) but who may actually be able to do the job is also likely to get turned off by being asked irrelevant questions during the process. They may erroneously think that they are not qualified, or they may think that YOU don't have a good idea about what the job will entail.

    If I'm hiring someone to be an intrusion analyst (for example) I would ask a question like, "Give me a detailed description of how the TCP session initiation process works". There are multiple different levels of answers you could give to that (from "it's a three-way process" all the way to talking about how the sequence/acknowledgment numbers change and negotiation of additional session-specific settings such as MSS and ECN), and each of them would tell you just how much the candidate knows about an area relevant to the job they will be doing. A good candidate will appreciate being asked challenging questions that are relevant to a job they are really interested in, instead of being forced to play your version of IT Trivial Pursuit.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  6. #56
    Junior Member (Join Date: Nov 2008, Posts: 35)

    Authentication of mobile devices is one of the key parts of the role, because of the way the business has grown through acquisitions and the services offered to customers and suppliers.

    We have mobile devices moving between all sorts of systems in acquisitions, customer sites, supplier systems etc., and there is a large range of systems to authenticate to.

    A device could be authenticating to head office on w2k8 AD today and tomorrow be in an acquisition using Novell 3, and later at a supplier using Samba to get data to go to a customer using workgroups. On top of this we have CRM systems to connect to for customers, suppliers and our own, custom Apex solutions etc., all requiring authentication.

    An assumption has been made that the mobile devices will be Windows connecting to AD, and this is far from what happens!

  7. #57
    lupin, Super Moderator (Join Date: Jan 2010, Posts: 2,943)

    Quote Originally Posted by o0hex0o
    Authentication of mobile devices is one of the key parts of the role, because of the way the business has grown through acquisitions and the services offered to customers and suppliers.

    We have mobile devices moving between all sorts of systems in acquisitions, customer sites, supplier systems etc., and there is a large range of systems to authenticate to.

    A device could be authenticating to head office on w2k8 AD today and tomorrow be in an acquisition using Novell 3, and later at a supplier using Samba to get data to go to a customer using workgroups. On top of this we have CRM systems to connect to for customers, suppliers and our own, custom Apex solutions etc., all requiring authentication.
    I still think that you could manage that job with your only knowledge of NTLMv1 being that it's an authentication protocol and that the protocol used by the server and client must match.

    So if your mobile device isn't authenticating, you check with the system admins to find which authentication protocols they allow, and you configure the device to use one of them. For bonus points you could even pick the most secure of the allowed protocols (in which case you might want to know that NTLMv2 is more secure than NTLMv1). If it still doesn't work, look at the Microsoft KB for details about problems with a specific client/server combo, fiddle with parameters, test an upgrade of the software to the latest version, and if desperate actually contact Microsoft or the support vendor for the Mobile Devices authentication client. If none of that works you are pretty much boned anyway, because you can't change the code of many of these authentication systems yourself because the source isn't open. (Samba is of course an exception, but even in that case I doubt many organisations will be wanting to put their own homebrew version of Samba into prod use)

    For all of those problems I mentioned though, I don't see how knowing NTLMv1 is challenge response is going to help, let alone knowing any of the more esoteric details.

    Maybe you would be better off asking which authentication protocols the mobile devices you use actually support, the relative differences between them (e.g which is more or less secure, which environments do they work in), and whether the applicant is aware of any caveats or problems with their use. That's actually a pretty good question (if I do say so myself) given the parameters of the job as you have described them.

    Quote Originally Posted by o0hex0o
    An assumption has been made that the mobile devices will be Windows connecting to AD, and this is far from what happens!
    I didn't assume that at all, but I don't know if anyone else did. My only 'assumption' was that detailed knowledge of NTLMv1 would not be relevant to that many jobs, but that's really more of a logical deduction than an assumption.

