Sunday, July 27, 2008

The Importance Of Internal Monitoring

So last assessment I got caught on the first internal port scan. Seems that all the internal routing was done via static routes so when I tried to scan a subnet that wasn't being used those packets would hit the firewall and then create a syslog error which in turn would display on the big TV in the NOC. Bummer for me...of course I didn't know this at the time, I just knew they saw me.

Second try. I had 2 class B's to look at so I took one of the shells from the snapshot viewer exploit and had it ping .0 of every class C in the network range. Whatever replied I took as a "good" subnet and if it didn't I marked it as not having anything listening and removed it from subsequent scans. Did I miss some boxes? Probably...didn't matter in this case.

Armed with my new ranges, minus off limit ones and dead ones, I started a new nmap scan looking for just a few ports that I had exploits for and let it roll at a blistering T2 pace. It did its thing and finished like 40 hours later and then I did my thing trying to do some manual enumeration and exploitation.

I upped the intensity as the week went on and never had any other trouble or any of my "worker bees" taken off line for misbehaving. So all was good.

At the outbrief it was determined that I found a fatal flaw with their system that there was no internal IDS monitoring for suspicious activity on the LAN. Had their been I probably would have been seen again but they had figured that anyone getting into the network would make the same mistake I had made the first time and scan or try to exploit non-used networks and they would catch them. I lucked out that 1) my ping sweep wasn't logged (should have been) or wasn't noticed after the fact and 2) I had more than one box on the LAN...I figured it was 50/50 that I would get seen with the ping sweep and worst case it would lead back to one of their boxes and not mine.

So what's the point? You need something watching your internal network even if its for the straight up blatant shit that could be happening. Had something been in place they would have definitely caught later port scans, enumeration, and exploit attempts.

5 comments:

JayCJames said...

Bloody Hell, 2 B's and no IDS?
Did I read that right?
And the NOC syslog didnt catch any *nix boxes reporting any kind of connections?

CG said...

evidently not, and suffice to say i made "plenty" of connections.

i did run into the interface for a cisco mars but i dont think it was set up correctly or not being monitored --manpower issues

jaycjames said...

Theres so much wrong here, its hard to pick stuff to comment on :)

Why MARS if its not done right?!

Oh well.

Would love to see the faces of the client when the report is final.

CG said...

@jay

I think they knew alot was wrong, hence the outside look. now they have some more ammunition for some more people and $

Anonymous said...

Hi! Could you do a review of the eee PC900 used as a pentest machine?