[GRLUG] PCI v1.2 Compliance.
dagda at pathwaynet.com
Thu Dec 11 15:32:39 EST 2008
>> Of course, the penetration tester asked for a username and password on
>> these machines and the ports the consoles were running on. And I didn't
>> give them to him.
>>
>> I gave him a Debian SID machine with a minimal install (but a public
>> interface and a private interface with SSHD running on the public side
>> only), without any obvious way to get things onto the machine. No FTP,
>> no SCP (ssh client stuff), no wget, no curl... in fact the only thing
>> available was netcat and a few other "networking" tools left around. He
>> called me immediately and asked that I install this and that, with a
>> smattering of these things, a compiler and other nice-to-haves. I said:
>> "No, you are the penetration tester. I gave you a machine that I'd place
>> on the Internet straight, and I even gave you tools I'd typically not
>> leave on the machine."
>>
>> He reported us as non-compliant; I challenged that declaration. I won, as
>> I was able to demonstrate the idiot wasn't a good penetration tester. He
>> had a public interface *WIDE* open and a private interface *WIDE* open,
>> with no IPTABLES loaded, no routing or forwarding ability. Effectively
>> an SSH relay machine with SSH turned off on the private side. I used
>> netcat and a combo of the tools on the machine to GET a compiler, a set
>> of rootkits, a remote command daemon and other things installed,
>> including libraries and many other things needed for compiling. I then
>> went on and installed apache2, MySQL, nessus and other pieces to scan
>> the interior network, and also nmap to sweep the network. All from HIS
>> account, without ever using root. I even found the IDS and other
>> monitoring machines and the logging server (though I couldn't get to
>> them, as things are configured for access). All in all it took about 4
>> hours longer to get everything installed and compiled in his userdir...
>> but it all worked like a charm.
>>
>> By the way... Don't use TrustWave as a PCI QSA (or whatever it's called).
>> Hint hint.
>>
>
> I find that part the most interesting of all. It sounds like you gave
> the tester the keys to the castle and he/she went right ahead and
> shoved them up their ass for lack of knowing what to do with them.
> Not being at a company that has any publicly facing anything from this
> office, I don't have any experience with pen testers. Are they
> typically this bad? Are they mostly just script kiddies that need a
> Windows box to run an automated test from? That situation is really
> slightly scary/sad in the end. After you proved your point, did you go
> out and find another pen testing firm worth their salt?
>
I'm very interested by this as well.
Was this QSA supposed to be doing a PCI audit or a Penetration Test?
What was the purpose of giving him a machine on the network?
-Brian
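The host in the quoted account exposed a daemon on the public interface with no packet filter loaded, and the dispute turned on whether anything else was reachable. The script below is an added example, not code from anyone on this thread: it shows the check a defender would run on such a box before handing it over, namely listing which TCP listeners are bound to every address (and therefore reachable on the public and private interfaces alike) and whether any netfilter rules are actually loaded. The `ss -H -ltn` output it parses is a constructed sample, not captured from the machine described.

```shell
#!/bin/sh
# Added example: audit a dual-homed host for wildcard listeners and a loaded filter.
# SAMPLE_SS is a constructed stand-in for `ss -H -ltn` output (no header line);
# on a real host, feed it with:  wildcard_listeners "$(ss -H -ltn)"
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.0.0.5:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# Print, one per line, the ports of listeners bound to every address
# (0.0.0.0, [::] or *).  A daemon bound like this answers on the public and
# the private interface alike; one bound to 10.0.0.5 or 127.0.0.1 does not.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print port
        }' | sort -un
}

# Return 0 if at least one iptables rule (an "-A" line in iptables-save output)
# is loaded, 1 if the tables are empty, 2 if iptables-save is not installed.
# Needs root to read the tables; not exercised by the sample data above.
filter_loaded() {
    command -v iptables-save >/dev/null 2>&1 || return 2
    iptables-save 2>/dev/null | grep -q '^-A'
}

# Stand-alone run: report the wildcard listeners found in the sample.
# (Prints "22" and "8080" for SAMPLE_SS; 3306 and 631 are address-bound.)
report() {
    found="$(wildcard_listeners "$1")"
    if [ -n "$found" ]; then
        echo "listeners bound to all interfaces (ports):"
        printf '  %s\n' $found
    else
        echo "no wildcard listeners"
    fi
}

report "$SAMPLE_SS"
```

On the box from the story, this would have shown sshd on a wildcard bind (so "SSH turned off on the private side" depends entirely on sshd's `ListenAddress`, not on the filter) and `filter_loaded` returning 1. The fix on the defender's side is the usual pair: bind each daemon to the interface it is meant to serve, and load a default-deny INPUT policy so a service bound to 0.0.0.0 by mistake is still not reachable from the wrong side.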