news from the noc – penetrated

Our onsite office security audit/pen-test began in earnest late this afternoon with some quick full scans against our servers and network infrastructure.

The two testers loaded up some initial tools. The Mac user loaded Rendezvous Browser (Rendezvous was Apple's name at the time for what is now Bonjour, i.e. mDNS/DNS-SD service discovery) and immediately spotted some interesting things. First, he located our printers with little effort. Second, he spotted our two Mac computers. Third, he spotted 4 iTunes users (2 Macs and 2 iPods). Fourth, he spotted two iTunes installs that had open guest listening. Fifth, one of the Macs had AppleShare turned on. And lastly, shared on that AppleShare was a piece of commercial software which I am unsure is properly licensed or not. Whew…all in minutes with one unobtrusive free tool.
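What Rendezvous Browser does under the hood is a single multicast DNS query for the service-enumeration name, then a PTR query per service type it gets back. Below is an added example of that, written for this post and not part of it or of any Apple tool: it builds the query, parses the DNS-SD PTR records in a response (including RFC 1035 name compression, which real responders use), and maps the service types to the things the audit found. The sample response is constructed here (the instance names are made up); `browse()` is the live version and needs a LAN to return anything.

```python
import socket
import struct

MDNS_GROUP = ("224.0.0.251", 5353)
SERVICE_ENUM = "_services._dns-sd._udp.local"   # "list every service type you offer"
PTR = 12

# Registered DNS-SD service types behind the things the audit spotted; descriptions are ours.
NOTEWORTHY = {
    "_daap._tcp.local": "iTunes music sharing (DAAP)",
    "_afpovertcp._tcp.local": "AppleShare / AFP file sharing",
    "_ipp._tcp.local": "IPP printer",
}

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a name at offset, following compression pointers; returns (name, offset past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # 2-byte pointer into the packet
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)

def build_query(name=SERVICE_ENUM):
    """One-question PTR query. QCLASS 0x8001 is IN with the unicast-response
    bit set, so responders answer our socket instead of the multicast group."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", PTR, 0x8001)

def build_ptr_response(records):
    """Constructed response of PTR (owner, target) records; repeated owners become pointers."""
    packet = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, len(records), 0, 0))
    seen = {}
    for owner, target in records:
        if owner in seen:
            packet += struct.pack("!H", 0xC000 | seen[owner])
        else:
            seen[owner] = len(packet)
            packet += encode_name(owner)
        rdata = encode_name(target)
        packet += struct.pack("!HHIH", PTR, 1, 4500, len(rdata)) + rdata
    return bytes(packet)

def parse_ptr_records(data):
    """Walk every resource record in a response; return [(owner, target)] for the PTRs."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                  # skip any echoed questions
        _name, offset = decode_name(data, offset)
        offset += 4
    found = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            found.append((owner, decode_name(data, offset)[0]))
        offset += rdlen
    return found

def classify(ptr_records):
    """Turn PTR records into findings: service types advertised, then named instances."""
    findings = []
    for owner, target in ptr_records:
        if owner == SERVICE_ENUM and target in NOTEWORTHY:
            findings.append(f"advertises {target}: {NOTEWORTHY[target]}")
        elif owner in NOTEWORTHY and target.endswith("." + owner):
            findings.append(f"{NOTEWORTHY[owner]} instance: {target[:-len(owner) - 1]}")
    return findings

def browse(timeout=2.0):
    """Live version: multicast the enumeration query and collect replies. Needs a LAN."""
    records = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(), MDNS_GROUP)
        try:
            while True:
                records.extend(parse_ptr_records(sock.recvfrom(9000)[0]))
        except socket.timeout:
            pass
    return records

# Constructed sample: what a Mac with iTunes sharing and AppleShare on, plus a
# printer, might answer. Instance names are made up for this example.
SAMPLE_RESPONSE = build_ptr_response([
    (SERVICE_ENUM, "_daap._tcp.local"),
    (SERVICE_ENUM, "_afpovertcp._tcp.local"),
    (SERVICE_ENUM, "_ipp._tcp.local"),
    ("_daap._tcp.local", "Shared Library._daap._tcp.local"),
    ("_afpovertcp._tcp.local", "Marketing iMac._afpovertcp._tcp.local"),
])

if __name__ == "__main__":
    for line in classify(parse_ptr_records(SAMPLE_RESPONSE)):
        print(line)
```

The point for the defender is that nothing here is an attack: every host answers this query by design, so anything you would not want a visitor on the office LAN to see (file shares, music libraries, printers with open admin pages) should simply not be advertised, or the segment should not carry multicast from guest ports.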

Pen-testing kicked off later. The Mac user ran an nmap scan while the PC user fired up ISS Internet Scanner. They also talked about using John the Ripper, Cerberus, and Kismet (wireless) for further testing.

A number of things were spotted, and I'll just go through a laundry list for my own benefit…please remember, this is only the first half day.

  • We allow open email access, i.e. people can download their Hotmail mail from the office. Also, SSL is not enforced for mail.
  • Two of our switches are running old firmware that is easily exploited.
  • Our switches have their HTTP management interface turned on, which is not cool.
  • Domain password policies do not seem to be working globally. Some passwords are beyond easy.
  • People running as local admin was flagged as a concern, since it lets them circumvent acceptable use policies.
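Two of those findings (HTTP on the switches, plaintext mail not forced to SSL) fall straight out of the nmap scan, and they are worth re-checking after cleanup rather than waiting for the testers to come back. The following is an added example, not the testers' tooling or the post's own: it parses nmap's grepable output (`-oG`) and applies those two checks. The scan output is constructed here (addresses and hostnames are made up), and it assumes switches are named `sw-*`; a real environment would key off an inventory instead.

```python
import re

# Constructed sample of `nmap -oG -` output, not a real scan. Hostnames and
# addresses are made up; the scanned port list is 21-25,80,110,143,443,993,995.
SAMPLE_NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -sS -p 21-25,80,110,143,443,993,995 -oG - 10.0.0.0/28
Host: 10.0.0.2 (sw-core.office.internal)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (9)
Host: 10.0.0.3 (sw-floor2.office.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (9)
Host: 10.0.0.10 (mail.office.internal)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 143/open/tcp//imap///, 993/open/tcp//imaps///\tIgnored State: closed (7)
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

def parse_grepable(text):
    """Return {ip: {"host": name, "open": {port: service}}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields: Host, Ports, Ignored State, ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = re.match(r"(\S+)\s*\(([^)]*)\)", fields["Host"])
        ip, name = m.group(1), m.group(2)
        open_ports = {}
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue
            parts = entry.split("/")          # port/state/proto/owner/service/rpc/version/
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open" and proto == "tcp":
                open_ports[port] = service
        hosts[ip] = {"host": name, "open": open_ports}
    return hosts

def audit(hosts):
    """Apply the switch-management and plaintext-mail checks to parsed hosts."""
    findings = []
    for ip, info in sorted(hosts.items()):
        name, open_ports = info["host"], info["open"]
        label = f"{ip} ({name})"
        if name.startswith("sw-"):            # assumption: switches are named sw-*
            if 80 in open_ports:
                findings.append(f"{label}: HTTP management interface open on 80/tcp; disable it or restrict it to the management VLAN")
            if 23 in open_ports:
                findings.append(f"{label}: telnet open on 23/tcp; use SSH")
        # A port scan only shows listeners. A 110/143 listener that refuses
        # LOGIN before STARTTLS is acceptable; one that takes plaintext passwords is not,
        # so these get flagged for a follow-up check rather than declared broken.
        plaintext_mail = sorted(p for p in (110, 143) if p in open_ports)
        if plaintext_mail:
            findings.append(f"{label}: plaintext POP/IMAP listeners on {plaintext_mail}; verify STARTTLS is mandatory or close them")
    return findings

if __name__ == "__main__":
    for line in audit(parse_grepable(SAMPLE_NMAP_GREPABLE)):
        print(line)
```

Run it against the real output of `nmap -oG -` once the switches have been fixed, and the two switch lines should disappear while the mail line stays until the server either drops 110/143 or rejects plaintext logins on them.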

At any rate, I'm not terribly surprised by the results, and this sort of thing excites the heck out of me, especially seeing testers like these run the tools this way and basically confirm what I've always known about how to use them effectively, but had never had confirmed. I am, however, concerned about what they find, since every bit they find will mean additional talking about why it is bad, and additional time spent mopping it up or attempting to wrest it back under control.