Amen on exploitation vs politics. Must devise some sort of political
0day. I gotta be honest though, many places don't even do much if you
show them you have a remote SYSTEM shell. A lot of times I'll come
back a year later to a place and get in with the same bugs, even find
my same backdoor accounts (which they were aware of and promised to
remove) still there. Makes the pentest alot quicker / easier though.

They will rationalize their lack of fixing things one way or another,
whether it be resources, time, what the fix might break, etc. I've
also hears "well of course you got in, your GOOD, not like the real
attackers", or worse "well you got in because you know about stuff
here, no one else will figure that out".

I'm not sure any certification, even Dave's, will make these kinda
places more likely to listen. (Since we started on the subject of the
cert :)

V.

ps I realize I am much too fond of parenthesis in my posts, sorry.

Makes me wonder what kind of work other people are doing! Wherever I've
worked, security consulting followed penetration testing and in that
consultancy we advised the client. We had little time to test the security
let alone actually exploit anything so that if we couldn't provide a trophy
from some major bump and jump we could still report effectively on how
exposed they were to business losses caused by competitive intelligence, HR
leaks, client leaks, and of course poor use of system controls. The root
shell was nice to have if we could get it but it was not our priority and
it definitely was not what we needed to inform the client of their
problems. And if they chose not to fix them then that is their choice on
how to manage risk. I've seen pen-testers flip out because the client's
tech staff chose not to stop using email address names for extra-net
logins. They felt the risk wasn't there. That's actually their decision to
make because I don't see their balance sheets and I don't know their
business strategy and in the end it's their gamble to make. They have my
report and my notes and my tests. I can't do more.

Isn't our top job to thoroughly audit the security and safety of assets and
properly report. Properly protected infrastructures do not require
patching to maintain security. Therefore we shouldn't do free (for the
development company) Q&A on shrink-wrapped software as part of the job. We
should always assume that shrink-wrapped software, even up to the latest
patch level, will still have holes so we need to make sure that even if
exploited, proper controls assure nothing is lost.

I like the idea of a certification on writing exploit code. I think
there's a lot of q&A jobs where that would be a good fit, even on a
pen-testing team. You should team up with the OSVDB guys to offer
something less vendor-centric though. Of course you could always work with
ISECOM too....

-pete.

On Wed, Jul 16, 2008 at 12:48:46AM -0400, Dino A. Dai Zovi wrote:
...
| Finding and exploiting an 0day vuln in the app server and being able
| to call the admin up and tell him that you have a remote SYSTEM shell
| on it from the Internet makes the point much better. After they pick
| the phone back up, they usually start doing whatever it takes to fix
| the problem as soon as possible.
|
| Without vulnerability exploitation skills, effecting that change would
| have required a political battle and I'm distinctly better at
| exploitation than politics.

Is the person paying your salary better at exploits than getting
things done in an org? Are they better at creating crisis than
creating culture change?

Both problems are common, and I think it's helpful of Dino to point
them out. At the same time, I think we need more security people who
can get fixes prioritized without the sploit.

Adam
(Speaking for your employer, not mine. ;)

| On Tue, Jul 15, 2008 at 2:38 PM, val smith
| <***@offensivecomputing.net> wrote:
| > I'm going to have to award the point to Thomas here. The scenarios he
| > presented are very often what I get myself. Super compressed time
| > frame, unlikely to achieve goal so any time I spend developing tools
| > or exploits is time I lose achieving the goal.
| >
| > I've also recently had an app test where I had something like 6 hours.
| > There was no way (for me cause I suck) to come up with working exploit
| > in that time, but I was able to find half a dozen bugs and report
| > them. In this case knowing how to write an exploit wouldn't do me much
| > good.
| >
| > However I'll have to say i've run into maybe 1 place in the world
| > where getting access to 1 host didn't get me much. (mac locking on
| > ports, 1 time passwords everywhere, no shared admin accounts, or admin
| > from console only, lots of vlanning, etc.)
| >
| > Cheating is what its all about. I have this think I call the cooking
| > show hack. You know in a cooking show how they make the food and put
| > it in the oven then pull one out already cooked and try it. Same thing
| > but with rootshell :)
| >
| > Fuzzy kiddies just sounds wrong man, just wrong.
| >
| > V.
| >
| > On Mon, Jul 14, 2008 at 6:18 AM, Thomas Ptacek <***@matasano.com> wrote:
| >>> Anyone can fire a fuzer, find a bug and tell their client about how
| >>> exploitable it is.
| >>> People then will talk about ret-to-libc and malloc tricks that really
| >>> don't work anymore in modern systems.
| >>
| >> This is NO DOUBT true. It is obviously much HARDER to exploit modern
| >> memory corruption flaws than it is to find them. Respect, yo. S'all
| >> love in here.
| >>
| >> The problem is, it is not MORE VALUABLE to exploit memory corruption
| >> flaws than it is to find them. Consider two scenarios:
| >>
| >> (1) A shrink-wrap software pen test, for a vendor or a customer ---
| >> the target is one application. You have 5 days. Unless you think you
| >> can sweep 500,000 lines of C code clean of vulnerabilities in 40
| >> hours, an hour spent on exploit dev is an hour not spent finding
| >> vulnerabilities.
| >>
| >> (2) A network penetration test. You have 5 days. Unless you have found
| >> the zero enterprises in the world where access to their network
| >> doesn't immediately offer up 30 different mass casualty scenarios, an
| >> hour spent on exploit dev is an hour not spent breaking into systems.
| >>
| >> We could go back and forth on (2) --- no doubt there are NPT's where
| >> being able to bust CreateProcess in some sleazy Windows backup
| >> software is going to win the game for you (there are also NPTs where
| >> the client says, "tell me about the zero-day mass casualty exploits
| >> you could have run, but don't stop testing until you get in without
| >> cheating").
| >>
| >> And another thing: we all know about the "fuzz kiddies", but that
| >> doesn't make all vulnerability research a matter of aiming /dev/random
| >> at a socket and writing an advisory on the xor ebx,ebx; mov eax, [ebx]
| >> findings. Plenty of people cheat at writing exploits too.
| >> _______________________________________________
| >> Dailydave mailing list
| >> ***@lists.immunitysec.com
| >> http://lists.immunitysec.com/mailman/listinfo/dailydave
| >>
| >
| >
| >
| > --
| > ******************************************
| > * Val Smith
| > * CTO Offensive Computing, LLC
| > * http://www.offensivecomputing.net
| > *******************************************
| > _______________________________________________
| > Dailydave mailing list
| > ***@lists.immunitysec.com
| > http://lists.immunitysec.com/mailman/listinfo/dailydave
| >
| _______________________________________________
| Dailydave mailing list
| ***@lists.immunitysec.com
| http://lists.immunitysec.com/mailman/listinfo/dailydave