Re: root kit detection/penetration

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Thu Sep 15 2005 - 05:41:11 EDT


cdewitt@indepthsec.com wrote:

> What are the best practices for penetration testing the viability
> of placing root kits on a client's external servers - vpn, web,
> app...?

If you did not write it yourself _and_ are confident that its impact
on business-critical systems is 0, don't do it. If you have the
capability to install a root kit on an external server the game is
over; it might be better for you (and for the client) to allow you to
plug a system (laptop) into the external server LAN and go from there
than to compromise production servers. Of course, that depends on the
value your customer places on those servers.

> And, while I'm asking - what are the best practices or
> countermeasures for root kit placement?

Properly bastion hosts and severely limit the capabilities of the users
the services exposed to the Internet are running as (i.e. defense in
depth, chroot jails, up-to-date patched systems, etc.), including
host-IDS with (in Windows) updated antivirus (which will carry rootkit
signatures too) or (in UNIX) rootkit detectors.

> What root kits are still viable/current?

Too many to list, take a look at http://packetstormsecurity.org/
For UNIX: http://www.packetstormsecurity.org/UNIX/penetration/rootkits/

> All comments/tomatoes welcome...cd

Tomato.

Javier
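[Editor's note, not part of the original message: the "host-IDS / rootkit detector" countermeasure above boils down to knowing what your system binaries looked like before the intruder got there. The following is an added example, not Javier's code and not any particular tool's, showing the file-integrity baseline such detectors keep: it hashes a tree, records ownership and mode alongside the digest, and classifies drift. The fake /usr/bin contents, the trojaned ps, the hidden setuid helper and the netstat symlink are all constructed inside a temporary directory for the demonstration.]

```python
"""
File-integrity baseline, the host-IDS style check a UNIX rootkit detector
runs over system binaries.  Example code added to this archived thread;
it is not part of the original message.  All sample files are constructed
in a temporary directory, nothing on the real system is touched.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Record hash, mode, uid, gid and size of every regular file under root.

    Paths are stored relative to root so the baseline can be re-checked from
    rescue media that mounts the disk elsewhere.  Symlinks are not followed:
    a binary swapped for a link to the intruder's copy shows up as a type
    change instead of being hashed transparently.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            rel = p.relative_to(root).as_posix()
            if stat.S_ISREG(st.st_mode):
                baseline[rel] = {
                    "sha256": _sha256(p),
                    "mode": stat.S_IMODE(st.st_mode),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "size": st.st_size,
                }
            else:
                baseline[rel] = {"type": stat.S_IFMT(st.st_mode)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two baselines.

    'modified' covers any change in digest, permissions, owner or size; a
    setuid bit appearing on an otherwise identical file is a finding too,
    which is why mode is compared and not only the hash.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        rel for rel in set(baseline) & set(current)
        if baseline[rel] != current[rel]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake usr/bin, then simulate a rootkit."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root) / "usr" / "bin"
        bin_dir.mkdir(parents=True)
        for tool in ("ls", "ps", "netstat"):
            (bin_dir / tool).write_bytes(b"#!/bin/sh\nexec /bin/" + tool.encode() + b' "$@"\n')
            (bin_dir / tool).chmod(0o755)

        before = build_baseline(root)

        # Simulated userland rootkit (constructed, not real malware): ps is
        # trojaned to filter a process name, a hidden setuid helper is dropped,
        # and netstat is replaced by a symlink to an attacker-controlled copy.
        (bin_dir / "ps").write_bytes(b'#!/bin/sh\nexec /bin/ps "$@" | grep -v evil\n')
        (bin_dir / "ps").chmod(0o755)
        (bin_dir / ".sshd_helper").write_bytes(b"\x7fELF fake payload")
        (bin_dir / ".sshd_helper").chmod(0o4755)
        (bin_dir / "netstat").unlink()
        os.symlink("/tmp/.x/netstat", bin_dir / "netstat")

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(demo())
```

The caveat that goes with this: the baseline and the checker are only as trustworthy as the environment running them. Once an attacker has root, a kernel-level rootkit can feed this script clean bytes for a trojaned file, so the baseline belongs on read-only or off-host storage and the comparison should be run from known-good media, not from the possibly compromised host itself.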




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:54 EDT