I think one of the more fun & spectacular techniques is to show them session hijacking of a telnet session or an X-Windows session or the like. Tools like T-Sight and IPWatcher from Engarde are excellent for this, and there are others like Hunt that you might want to use for session hijacking. It is always effective to show them serious vulnerabilities on real production systems - in a way that doesn't make it seem like you are picking on anyone in attendance (you don't want to alienate anyone). For example, if you can remotely gain access and root/admin level privs in a matter of seconds or a few keystrokes, they often are impressed. I would replay or show the results of that kind of thing if you are unable to do so at the time. I would definitely show them session sniffing to illustrate the problem with unencrypted logins.

Every manager and executive needs to see the hacker's disappearing act - such as blowing WTMP/UTMP and hiding processes (either with utilities, backdoors, or rootkit). They need to see that standard logging is not in effect on backdoor access, and that the hacker can effectively hide himself on a system including processes, files, directories, network connections, etc.

Most Executives and IT Managers need to see how fast most NT/2000 passwords crack (on most networks with the LANMAN hash enabled). You can get the majority of passwords in a couple of days, especially if you know what you are doing (have a dictionary of previously cracked passwords from prior audits, and analyze the last few password cracks for character frequency - so you can brute force crack most efficiently). I'd start it at the beginning of the effort and then produce results at the end. LC3 can output results without displaying actual passwords, although maybe a top executive or two should see how poorly people often choose the passwords in the first place. They need to understand how big a problem this is and how trivial and quick it is to crack.
Senior executives are not all that technical and have short attention spans. I would think that tying your testing to important or sensitive business processes, or illustrating financial or other impact to the business, is as important as a flashy demo. Nothing got my CEO's and Exec VP's attention like seeing the primary financial and other business-critical systems compromised. In the words of one CEO I worked for in the past, "if someone gets these other systems they may get the company's money. If someone gets this particular financial system they get **REAL** money".

These are just a few suggestions, but there are really lots of things you can do. ARP spoofing is interesting (dsniff). Web based vulnerabilities. Enumeration of NT/2000 networks via null user, open network shares. SNMP often reveals A LOT, and some Cisco tools can be fun! Getting a router and displaying all known routes. Illustrating common stupid things like r-services issues and trusts, NFS mounts of user space, improper file permissions, displaying what services remotely advertise about the system (rusers, finger, SMTP VRFY/EXPN, showmount, rpcinfo, etc., etc.).

IT Managers will be more technical and some may be defensive - more oriented at providing services and features than in doing things securely - and feeling adversarial about security (like you are there to make their life more complicated and make them look bad). It is really important to get these guys on your side to be effective. Having the ability to generically discuss vulnerabilities in each IT Manager's area of business is also a positive (and it can disarm them somewhat - it's hard to argue against the facts), but actual details must be provided discreetly with each individual manager. The "names can be changed to protect the innocent" if you want to use actual data for examples in your presentation.

Anyhow, have fun and keep it interesting. Don't bog down too much in the technical details. Just do a quick show and tell.
Keep it simple. Good Luck!! - Mike

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Oct 04 2001 - 11:07:45 PDT