PIVA and AIVA... What DO they mean???
I have just performed a PIVA and an AIVA (new acronyms for me) or Passive Internet Vulnerability Assessment and an Active Internet Vulnerability Assessment. The assessed company contracted their auditing firm to do both kinds of assessments. The auditors hired three "consultants/firms" to do them... We each did both... from anywhere we chose, except from inside the company. We could have "colluded" with each other... but the other firms (yes, firms, I was the only single consultant) chose to "KEEP" the secrets... BTW, the company is 100% Windows at the borders, even the routers... even the VPN stuff... They have about 1100 client nodes and about 200 server nodes...

The other two firms found about 1/3 as many exploits/holes/improprieties as I did in the Passive phase... Which means that we were not supposed to be detected whilst gathering the information. One was discovered and basically shut off from any traffic to them, too bad for them.

I was able to touch without incident ALL of their App Servers, Database Servers and Reverse Proxied Webservers all without going through the "Proper" way... Riding on "Other" traffic the whole way. I was able to query their "AD" and Dynamic DNS servers directly. I was able to get IPC$ from nearly all their major document data stores. I was able to basically map the WHOLE shooting match inside the firewall. All without actually doing anything "suspicious"... as I just knew they were using a couple of "network analyzers/watchers"... but in a switched environment... it is indeed rather hard to watch the stuff properly... unless the sniffer is actually one of the routes to and from... needless to say, I found quite a few fat cows to butcher during the active process.

I also garnered a _TON_ of social engineering data to be used in the active phase, it is literally amazing what people actually put into AD when they believe it is secure. I wasn't able to get actual login data... but the Description data of "containers" in AD for them were basically a sketch of the company's hierarchy. I could probably guess how their naming convention goes... as e-mail address names are typically duplicates of the login-name.


The PIVA gave a ~60 page report (single spaced and small margins w/o letterhead), on just the stealthy practices I used and the vulnerabilities I found. Yes, a lot of the servers had Telnet on, anonymous FTP (with put capacity), open printing from anyone, mail didn't use PGP if available, passwords in the domains were not encrypted... ;) as I KNOW they have unpatched Win95 (non-Winsock 2) still on some machines from the traffic patterns... Plus a plethora of SQL issues that can cause DoS issues for them, some IIS installs are not even close to being up-to-date. Heck, a couple of servers were NT4 pre-SP3.. yeeek! All in all though they do manage to keep MOST of the script kiddies out with the common tools available and without much loss of life.

Now on to the AIVA. Let's just say... Poisoning Dynamic DNS was very very easy. Getting their AD to trust a machine outside their Firewall was simple. Social engineering is a BIG tool nearly EVERYONE forgets about. I was able to send e-mail to the CIO from someone's account, I was able to get a "consultant" login and actually get at sensitive data for the company, I was able to get account numbers, SSNs for employees, login account names and even some passwords kept in a "password protected" Excel spreadsheet. I was able to get MY "rogue" network to appear to be part of their network using the consultant accounts... therefore becoming trusted in the process... I had a W2K server on my desk as part of their AD. I actually found a "left over" machine they had taken the apps off... but left in the domain for "safety's" sake.. it being the "first" BDC they ever had.... NOT any more... mine was that machine shortly thereafter. WRMMC or Windows Machine Management Console is a wonderful thing... for people like me... I then changed the Admin Password for the Domain, removed my machine from their domain... and then e-mailed it to the "admin" and "CIO" and the Auditors all at the same time. That was my "agreed upon" signal I was done with my assessment. I left all kinds of signs I was there... but did no damage to them.

They really didn't know I was even ON their network. But the management DID know there were going to be three attempts. Little did I realize I was the last one to do either part. They had taken EXTRA measures once they found the one firm doing tests and such, then were told about the active assessment. Where? I never saw them... and I looked too.

Overall this company would be easy prey to someone without scruples and with a good amount of skill. I was the only one to compromise the entire network... without causing havoc. I guess finesse is one of life's finer qualities... and a reason I got to do so much without being found. I didn't hammer on the door, or step heavily or leave the door open. I was also told I was the only one to actually get critical data and actually change the Administrator password for the domain. Boy oh boy... if I were evil... people'd HATE me for sure.

After I submitted my report to the auditors, the whole report was basically re-formatted without changing any wording or content (maybe misspellings though), to fit the "report" format they used. I was very proud of it. Auditors were very happy with it... evidently so was the Company. I got $4000 (and a 1099 form) for the work I did.

One bad thing though... Michigan State Police showed up this morning... 7AM. 4 MSP Cruisers, 2 MSP Yukons, 2 MSP "Package" Vans and an unmarked car with about 2 billion antennas on it. The Detective came to the door... Rang the door bell... my Brit-Spaniel barked his head off... woke everyone up. I was asked to get ready and of course I asked him to come in... he declined... I got ready... heart pumping... My wife "innocently" happened to ask him if I were being arrested... No was the answer...

Now I start to think... WTF is going on here... awwww SHITE!!! DMCA or UCITA or some damn crap... I knew it... Just as I was getting my poop-in-a-group *FINALLY*...

Well, to make a long story short, I compromised a... "company" set up in Networking and computers only... The servers were real... the client nodes were not... They were being simulated with some new hardware designed to stress systems and make it appear to be a real live setting. It did... I fell for it hook, line and sinker. The only time they really knew I was inside their network was when I was dialed in and when the VPN showed activity beyond "typical" traffic.

I spent the whole day explaining just how I was able to do the things I did. I went through everything I did... how I did what I did, why I did them in the order I did... basically my whole game plan. BTW they have had this in the works for quite a while I guess... as the domain and addresses have been assigned quite a while. I was paid $200/hour for 12 hours today... check (and 1099 form) given as I left the unmarked car at home.

I am guessing they are doing this stuff to beef up their "Computer Crime" people. I was also told they'd be calling me from time to time, to do some things for them on the side... nothing THIS complex... but could be a lot more work though... hmmm I wonder...

So... how was your day today???

greg - scared-shitless Grand-Master Artist in IT,
curley95@attbi.com -- [link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!!!]
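The post above makes two points about Active Directory that are worth turning into a repeatable check: the `description` attribute of OUs and users reads like an org chart, and the mail local part usually equals the login name, so logins are guessable. The following is an added example (not code from the original post or from any tool it names): it parses an LDIF export of the kind `ldifde` produces, flags descriptions that carry password-like strings, pulls the OU descriptions out as the "hierarchy sketch", and measures how often mail and sAMAccountName coincide. The LDIF sample is constructed for this example, and the password regex is an assumption about what a leaked credential looks like; run the real thing against your own export.

```python
"""Audit an AD LDIF export for descriptive attributes that leak org structure
or credentials. Added example, not from the original post. The sample LDIF
below is constructed; PW_RE is an assumed heuristic, not an exhaustive one."""
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample resembling: ldifde -f out.ldf -d "DC=corp,DC=example"
# Note the folded line (leading space) on the svc-backup description.
SAMPLE_LDIF = """\
dn: OU=Finance,DC=corp,DC=example
objectClass: organizationalUnit
description: Finance dept - reports to CFO (jsmith), floor 3

dn: CN=jsmith,OU=Finance,DC=corp,DC=example
objectClass: user
sAMAccountName: jsmith
mail: jsmith@corp.example
description: CFO. temp pw Summer2002! until reset

dn: CN=abrown,OU=Finance,DC=corp,DC=example
objectClass: user
sAMAccountName: abrown
mail: alice.brown@corp.example
description: Finance analyst

dn: CN=svc-backup,OU=Services,DC=corp,DC=example
objectClass: user
sAMAccountName: svc-backup
description: backup service account, password=B4ck
 up!

dn: CN=printer01,OU=Devices,DC=corp,DC=example
objectClass: printQueue
description: 3rd floor HP
"""

# Assumed heuristic: a password-ish keyword followed by an optional ':'/'=' and a token.
PW_RE = re.compile(r"(?i)\b(?:pw|pwd|passw(?:or)?d)\b\s*[:=]?\s*(\S+)")

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values,
    splits entries on blank lines. Multi-valued attributes become lists."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_credential_leaks(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(dn, token) for every free-text attribute that looks like it carries a password."""
    hits = []
    for e in entries:
        for text in e.get("description", []) + e.get("info", []) + e.get("comment", []):
            m = PW_RE.search(text)
            if m:
                hits.append((e["dn"][0], m.group(1)))
    return hits


def org_sketch(entries: List[Entry]) -> Dict[str, str]:
    """OU descriptions alone: the 'sketch of the company hierarchy' the post describes."""
    return {e["dn"][0]: e["description"][0] for e in entries
            if "organizationalUnit" in e.get("objectClass", []) and "description" in e}


def login_equals_mail_localpart(entries: List[Entry]) -> float:
    """Fraction of mail-enabled users whose mail local part is the login name;
    near 1.0 means one harvested address gives away the whole naming convention."""
    users = [e for e in entries if "user" in e.get("objectClass", []) and "mail" in e]
    if not users:
        return 0.0
    same = sum(1 for e in users
               if e["mail"][0].split("@")[0].lower() == e["sAMAccountName"][0].lower())
    return same / len(users)


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for dn, token in find_credential_leaks(ents):
        print(f"LEAK  {dn}: {token}")
    for dn, desc in org_sketch(ents).items():
        print(f"OU    {dn}: {desc}")
    print(f"login == mail local part: {login_equals_mail_localpart(ents):.0%}")
```

By default every authenticated domain user can read `description` on most objects, and domains carried forward from NT4 with the Pre-Windows 2000 Compatible Access group populated may expose it to anonymous binds as well, which is consistent with the post's "query their AD directly". The defensive use is the same script run by the admin: anything `find_credential_leaks` returns is a credential to rotate and a field to clear.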
Sounds like you found yourself some nice temporary work :-)
Computer Science is no more about computers than astronomy is about telescopes.
-- Edsger Wybe Dijkstra (1930-2002)
ooooh funstuff!!!
"Once, in the wilds of Afghanistan, I had to subsist on food and water for several weeks." W.C. Fields
Sounds like fun.
Heh.

Oh, mind if I pass on your name to our admin for some work?
There are 10 types of people. Those who understand binary, and those who don't.
Sure... If ya wanna... no probs...
I usually like to stay local... that way I can AT least do some foot work ... ;)

I don't take just **ANY** kind of work... especially THIS kind of work... I had to think a couple of days on this one... I made sure I had a "get out of jail - FREE" card if yah know what I mean "in writing"...

I just don't like doing this kind of work 'cause it CAN cause tons of other problems for me... especially about those pesky STATE lines... makes it FBI territory... well we all know the FBI blows things WAY out of proportion...

I just got a wake up call today with the DMCA... I have a College Customer that lost/forgot the Password for an Access Database... Well according to the letter of the law... I cannot crack the Database without permission from the owner of the data writing out a "permission" form and Microsoft giving written permission to bypass it's internal security for Access...

Same would go for any "Office Document"... Ouch... As Microsoft will never---NEVER give that permission... Haha... I am waiting for that quintessential "Violation" being brought to Court and winning because of A single "additional" loophole no-one thought of... Then it having to go to the Supreme Court... to be ruled unconstitutional... or maybe not!

Well it ain't gonna be me...

But, sure thing I'll consider anything... no promises... as I can only take a "joke" like what happened saturday... a couple of times....

and BTW, I still love this industry... hate it too...

greg - Grand-Master Artist in IT,
curley95@attbi.com -- [link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!!!]