{"id":1197,"date":"2014-07-25T19:37:49","date_gmt":"2014-07-25T18:37:49","guid":{"rendered":"http:\/\/www.phillips321.co.uk\/?p=1197"},"modified":"2014-07-25T19:37:49","modified_gmt":"2014-07-25T18:37:49","slug":"things-to-do-before-a-pentest-infrastructure","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2014\/07\/25\/things-to-do-before-a-pentest-infrastructure\/","title":{"rendered":"Things to do before a pentest &#8211; Infrastructure"},"content":{"rendered":"<p>So it grinds my gears that every time I do a pentest I end up reporting the same sh!t. You&#8217;d think before I turn up you&#8217;d at least patch your kit, but nope!<\/p>\n<p>Here&#8217;s a little Top 5 for sysadmins, project managers and security controllers to consider doing before I break their kit. This relates specifically to infrastructure kit; if it&#8217;s a web application that I&#8217;m testing I strongly suggest you read this post as well: <a href=\"http:\/\/www.phillips321.co.uk\/2014\/07\/25\/thing-to-do-before-a-pentest-web-application\/\" title=\"Thing to do before a pentest \u2013 Web Application\" target=\"_blank\">Things to do before a pentest &#8211; web application<\/a>.<\/p>\n<ol>\n<li>Updates! And we\u2019re not just talking about OS updates, we\u2019re also talking about software updates and anti-virus definitions. It\u2019s no good having a fully patched Windows device if you\u2019ve then got Firefox version 10 installed along with an AV definitions database dating back to 2010. Look to install WSUS in your environment to keep the Microsoft devices up to date, and ensure a process is in place to update installed software components such as Apache Tomcat, Mozilla Firefox, Adobe Reader and Oracle Java.\n<\/li>\n<li>Encrypted Services. This covers services like HTTPS, RDP and more. Ensure that your SSL services do not support SSL version 2, do not support weak ciphers (generally anything &lt;128 bits is considered weak) and use a reliable, trusted and valid certificate (signed using a hashing algorithm such as SHA256 by a trusted Certificate Authority). This also means not using insecure, unencrypted services such as Telnet, FTP and rlogin!\n<\/li>\n<li>Account lockdown. There\u2019s no point having up to date systems if an attacker doesn\u2019t need to exploit anything other than weak accounts. Use a password policy! All passwords should use a complex mixture of UPPERCASE, lowercase, numeric and special characters (this includes SNMP community strings) and should be changed frequently. Ensure users do not share accounts, and that each account is appropriately locked down to limit access to nothing more than the account needs (i.e. does a basic user need the ability to write to the root of the C: drive?).\n<\/li>\n<li>Network protection. Great, you\u2019ve gone and installed an all-singing, all-dancing, cutting-edge firewall, but what\u2019s the point if you\u2019re not using it correctly? That IPS you paid out for is being used as an IDS? Pointless! That firewall is simply acting as a routing device? Pointless! That managed switch is simply acting as a dumb switch? Pointless! Ensure that where protection functionality is available it is being used. This means creating firewall rules on a per-service and per-destination basis; don\u2019t group too many rules into one rule, break them down, and never use an ANY:ANY rule! That IPS needs to be configured to correctly understand your valid network traffic and what to do when it sees bad traffic, and make sure it\u2019s INLINE! And that managed switch that you installed, make sure it\u2019s being used properly: disable unused ports, enable port security (sticky MACs etc.) and segregate your traffic into different VLANs!\n<\/li>\n<li>Auditing. Let\u2019s just say you have been hacked: how are you going to identify what happened and what\u2019s been lost? Networking devices offer logging functionality via syslog and\/or SNMP, so this should be enabled, but auditing and event logging should also be performed and remotely mirrored on server devices, such as the event log in Windows and the \/var\/log folder on Unix devices.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>So it grinds my gears that every time I do a pentest I end up reporting the same sh!t. You&#8217;d think before I turn up you&#8217;d at least patch your kit, but nope! Here&#8217;s a little Top 5 for sysadmins, project managers and security controllers to consider doing before I break their kit. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1206,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1197"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=1197"}],"version-history":[{"count":6,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1197\/revisions"}],"predecessor-version":[{"id":1207,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/1197\/revisions\/1207"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media\/1206"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=1197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=1197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=1197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}