A day in a pentester's life
This morning, just after I had gotten to work, I found a frustrated project leader waiting at my desk. I had just left the kids in school for another day in the office, looking forward to breakfast and a warm cup of tea whilst reading RSS-news feeds before my first meeting. Instead this guy, not very well known as the sharpest knife in the drawer, was standing by my desk, demanding that I would sanction openings in the DMZ firewall.
- Why would I open the DMZ firewall? I asked as I saw my breakfast window shrink and most likely disappear on the horizon like Lone Ranger and Tonto. There are a few fairly good reasons why we put a firewall there and closed access to almost anything. And absolutely none from DMZ to the inside network.
- We need it for penetration testing, and we really need the openings ASAP, said the aforementioned project manager.
I suddenly felt very fortunate not chewing on my cream cheese bagel with hot tea an inch from my face. What the hell was the man suggesting? Had he finally burnt his last fuse? What kind of a question was that? Did he really think it was funny? Let's face it, he can't be serious. I know it's Monday morning, and he might still be drunk from Saturday night rumblings out on town. Either way I thought he should have called in sick. No one can have such bad luck when coming up with good ideas. Go home, man! You're not well!
- Ehmmm... let me just see if I got you right. You want me to open the DMZ firewall because you want to do a penetration test? And you want me to open it from DMZ into our corporate network?
I tried really hard to understand. I had some issues of overheating my brain as the cells tried to find new ways of looking at the concept. I still could not get it. I even seriously started questioning my ability to think logically. Was there something I missed in this conversation? Did I just not get it?
- Yes, came the short answer from mister project manager.
- OK, and exactly why would I open? What kind of a penetration test would that be?
- I want them to get to the application, so they really can test it, the project manager continued.
Well, that's all right then! Why would I be a stubborn dick and refuse a thing like that?
- Why don't you just give them an account on the computer and they can test it locally?
The project manager looked at me as if I was totally insane and confidentially asked me:
- What kind of a penetration test would that be? Huh?
You tell me... At this stage I realized my colleague on the other side of the desk had overheard the conversation and I could tell he had a hard time, either not exploding or keeping his laughter very silent inside. His face was red as a beetroot.
- What do you think, I asked my colleague. I can't really say that this sounds sane in any way, maybe you have another opinion?
Once the color of his face got to a more normal one, he asked the project manager:
- Who has approved of the openings?
- CITSO, the project manager answered promptly.
- And I can have it in writing?
- Here you go, he said, and passed on a piece of paper from the CITSO which indeed confirmed what the project manager just said.
Should I admire this guy? He has persuaded the CITSO to sign this paper with exactly which arguments? I need to have these arguments. They have to be useful in any conversation I want to win. Universal arguments which will give anything I want, whenever I want. The Holy Grail of reasoning and argumentation was standing here, in front of my desk, in reach. How could I get this information? Was there a back door into this guy's mind through which I could withdraw that data?
I decided upon being disgusted with the CITSO's decision instead. He had probably been winning on the lottery or his old lady had put out the previous night. I didn't really care which, it was a stupid decision.
The paper looked real, so I said:
- OK. I'll just check a few things. Can you come back in ten?
Obviously I needed to call the CITSO and see where things had gone terribly wrong. The phone call just confirmed what the project manager had asked for. Open up the firewall as demanded, no questions asked. Bite me!
Ten minutes passed and the project manager appeared with a consultant (his badge gave that away).
- This is Victor, the penetration tester.
- Hi, Victor, said both my colleague and I. No point in shooting the doer, just yet. He is probably just doing what he is told by the project manager, and who am I to tell him to bite off the hand that feeds him? So, look happy!
- How's it going? asked the project manager.
- Well, we checked what you needed to be done, and you need to get to server apollo in order to use that as a jumpserver in order to get further into the network, right?
- Yes, the project manager confirmed, we need to get to mars and venus, the servers in scope.
- OK. We really think this is a weird idea, but since we have the exemptions on paper, signed by the right people, we will open up, I said, not feeling very good about it at all, and I could see my colleague sitting and shaking his head in disgust. I could sense his feelings and thoughts, and they were not suitable for print.
While I was typing in the new firewall rules the project leader turned to my colleague stating that he needed admin on the windows boxes too. When I heard that I stopped typing and turned to him:
- What do you need admin for? You've got a hacker there, take care of the problem! What good is he if you can't get admin?
Oops... I didn't mean to shoot him, but I apparently did that without thinking. My colleague saved me, sort of:
- OK. What credentials? I can just as well give you the goods...
He had obviously resigned himself to all this stupidity. And I was ready to give up entirely. Was there an end to this insanity? Will I live long enough to see any more, or have I seen it all now? I just couldn't be bothered with thinking about it so I went to the cafeteria and started flipping through the job ads in the morning papers. Seemed to be plenty of offerings.
After lunch I ran into the penetration tester, Victor. He had been seated in an open cubicle, with his back facing the hallway where maybe a hundred co-workers pass by every hour and all of them could clearly see his computer screen and what was going on. Thankfully most of them wouldn't have a clue of what he was up to, but a few would, and that's far too many in my book, so I took him aside and appointed him to a room which gave him some privacy. I didn't think everyone and their aunts needed to see what this guy was doing.
While moving his gear into the secluded room we started chatting and he was a very likeable character. He had no real education, but had started in his bedroom hacking away on computers that are long forgotten by now, and as many of us gotten into chat groups and irc channels, picking up tips and tricks of the trade. I like that. I don't trust college guys coming out being fully trained security guys. Don't think so.
So we chatted away and I asked what the scope of his intrusion tests was, and he explained that there was this new classified project going into production in a few weeks and the penetration tests were needed to be done before that. I greet these initiatives, of course, but then I asked why he needed the firewall openings and admin on the production servers that had been running for years?
- What do you mean? asked Victor.
- You've been working on the same network segment as the servers that you have admin for, and they are not in a new project, I truthfully answered.
- Oh, crap! he said, equally as truthfully. That means I have full control over the machines and I could have been in there running netstat instead of nmap from the outside? Oh, crap...
- That's exactly what you could have been doing. The new servers, although similar setup, are in a totally different network segment, behind other firewalls, that are not even near the DMZ.
- Oh, great. I'll just give the project manager a call and ask him to ring me when he has sorted things out..., said the pentester as he walked out from the premises.
I was left there with my thoughts. That has probably been a day I will remember for a long time.