Pre-Review: Penetration Tester's Open Source Toolkit
Today I received a copy of the new Syngress book Penetration Tester's Open Source Toolkit by Johnny Long, Chris Hurley, SensePost, Mark Wolfgang, Mike Petruzzi, et al. This book appears unnecessarily massive; it's probably half again as thick as my first book, yet at 704 pages it's nearly 100 pages shorter than Tao. I think Syngress used thicker, "softer" paper, if that makes sense to anyone.
The majority of the book appears to be the standard sort of hacker stuff one finds in books like Hacking Exposed, with some exceptions. The book contains two chapters on Metasploit which look helpful. I do not know yet how well these Metasploit 2.0-based chapters apply to the new Metasploit 3.0, whose alpha stage was announced last week. Similarly, chapters on Nessus may not hold up well for Nessus 3.0, also recently released.
A major selling point of the new book is its integration of the Auditor live CD. I learned that Auditor is going to merge with "competitor" IWHAX to produce BackTrack in early 2006. Consolidation among similar open source projects to pool resources and create better results? Heresy!
Comments
With that said, I see this as a potential security oversight by many sysadmins. On large-scale Windows networks like the ones I work with, I have never seen the BIOS password feature enabled. So what? Well, what is to stop an insider from bringing in a live CD like Whax and booting up their workstation with it? If the network switch has port security turned on, it doesn't matter, because the box will still have the same MAC address. I may not be 100% right on that; if not, let me know. This individual has bypassed the firewall (physically) and is on the inside network. They can perform a full enumeration and footprint of the internal network. My coworker is saying to me right now, "You can install scanning software for Windows, so why would you want to waste time with the live CD?" Not true; I don't have admin rights on my Windows box, so I can't install anything. But with a live CD and boot sequence change rights, I don't need admin rights. I'm root on my box now with my own little hacker suite.
Just something to think about while you're stuffing your mouth with Christmas dinner. Ho Ho Mofos!
I do not personally use live CDs for any security work. I may boot a live CD in a research environment to learn about new tools that may be installed on the live CD. Then I add that tool to my own laptop. I am never comfortable doing work in someone else's environment, whether it's a live CD or on a system provided by a client.
I agree that live CDs have really serious security implications inside companies. Setting a BIOS password and disabling booting from CD-ROM can help, as long as the user can't physically erase the BIOS settings.
A system running a live CD will have the same MAC, unless the live CD decides to change the MAC.
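Since the MAC address survives a live CD boot, port security on its own does not tell the switch anything changed. What does change is everything the guest operating system puts on the wire itself, such as the DHCP hostname and vendor class identifier (option 60). The following is an added example, not code from the original post or its comments: it parses a constructed DHCP server log (the line format is modeled on dnsmasq's log-dhcp output, but every line here is invented), compares each lease against a constructed inventory of expected hostname and vendor class per MAC, and flags workstations whose MAC is known but whose DHCP fingerprint no longer looks like the managed Windows build.

```python
"""Flag managed workstations that booted something other than their Windows image.

Added example; not part of the original post. Assumptions (all constructed):
- INVENTORY maps MAC -> (expected DHCP hostname, expected vendor class).
- SAMPLE_LOG imitates dnsmasq log-dhcp output; the lines are invented here.
A live CD keeps the hardware MAC, so the check keys on attributes the guest
OS controls instead: the client-provided name and the vendor class option.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed inventory: MAC address -> (expected hostname, expected vendor class).
# Windows DHCP clients identify themselves with vendor class "MSFT 5.0".
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:55": ("WS-FIN-017", "MSFT 5.0"),
    "00:11:22:33:44:66": ("WS-FIN-018", "MSFT 5.0"),
}

# Constructed log: the second workstation now asks for a lease as "auditor"
# and sends no vendor class at all, which is typical of a Linux DHCP client.
SAMPLE_LOG = """\
Dec 24 09:01:12 dhcp dnsmasq-dhcp[412]: DHCPREQUEST(eth0) 10.1.5.17 00:11:22:33:44:55
Dec 24 09:01:12 dhcp dnsmasq-dhcp[412]: vendor class: MSFT 5.0
Dec 24 09:01:12 dhcp dnsmasq-dhcp[412]: client provides name: WS-FIN-017
Dec 24 11:42:03 dhcp dnsmasq-dhcp[412]: DHCPREQUEST(eth0) 10.1.5.18 00:11:22:33:44:66
Dec 24 11:42:03 dhcp dnsmasq-dhcp[412]: client provides name: auditor
"""

# A DISCOVER line carries only the MAC; a REQUEST line carries IP then MAC.
REQ_RE = re.compile(r"DHCP(?:REQUEST|DISCOVER)\(\S+\) (?:\S+ )?([0-9A-Fa-f:]{17})")
VENDOR_RE = re.compile(r"vendor class: (.+)$")
NAME_RE = re.compile(r"client provides name: (\S+)$")


@dataclass
class Lease:
    mac: str
    hostname: Optional[str] = None
    vendor: Optional[str] = None


def parse_dhcp_log(text: str) -> List[Lease]:
    """Group each DHCP transaction with the option lines that follow it."""
    leases: List[Lease] = []
    current: Optional[Lease] = None
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            current = Lease(mac=m.group(1).lower())
            leases.append(current)
            continue
        if current is None:
            continue  # option line with no preceding transaction; ignore
        m = VENDOR_RE.search(line)
        if m:
            current.vendor = m.group(1).strip()
            continue
        m = NAME_RE.search(line)
        if m:
            current.hostname = m.group(1)
    return leases


def find_foreign_boots(
    leases: List[Lease], inventory: Dict[str, Tuple[str, str]]
) -> List[Tuple[str, str]]:
    """Return (mac, reason) for each lease that does not match its inventory record.

    A missing vendor class is treated as a mismatch on purpose: the managed
    image always sends one, and a live CD usually does not.
    """
    findings: List[Tuple[str, str]] = []
    for lease in leases:
        expected = inventory.get(lease.mac)
        if expected is None:
            findings.append((lease.mac, "MAC not in inventory"))
            continue
        exp_name, exp_vendor = expected
        reasons = []
        if lease.hostname != exp_name:
            reasons.append(f"hostname {lease.hostname!r} != {exp_name!r}")
        if lease.vendor != exp_vendor:
            reasons.append(f"vendor class {lease.vendor!r} != {exp_vendor!r}")
        if reasons:
            findings.append((lease.mac, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for mac, reason in find_foreign_boots(parse_dhcp_log(SAMPLE_LOG), INVENTORY):
        print(f"{mac}: {reason}")
```

Run against the constructed log it reports only the second workstation, whose MAC is known but whose hostname and vendor class no longer match. Nothing here stops the boot; the BIOS password and boot-order lock discussed above do that. This just gives the network side a signal that MAC-based port security cannot.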
On a side note, if I were an evil meanie beanie and I managed to get into your network, I wouldn't bother with WHAX. I would just install rootkits on the VP's and his secretaries' machines and perhaps try to steal as many of your backup tapes as I can get my hands on.
;-0