Out of sheer curiosity, I would like to test the accessibility of my Linux server at work. It's a SLES10 box with OES2 installed - I built the server but just as a mirror of another one here so I'm not sure what it's running in terms of services. I know it is definitely running VNC and possibly SSH.
I'd just like to treat this as if I were coming in completely from the outside and knew nothing about the network. I can obviously answer questions about the setup but would like to be able to discover anything that I already know and use none of my insider knowledge unless I am able to discover it with various tools. If I can't get in, obviously that's a good thing, but I know I personally haven't done much hardening on this box so there must be a hole somewhere...
Where would you start? (I know this is a general question, I'm just looking for a brainstorming session as to how you guys would start if you knew nothing but say, the name of the company, maybe the website, and that there was a server somewhere on the network that you wanted access to). For this exercise I am just going to assume that I only want to attack this one server, and once I get the process down I might use a similar process for other servers on the network.
Any ideas to throw around?
Disclaimer: Of course I am not asking you to "teach me how to hack" - if it's coming off that way please feel free to redirect the question to something more specific that might help me to accomplish the goal, which is to discover vulnerabilities on this and other servers on my network. Let's keep this open-ended...
Looks as though you are after Penetration (Pen) Testing advice. Pen Testing is perfectly legitimate and used by many companies. You need to know what it is you want to test and to what levels. I'm no expert, so when one gets here they can give you more info on the subject.
Start with Nmap, and examine the server. Nessus and SARA scans are useful too. Those should expose vulnerable points, and are often used by auditing teams to examine servers. Once you've identified the weak spots, you can address them.
The best rule is "If you don't use it...turn it OFF!". If you need it, see if you can put it at a non-standard port. Sometimes, I'll run SSH on port 80 (if I'm not using a web server, mind you), so a scan would identify port 80 as open. Obviously, any http attacks fail miserably...because port 80 isn't http. Turn off weak services, like telnet, FTP, rsh/rexec, etc. If your boss wants them on, get it IN WRITING. Deny remote desktop (VNC) services, allow root logins ONLY at the console, and use IP and host based ACLs to limit who can log in from where, over the network.
Lots of articles on box hardening....first step is identifying the weak spots.
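A defender-side check of the "if you don't use it, turn it OFF" and "limit who can log in from where" advice above, added here as an example and not part of the original post: a POSIX sh script that reads `ss -tln` / `netstat -tln` style listener lines, flags the legacy services named in the post (telnet, FTP, rsh/rexec/rlogin, VNC), and reports whether each is bound to the network or only to loopback. The listener lines are constructed sample data, not captured from a real server.

```shell
#!/bin/sh
# Added example: audit listening TCP ports for services that should be
# turned off or restricted. Input lines follow the `ss -tln` layout:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# SAMPLE_LISTENERS is constructed sample data (not from a real host).
SAMPLE_LISTENERS='
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5   0.0.0.0:23 0.0.0.0:*
LISTEN 0 5   0.0.0.0:21 0.0.0.0:*
LISTEN 0 5   127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 :::80 :::*
'

# Map a port number to one of the weak/legacy services named in the post.
# Prints the service name, or nothing if the port is not on the list.
weak_service() {
    case "$1" in
        21) echo ftp ;;
        23) echo telnet ;;
        512) echo rexec ;;
        513) echo rlogin ;;
        514) echo rsh ;;
        59[0-9][0-9]) echo vnc ;;   # VNC displays :0-:99 -> 5900-5999
    esac
}

# Classify a local address as "loopback" (only reachable from the host
# itself, e.g. via an SSH tunnel) or "network" (reachable over the LAN).
exposure() {
    case "$1" in
        127.*|::1:*|\[::1\]:*) echo loopback ;;
        *) echo network ;;
    esac
}

# Read listener lines on stdin; print "port service exposure" for each
# listener running a weak service. Header and blank lines are skipped.
flag_weak_listeners() {
    while read -r state recvq sendq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}            # strip everything up to the last colon
        svc=$(weak_service "$port")
        if [ -n "$svc" ]; then
            echo "$port $svc $(exposure "$laddr")"
        fi
    done
}

# Live usage:            ss -tln | flag_weak_listeners
# Constructed sample:    printf '%s\n' "$SAMPLE_LISTENERS" | flag_weak_listeners
```

A VNC listener reported as "loopback" is the tunneled-only setup; one reported as "network" is the remote desktop exposure the post says to deny.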
Please ensure that you have some cover for what you are doing, in the way of an acknowledgement from someone in management that this is a legitimate exercise. Otherwise, if things go wrong, they may go badly, badly wrong, and you wouldn't want that.
Excellent point. That is a given though - I can easily get that.
Thanks for the link on pentesting. Yes that is exactly what I'm looking for. This was more of a "which step of the pentesting process would you start at, assuming you just wanted to compromise this one server and you already knew it existed" type question. Maybe I worded it wrong.
I will start with nmap - can I run that directly against the server? Obviously a hardware firewall will get in the way - and we are using NAT so how should I get around the NAT to actually target the server I want to compromise? I guess what I'm saying is this: if I wanted to target the firewall I know the external IP. I don't know the external IP of this particular server (or if it even has one), because it's not supposed to be exposed to the internet. Being that it's behind my firewall, do I need to launch some kind of attack against that? Maybe I'm completely mixed up, haha. It just seems to me that putting a server behind a firewall is a standard move and shouldn't be enough to thwart me from getting at it.
Thanks for your help! This is exactly what I'm looking for!!
First step is identifying what you have to work with. Once you know the open ports/services, you can then try to penetrate them.
Well, you're getting into muddy waters there. Unless the firewalls are under your control, do NOT run any sort of attack on them. Other folks will get all sorts of alerts, etc. Give those folks a heads up before you try anything against your box. And what you're doing is what someone ELSE would do...you have to try to penetrate that box, behind the firewall. So, if you can't get through...they'll have a similar hard time as well. See previous post about running services on non-standard ports, but every open port in the firewall is one more place someone can poke at that server.
And remember, there are two sides to this. The external (internet facing), and internal (corporate LAN/DMZ). The ports facing that box on the DMZ side may be totally different than the external ones, so you'll have to scan both. A lot of attacks are run by employees, or by folks who 'social-hack' the building, and get in. Someone can hide a laptop in a wiring closet with a note on it, and let that scrape addresses, capture packets, etc., for a good while, and it'll either go unnoticed, or someone will assume some sort of maintenance is being done, and leave it be. Unless you test both sides, you're missing things.
It does also matter what the aim is. Are you looking to prevent external attacks, check that everything is logging and alerting correctly, check that files are safe from malicious users inside the network and so on. You have to have a plan.
House analogy: in your pen test you state that you are checking the door locks. The door locks pass. Your house is broken into because you have no windows.
You absolutely need to have a plan and an aim.
Well said, XavierP. Sounds like you've been through this as many times as I have.
My first starting point is usually the auditing group. While they can be a pain to deal with, they usually have a 'stock' set of things they check on each server, from a security standpoint. Check those first. After that, apply what the server DOES to what you check. For example, they may check the standard ports...but this server runs Tomcat on a different port, and also has an Oracle listener. Those need to be checked as well.
The ONLY way to be 100% safe is to unplug the server, power and network, and keep it locked in a vault. Aside from that, all you can do is minimize the risk. It's very much a pain in the backside, but there are two things to remember about it: You're getting paid to do it, and if the server is compromised, it's YOU that's going to have to explain why.
If you do everything you can to minimize the risk (and DOCUMENT it), and the server is broken into, you're in the clear.
Thanks again for all the help guys. For the record, I own control of the network. I have access to all the servers, all the firewalls, etc. Of course I have a boss, but as long as I tell him what I'm doing he will have no problem. It sounds like I need to start with an nmap scan against the firewall, since that is the first line of defense. Of course I could check social engineering weaknesses as well but my concern right now is just this one particular server. And actually, it's not even really a concern. It's more of a curiosity and I just decided to use this server as an example.
The only thing that is really a concern for me is causing problems during working hours, so I'll probably do most of my experiments at night.