Pivot Mercilessly!

I just returned from a great trip to SANS 2010, in Orlando, where I was taking SEC 560 – Penetration Testing.  Our instructor, Ed Skoudis (an amazing guy, by the way), repeatedly hammered into our brains the mantra “Pivot Mercilessly!”

This concept is something that a penetration tester or vulnerability assessor needs to always keep in mind – look for the easy toehold into a system, and then see where you can go from there.  “Pivot” throughout the environment using the weak link as a starting point.

I was performing an assessment recently on a Solaris system that demonstrated this concept very effectively.  One of the boxes was vulnerable to a relatively old telnet vulnerability, which we exploited with pleasure – granting us root access to the machine.  From there, we examined the trust relationships inside the network and noticed that this box had “r-service” trust relationships set up with many other machines in the network.  So, we used rsh to connect to numerous other boxes, all with root-level access, and from those boxes to others… quickly we had the entire environment PWNED.
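The r-service trust that made this pivot possible lives in plain text files (`/etc/hosts.equiv` and each user’s `~/.rhosts`), so a defender can audit it directly. The script below is an added example written for this post, not code from the assessment or from any Solaris tool; the sample `.rhosts` content and the severity labels are my own constructions.

```python
"""Audit r-service trust files (/etc/hosts.equiv and ~/.rhosts).

Line format is "<host> [<user>]": "+" means "any", a leading "-" denies,
and "+@name" / "-@name" refer to NIS netgroups.  "#" starts a comment.
A wildcard, or a long list of trusted hosts, is exactly the kind of link
a pentester pivots through once one box is compromised.
"""

def parse_trust_file(text):
    """Return (host, user) tuples, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def audit_trust(text, path):
    """Return (severity, message) findings for one trust file.

    hosts.equiv never grants root; root's own .rhosts does, so entries
    there are rated higher than the same entries in a normal user's file.
    """
    root_rhosts = path in ("/.rhosts", "/root/.rhosts")
    findings = []
    for host, user in parse_trust_file(text):
        who = user or "<same username>"
        if host.startswith("-"):
            continue  # explicit deny entries grant nothing
        if host == "+" and user == "+":
            findings.append(("critical", "any user on any host is trusted"))
        elif host == "+":
            findings.append(("critical", f"any host is trusted as {who}"))
        elif user == "+":
            findings.append(("critical", f"any user on {host} is trusted"))
        elif host.startswith("+@"):
            findings.append(("warn", f"netgroup {host[2:]} trusted; review membership"))
        elif root_rhosts:
            findings.append(("high", f"passwordless root login from {host}"))
        else:
            findings.append(("info", f"passwordless login from {host} as {who}"))
    return findings


def summarize(text, path):
    """Count findings by severity; any 'critical' means wide-open trust."""
    counts = {}
    for sev, _ in audit_trust(text, path):
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample of what a trusting host's /root/.rhosts might contain.
SAMPLE_ROOT_RHOSTS = "# trusted admin hosts\nsolaris-app01 root\nsolaris-db02\n+@nisadmins\n+ +\n"

if __name__ == "__main__":
    for sev, msg in audit_trust(SAMPLE_ROOT_RHOSTS, "/root/.rhosts"):
        print(f"[{sev}] {msg}")
```

Run it against every host’s `/etc/hosts.equiv`, `/.rhosts` and `/root/.rhosts`; each “high” line is a box that the compromised host in the story could have reached as root without a password.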

All of this was made possible by a single box with one weak spot.  This is likely the case with most systems out there – maybe you’ll have one or two boxes vulnerable to exploits, especially in a well-managed corporate network.  From there, it’s up to you to pivot your way through the rest of the system!
