Here is what we're working on and
thinking at Hedgehog security.

Every year most businesses go through some form of penetration test, and typically within a few minutes of being on site I can make a reasonably good prediction of what I will find. So I thought, why not write a quick post on the Top 5 Ways to Annoy a Pentester? It should be useful to all those sysadmins and IT managers.

No1. Long passwords

You can guarantee that if I am on the network I am going to sniff out some passwords from somewhere. Of course, they are almost always in the form of a hash and very rarely in clear text, so I need to crack the hash. Easy enough: I just run the hash through my GPU-based password cracking rig. But if your password is based on three or more random words and is more than 12 characters long, then you are really going to put a dent in my day.
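To put numbers on why long random-word passwords cost a cracking rig so much more time, here is an added worked estimate (not code from the original post). It compares the search space an attacker faces under two models, a mask attack that only knows length and character set, and a combinator attack that knows the word list, and converts it to worst-case time at assumed guess rates; the rates, the 20,000-word dictionary size and the example lengths are constructed assumptions, and the real margin depends heavily on word count, dictionary size and hash type.

```python
import math

# Constructed assumptions, not figures from the post: a guess rate for a
# fast unsalted hash on a GPU rig, and a slow iterated hash for comparison.
FAST_HASH_RATE = 1e11   # guesses per second, assumed
SLOW_HASH_RATE = 1e5    # guesses per second, assumed


def mask_bits(length: int, charset_size: int) -> float:
    """Search space (bits) for an attacker who only knows length and charset."""
    return length * math.log2(charset_size)


def combinator_bits(words: int, dictionary_size: int) -> float:
    """Search space (bits) for an attacker who knows the word list and word count."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return 2.0 ** bits / rate


def compare_policies(rate: float) -> dict:
    """Worst-case cracking time in seconds for the password styles discussed above."""
    cases = {
        # 8 fully random printable ASCII characters: the best case for a short password
        "8 random printable chars": mask_bits(8, 95),
        # 3 words from an assumed 20,000-word list; attacker knows the list
        "3 words (known 20k list)": combinator_bits(3, 20_000),
        # the same passphrase when the attacker only knows it is ~14 lowercase letters
        "14 lowercase chars (mask)": mask_bits(14, 26),
        # 4 words from the same list
        "4 words (known 20k list)": combinator_bits(4, 20_000),
    }
    return {name: seconds_to_exhaust(bits, rate) for name, bits in cases.items()}


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for label, rate in (("fast hash", FAST_HASH_RATE), ("slow hash", SLOW_HASH_RATE)):
        print(f"-- {label} at {rate:.0e} guesses/s")
        for name, secs in compare_policies(rate).items():
            print(f"{name:28s} {human(secs)}")
```

The output makes the point that the word count and the hash algorithm matter as much as the character count: three words from a known list fall quickly to a fast hash, while a fourth word or a slow hash pushes the worst case out by orders of magnitude.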

No2. All the things are patched

So it is January 2017, and I am on an engagement and find 3 machines with the NetAPI patch MS08-067 not applied. It does make me smile, and it makes my job much easier. But does it need to be this way? Of course not. Just patch the systems, and don't forget about the applications too. Bring them all up to date.

No3. Uninstall old applications

You patched all the systems, yet you left an old version of Java or Flash on a system. Poof, I am inside the system. Out-of-date applications are one of the most common ways of getting into a system. If you don't need an application, or you have updated it and the old version is left behind (I am looking at you, Java), then uninstall or remove it.

No4. AV turned off

Back in 2014 this issue started to become less common, but it is back. Modern AV does a really good job of keeping the naughty stuff from running and causing IT a headache. So why, when I am running as an ordinary user, should I be allowed to turn it off? Stop that right now. Do not let me disable your AV and then escalate my privileges to take over your system. Make me work for it.

No5. Developers

My favourite: developers. Developers need to run weird configurations and databases with no password for SA or ROOT. No, wait a moment, they do not! Make sure all your developers are securing their development environments, or I will be pushing that open door and making myself at home.