Opening the Treasure Chest - Attacking Network Attached Storage on a Pen Test


Presented at BSideSRhodeIsland 2013 by

Cheap, highly available network attached storage is becoming more prevalent on networks today, especially with the increased use of virtualization and of more energy-efficient servers that do not rely on directly attached storage. However, these appliances are often designed with availability and ease of access first and security second, and many of their security features are not enabled by default. That makes storage targets especially juicy during an assessment, because the real network “treasures”, such as company data, virtual disk images, and other valuable targets, can often be obtained through storage compromise. Many storage devices also leak vast amounts of sensitive information about the internal network through management protocols, giving an attacker or tester a way to quickly enumerate other targets and profile the network without making a lot of noise. This talk will focus on how to identify storage devices on the network and build a testing methodology for them.