Penetration Testing mailing list archives
Re: [PEN-TEST] Hypothetical Wargaming
From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Tue, 10 Oct 2000 10:32:15 -0700
From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
> I won't specifically command-line script this, and there's no really good way to judge what my initial response to each machine will be. It depends on what services are running, and that can vary from machine to machine. Right now, the heavy-hitters are IIS, and NetBIOS over TCP (NBT).
I agree. The path I take to the pot of gold changes with the forest that I am exploring (note the clever Win2K reference!). But, as far as Mr. Carvey's original post goes, I don't think he was asking for a general "how do you do it" (because he knows what he is doing), but more of a specific "how do YOU do it" from others. We all check for 139, blank SAs on SQL, old/bad IIS installs, dirty ASP form input, SQL insertion, etc. as if we were PenBots, but I am thinking that a good question would be "What really cool method have you discovered that worked in a given scenario that was new and different, and are you willing to share it with us?" I also agree with Noah in that the more up-front information you glean from an organization, the better your tactical foundation.

So now, on to the original question... IMHO, NetBIOS, SQL, and IIS are indeed the most prevalent entry points for us, but I have also seen an alarming number of internal software product exploits go without being patched. It seems that if the admins block NetBIOS, then they do not concern themselves with the proliferation of Office-oriented exploits, because they think they are safe. And they may be, as far as external attacks are concerned, but they are still vulnerable to internal escalation-of-privilege attacks (which are FAR more common!).

Example... Mr. Carvey mentions Exchange. I had the privilege of working with a client who was supposed to be (and really was) very tight from the outside. They only had 25 and 53 open... no web, nothing, just mail and DNS (as far as I could tell anyway). The mail headers from the company showed they were using Exchange (that, plus the fact that the Exchange admin guy was VERY proud of how good he was). It also showed they were using Trend Micro's ScanMail package. So was I. On a whim, we sent the guy a blank Access .ade file, and got a response that the file type was blocked. So, I guess the guy was good after all.
However, we knew that ScanMail's package dumped the blocked file types into the quarantine directory as the original file (dumb if you ask me, but you didn't). The Exchange computer's name was part of its DNS, so we took another chance and sent a follow-up HTML message to him with an <object> tag referencing the .ade file in the default directory that ScanMail dumps this stuff into, via its NetBIOS name (\\servername\c$\program files\Trend\SMEX\Alert\GotCha.ade or whatever it was), and nailed his butt immediately. He called me on the phone, said some things about my mother, and asked me how we did it... I liked that one, but am not sure how often I will be able to use it again. This is the kind of stuff I would like to know from the group: cool war stories of good pens where you had to cook the noodle a bit before you popped the weasel.

---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com
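The defensive lesson in the story above is that a quarantined file is only neutralised if nothing can reach it, and that HTML mail can make a client fetch a resource from an internal share the moment the message renders. One gateway-side check that follows from this is to inspect inbound HTML bodies for resource references (object, embed, iframe, img, and similar) that point at UNC paths or file: URLs, and hold those messages for review. The following is an added example for this archive, not code from the original post, from Trend Micro or from any mail product; the tag/attribute list, the host name EXAMPLE-EXCH and the sample messages are constructed for illustration.

```python
"""Flag HTML e-mail bodies whose auto-loaded resources reference UNC paths
or file: URLs (for example a quarantine directory on an internal server).

Added illustrative code; the attribute list and samples are assumptions."""
import re
from html.parser import HTMLParser

# Tags and attributes a mail client will typically fetch without user action
# while rendering HTML (assumption: a conservative starting list).
RESOURCE_ATTRS = {
    "object": ("data", "codebase"),
    "embed": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "param": ("value",),   # <param name="src" value="..."> inside <object>
}

# \\server\share\... style UNC path. The //server/share form is left out on
# purpose so protocol-relative web URLs are not flagged; file: covers it.
UNC_RE = re.compile(r"^\\\\[^\\/]+[\\/]")
FILE_URL_RE = re.compile(r"^file:", re.IGNORECASE)


class ResourceRefParser(HTMLParser):
    """Collect (tag, attribute, value) for every auto-loaded resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if value and name.lower() in wanted:
                self.refs.append((tag.lower(), name.lower(), value.strip()))


def is_local_path_ref(value):
    """True if the reference would be resolved against a file share."""
    v = value.strip()
    return bool(FILE_URL_RE.match(v) or UNC_RE.match(v))


def find_local_resource_refs(html):
    """Return every resource reference in the body that points at a share."""
    parser = ResourceRefParser()
    parser.feed(html)
    parser.close()
    return [ref for ref in parser.refs if is_local_path_ref(ref[2])]


def classify_message(html):
    """Gateway decision: ('quarantine', offending refs) or ('deliver', [])."""
    refs = find_local_resource_refs(html)
    return ("quarantine" if refs else "deliver"), refs


# Constructed sample bodies (EXAMPLE-EXCH is a placeholder host name).
SAMPLE_FLAGGED = (
    '<html><body>Hi!<object data="\\\\EXAMPLE-EXCH\\c$\\quarantine\\blocked.ade">'
    '</object></body></html>'
)
SAMPLE_FILE_URL = '<html><body><img src="file://EXAMPLE-EXCH/c$/quarantine/x.ade"></body></html>'
SAMPLE_BENIGN = (
    '<html><body><img src="https://example.com/logo.png">'
    '<img src="cid:inline-part-1"></body></html>'
)

if __name__ == "__main__":
    for label, body in (("flagged", SAMPLE_FLAGGED),
                        ("file-url", SAMPLE_FILE_URL),
                        ("benign", SAMPLE_BENIGN)):
        verdict, refs = classify_message(body)
        print(f"{label}: {verdict} {refs}")
```

The check is deliberately narrow: it only looks at attributes the client loads on its own, so a plain UNC path in the message text is not flagged, and it decodes HTML entities through the parser so an obfuscated `&#92;&#92;` still resolves to a backslash before the pattern is applied. Pair it with the more basic fix from the story itself: quarantine storage that is not reachable over an administrative share.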
Current thread:
- [PEN-TEST] Hypothetical Wargaming H Carvey (Oct 07)
- Re: [PEN-TEST] Hypothetical Wargaming Mark Teicher (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming Etaoin Shrdlu (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming Bennett Todd (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming van der Kooij, Hugo (Oct 12)
- <Possible follow-ups>
- Re: [PEN-TEST] Hypothetical Wargaming Dunker, Noah (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming Deus, Attonbitus (Oct 10)
- Re: [PEN-TEST] Hypothetical Wargaming Danny DS Stieler (Oct 09)
- Re: [PEN-TEST] Hypothetical Wargaming H Carvey (Oct 11)
- Re: [PEN-TEST] Hypothetical Wargaming Deus, Attonbitus (Oct 11)