Penetration Testing mailing list archives

Re: [PEN-TEST] Hypothetical Wargaming


From: "Deus, Attonbitus" <Thor () HAMMEROFGOD COM>
Date: Tue, 10 Oct 2000 10:32:15 -0700

From: "Dunker, Noah" <NDunker () FISHNETSECURITY COM>
I won't specifically command-line script this, and there's
no really good way to judge what my initial response to each
machine will be.  It depends on what services are running,
and that can vary from machine to machine.  Right now, the
heavy-hitters are IIS, and NetBIOS over TCP (NBT).


I agree.  The path I take to the pot of gold changes with the forest that I
am exploring (Note the clever Win2K reference!).  But, insofar as Mr.
Carvey's original post, I don't think he was asking for a general "how do
you do it" (because he knows what he is doing), but more of a specific "how
do YOU do it" from others.

We all check for 139, blank SA's on SQL, old/bad IIS installs, dirty ASP
form input, SQL insertion, etc as if we were PenBots, but I am thinking that
a good question would be "What really cool method have you discovered that
worked in a given scenario that was new and different, and are you willing
to share it with us?"

I also agree with Noah in that the more up front information you glean from
an organization, the better your tactical foundation. So now, on to the
original question...

IMHO, NetBios, SQL, and IIS are indeed the most prevalent entry points for
us, but I have also seen an alarming number of internal software product
exploits go without being patched.  It seems that if the admins block
NetBios, then they do not concern themselves with the proliferation of
Office-oriented exploits, because they think they are safe.  And, they may
be as far as external attacks are concerned, but they are still vulnerable
for internal escalation of privilege attacks (which are FAR more common!).

Example... Mr. Carvey mentions Exchange- I had the privilege of working with
a client who was supposed to be (and really was) very tight from the
outside.  They only had 25 and 53 open.. No web, nothing - just mail and DNS
(as far as I could tell anyway).  The mail headers from the company showed
they were using Exchange (that plus the fact that the Exchange admin guy was
VERY proud of how good he was).  It also showed they were using Trend
Micro's ScanMail package.  So was I. On a whim, we sent the guy a blank
Access .ade file, and got a response that the file type was blocked.  So, I
guess the guy was good after all.  However, we knew that ScanMail's package
dumped the blocked file types into the quarantine directory as the original
file (dumb if you asked me-but you didn't).

The exchange computer's name was part of its DNS, so we took another chance
and sent a follow up HTML message to him with an <object> tag referencing
the .ade file in the default directory that scanmail dumps this stuff via
its Netbios name (\\servername\c$\program files\Trend\SMEX\Alert\GotCha.ade
or whatever it was), and nailed his butt immediately. He called me on the
phone, said some things about my mother, and asked me how we did it...

I liked that one, but am not sure how often I will be able to use it again.
This is the kind of stuff I would like to know from the group- cool war
stories of good pens where you had to cook the noodle a bit before you
popped the weasel.

---------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com
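A gateway-side check for the trick in the war story above (an HTML mail body pulling a quarantined file back out of a share by its UNC path), written as an added example that is not part of the original post or of any vendor product: it walks the HTML and flags any tag whose resource attribute points at a UNC path or file: URL instead of a web URL. The server name, share path and sample message are constructed.

```python
import re
from html.parser import HTMLParser

# Tags and the attributes through which a rendered mail body can fetch a resource.
REFERENCING_ATTRS = {
    "object": ("data", "codebase"),
    "embed": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "script": ("src",),
    "a": ("href",),
}

# A UNC path (\\server\share\...) or a file: URL reaches a LAN or local file,
# which a mail body from outside has no legitimate reason to do.
LOCAL_RESOURCE = re.compile(r"^\s*(\\\\[^\\]+\\|file:)", re.IGNORECASE)


class MailBodyScanner(HTMLParser):
    """Collect (tag, attribute, value) for every reference to a UNC or file: resource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        watched = REFERENCING_ATTRS.get(tag.lower(), ())
        for name, value in attrs:
            if name.lower() in watched and value and LOCAL_RESOURCE.match(value):
                self.findings.append((tag.lower(), name.lower(), value))


def find_local_references(html_body):
    """Return the list of suspicious references found in an HTML mail body."""
    scanner = MailBodyScanner()
    scanner.feed(html_body)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign remote image plus an <object> reaching into a
# hypothetical quarantine share, mirroring the path pattern from the post.
SAMPLE_BODY = (
    '<html><body><p>Quarterly numbers attached.</p>'
    '<img src="https://example.com/logo.png">'
    '<object data="\\\\mailsrv01\\c$\\Program Files\\Trend\\SMEX\\Alert\\report.ade"></object>'
    '</body></html>'
)

if __name__ == "__main__":
    for tag, attr, value in find_local_references(SAMPLE_BODY):
        print(f"BLOCK: <{tag} {attr}> references local resource {value}")
```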

