Penetration Testing mailing list archives

pen testing & obfuscated shell code


From: "Don Parker" <dparker () rigelksecurity com>
Date: Fri, 30 Jan 2004 08:44:53 -0500 (EST)

Hello group, I have a question to ask, which is about using obfuscated shell code during a
pen test. Do any of you actually use home-cooked obfuscated shell code during a pen test?
By that I mean, do you replace the known sled of x90 with another 1-byte instruction that
won't affect the egg?

Outside of some .gov and .mil clients, do you even bother offering this level of
granularity to your clients? It is not every client out there, governmental or otherwise,
that has application-level firewalls working in tandem with an IDS, and even more
importantly an analyst who will recognize a possible overflow.

With the development of such tools as ADMutate, among others, this is becoming of genuine
concern. I would be most interested in hearing your opinions and/or insights.

Cheers!

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------
