Penetration Testing mailing list archives

Re: dumping hashes on box w/ Norton AV


From: Bill Stout <billbrietstout () yahoo com>
Date: Thu, 10 May 2007 22:49:12 -0700 (PDT)

I found it to be surprisingly easier than I thought it should be. 

For a specific program (like fgdump), each AV vendor has their own secret way to detect the program by inspecting its 
bits, or in some cases, behavior. If you compiled your own version of fgdump, most likely it would not flag AV. 

Once the AV community realizes your exe or script is 'malware', then it'll get flagged after the user updates their 
signatures. I know from experience by writing the first few versions of a security test 
(http://www.wilderssecurity.com/showthread.php?t=150840) with Dror Shalev. A few exploits got by AV, then once the AV 
community (esp. competing vendors) heard about it, they'd make their defense know about the exploit. 

I found a few simple things are not protected on some PCs: .hta (hypertext application) files are allowed to run now, 
obfuscating scripts will bypass AV, there's a DOS command line buffer overflow which triggers DEP (c:\> %comspec% /k "dir \\?\AbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyz"), 
etc. 

The exercise made me realize that if someone wanted to get into a specific protected PC, it wouldn't be that difficult. 
However, if someone wanted to get into every protected PC, then the AV community makes it really difficult. 

Bill Stout 
(Not working anywhere at the moment) 

----- Original Message ---- 
From: Neil <neil () horizontheory com> 
To: pen-test () securityfocus com 
Sent: Thursday, May 10, 2007 3:03:57 PM 
Subject: dumping hashes on box w/ Norton AV 
When I tried to run fgdump against a DC with Norton AV Enterprise 
running on it, Norton AV was able to block & flag it. At the time, it 
wasn't a big deal (well, it was a good thing, since that meant the 
server was that much more secure); but now I'm a bit interested in what 
methods could be used to get around these sorts of mechanisms. 

How do you slip your tools past the AV when it flags and deletes them on 
the spot? 

-- 
Neil. 


------------------------------------------------------------------------ 
This List Sponsored by: Cenzic 

Are you using SPI, Watchfire or WhiteHat? 
Consider getting clear vision with Cenzic 
See HOW Now with our 20/20 program! 

http://www.cenzic.com/c/2020 
------------------------------------------------------------------------