Dailydave mailing list archives
more biology
From: Dave Aitel <dave () immunitysec com>
Date: Wed, 06 Jul 2005 20:55:24 -0400
Here's another version of the anatomy of a hack article: http://www.informit.com/articles/article.asp?p=397660&seqNum=1

This is my fav paragraph which is not in the other article (I dunno what real attackers Jesper J. and Steve R. have been talking to about 0days, or why they think 0days are less reliable than other attacks):

"""
This last point leads us to one of the important things to realize about unpatched vulnerabilities. Generally speaking, in penetration tests we prefer not to use methods that depend on unpatched vulnerabilities to break into systems. Proving that they are there is interesting, but because vulnerabilities are almost always unintended functionality, using them runs the risk of destabilizing the host and, consequently, the network. If you are doing a penetration test, bringing the network down in the process is highly unlikely to be met with a lot of cheers, and could cut the exercise a lot shorter than it should be. For a real attacker, using unpatched vulnerabilities as an entrance to the network is also a last resort. In general, it is rather noticeable when a server crashes. If the attacker can get in without using potentially destabilizing techniques, he will surely choose to do so. However, if using unpatched vulnerabilities is the only way in, the attacker will absolutely use them.
"""

Also note the use of netsh to do port forwarding instead of a custom tool. Netsh is pretty neat in general.

One thing the article doesn't go into is what to do when the target performs the following evasive actions:

1. Claims the hacked boxes were a honeypot.
2. Watches the penetration test with a sniffer and fixes things as they are being exploited.
3. Pulls the ethernet cable for "unscheduled downtime" if they notice a hack successfully happening.
4. Says thank you, and ignores the report anyways until next year.

I'm sure y'all can add tons to this list.
:> -dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
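The post points out that the article's attacker uses the built-in netsh port forwarding (portproxy) rather than dropping a custom tool, which is exactly why a defender should audit those rules on their own hosts. The following is an added example, not code from the post or from the InformIT article: a small parser for the text that `netsh interface portproxy show all` prints, plus a check that flags rules missing from an explicit allowlist or listening on all interfaces. The sample output, the allowlist, and the helper names (`parse_portproxy`, `find_unexpected`) are constructed for this example; the column layout assumed here is the one netsh prints for its portproxy tables.

```python
"""Audit netsh portproxy rules collected from Windows hosts (added example).

A defender collects the output of `netsh interface portproxy show all`
from each host (for instance via a scheduled job) and feeds the text to
this module, which lists every forwarding rule and flags the ones that
are not expected.
"""
import re
from dataclasses import dataclass

# Constructed sample output in the table format netsh uses for portproxy
# rules.  The first rule forwards any interface on port 4444 to RDP on
# another host; the second is a harmless loopback redirect.
SAMPLE_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               4444        10.0.0.5        3389
127.0.0.1       8080        127.0.0.1       80
"""

# Header that introduces each table, e.g. "Listen on ipv4:  Connect to ipv6:"
SECTION_RE = re.compile(r"^Listen on (ipv[46]):\s+Connect to (ipv[46]):\s*$")
# One rule row: listen address, listen port, connect address, connect port.
# Column headers ("Address  Port ...") and dashed separators do not match
# because their second field is not numeric.
RULE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class PortProxyRule:
    kind: str          # "ipv4->ipv4", "ipv4->ipv6", ...
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

    def key(self):
        """Tuple form used for allowlist comparison."""
        return (self.listen_addr, self.listen_port,
                self.connect_addr, self.connect_port)


def parse_portproxy(text):
    """Parse netsh portproxy 'show all' output into PortProxyRule objects."""
    rules = []
    kind = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            kind = f"{section.group(1)}->{section.group(2)}"
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(PortProxyRule(kind, m.group(1), int(m.group(2)),
                                       m.group(3), int(m.group(4))))
    return rules


def is_external_listener(rule):
    """True when the rule accepts connections on every interface."""
    return rule.listen_addr in ("*", "0.0.0.0", "::")


def find_unexpected(rules, allowlist):
    """Return rules not in the allowlist, plus any all-interface listener.

    allowlist is a set of (listen_addr, listen_port, connect_addr,
    connect_port) tuples that administrators have approved.
    """
    return [r for r in rules
            if r.key() not in allowlist or is_external_listener(r)]


if __name__ == "__main__":
    # Constructed allowlist: only the loopback redirect is approved.
    approved = {("127.0.0.1", 8080, "127.0.0.1", 80)}
    for rule in find_unexpected(parse_portproxy(SAMPLE_OUTPUT), approved):
        print(f"UNEXPECTED {rule.kind}: {rule.listen_addr}:{rule.listen_port}"
              f" -> {rule.connect_addr}:{rule.connect_port}")
```

Because netsh stores these rules in the registry rather than as a running process, they survive reboots and do not show up in a process listing, which is why comparing the parsed rules against an allowlist is more useful than looking for a suspicious binary.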
Current thread:
- more biology Dave Aitel (Jul 06)
- autoscan efforts Jeremy Richards (Jul 06)