Dailydave mailing list archives
Re: Better, more FLAME-like, penetration testing
From: Daniel Clemens <daniel.clemens () packetninjas net>
Date: Fri, 27 Sep 2013 09:34:00 -0500
On Sep 26, 2013, at 2:41 PM, Dave Aitel wrote:
> You use your exploit framework of choice to phish a few people with a PDF exploit. Your exploit is written by a professional team and is highly reliable, and you know it triggered because it downloaded your trojan from your watering-hole website, but you never got a callback. This is one of those features of modern well-run networks. It's sometimes easy to get INTO the network, but hard to get OUT of the network.
>
> INNUENDO is an injectable DLL, so not easy to catch even by modern AV/HIPS. By design INNUENDO is highly configurable at build-time, and hot-patchable at runtime using blocks of code that are strongly signed and encrypted. One of the core features is that there are channels into and out of the core message pumps, and these are themselves hot-swappable.
>
> So for PDF exploits, one of the channels you'll use is a PDF sniffer that sits in the PDF reader and looks at all new PDFs for signed messages from the C&C. It can then use these to update itself with, say, a bi-directional ICMP channel, or a Twitter/IMGUR channel (slightly higher bandwidth). Or a local exploit, of course.
>
> One of the main things we're moving into here is a complete break from the concept of tunneling connections into a network. Messages move throughout the network and get routed as they want to. INNUENDO handles interruptions in connectivity in a completely reliable way - if you switch to DNS tunneling halfway through a big file transfer because they've blocked your HTTPS callback, then so be it.
>
> In any case, if you want to be in on the early testing, or want to budget for it in the new FY, let me know!
Awesome, sounds like http://www.youtube.com/watch?v=F3hi5nsy1lE, just not as great on payload protection.

Daniel Uriah Clemens
O +1 202 747 0043 Ext. 7001
M +1 205 567 6850
F +1 205 449 4731
Packet Ninjas LLC
265 Riverchase Pkwy E. Suite 103
Hoover, AL 35244
"Moments of Sorrow are moments of sobriety"

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
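The quoted post's observation that modern networks are easy to get into but hard to get out of, and its example of an implant falling back to DNS tunneling once the HTTPS callback is blocked, has a defender-side counterpart: that fallback shows up in egress DNS telemetry as a burst of long, high-entropy, never-repeated subdomains under one base domain, often over TXT/NULL/CNAME record types. The script below is an added example written for this archive page; it is not code from the thread, from Immunity, or from INNUENDO. The log line format, the sample lines (under the reserved `.invalid` TLD), the "last two labels" rule for the base domain and every threshold are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of a resolver query log: "<timestamp> <client> <qtype> <qname>".
# These lines are made up for this example; the .invalid TLD guarantees the
# "tunnel" domain can never resolve on a real network.
SAMPLE_LOG = """\
2013-09-27T09:30:01 10.0.0.5 A www.example.com
2013-09-27T09:30:02 10.0.0.5 A mail.example.com
2013-09-27T09:30:03 10.0.0.7 A cdn.example.org
2013-09-27T09:30:04 10.0.0.5 TXT 6a7f3b9c1d2e4f5a6b7c8d9e0f1a2b3c4d5e.exfil-test.invalid
2013-09-27T09:30:05 10.0.0.5 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0ffee.exfil-test.invalid
2013-09-27T09:30:06 10.0.0.5 TXT 0123456789abcdeffedcba98765432100011.exfil-test.invalid
2013-09-27T09:30:07 10.0.0.5 TXT deadbeefcafef00d1234567890abcdef5566.exfil-test.invalid
2013-09-27T09:30:08 10.0.0.5 TXT 1122334455667788990aabbccddeeff00112.exfil-test.invalid
2013-09-27T09:30:09 10.0.0.7 A www.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of the string: ~0 for 'www', close to 4 for random hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Return (client, qtype, qname), or None if the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _ts, client, qtype, qname = m.groups()
    return client, qtype.upper(), qname.lower().rstrip(".")


def split_name(qname):
    """Split a query name into (base domain, subdomain part).
    Simplification for the example: the base domain is the last two labels;
    a real deployment should use the public suffix list instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return qname, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def summarise(lines):
    """Aggregate, per base domain, the features a tunnel detector looks at."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "clients": set(),
                                 "sub_len": 0, "entropy": 0.0, "bulky_qtypes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, qtype, qname = rec
        base, sub = split_name(qname)
        s = stats[base]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["clients"].add(client)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL", "CNAME"):  # record types that carry large answers
            s["bulky_qtypes"] += 1
    return stats


def flag_tunnels(lines, min_queries=5, min_unique_ratio=0.8,
                 min_avg_sub_len=30, min_avg_entropy=3.0):
    """Return {base_domain: details} for domains showing at least two tunnel indicators.
    The thresholds are assumptions chosen for this example, not tuned production values."""
    flagged = {}
    for base, s in summarise(lines).items():
        q = s["queries"]
        if q < min_queries:
            continue
        unique_ratio = len(s["subdomains"]) / q
        avg_len = s["sub_len"] / q
        avg_entropy = s["entropy"] / q
        reasons = []
        if unique_ratio >= min_unique_ratio:
            reasons.append("nearly every query uses a never-seen subdomain")
        if avg_len >= min_avg_sub_len:
            reasons.append("subdomain labels are unusually long")
        if avg_entropy >= min_avg_entropy:
            reasons.append("subdomain labels look like encoded data")
        if s["bulky_qtypes"] / q >= 0.5:
            reasons.append("mostly TXT/NULL/CNAME queries")
        if len(reasons) >= 2:
            flagged[base] = {"queries": q, "clients": sorted(s["clients"]),
                             "unique_ratio": unique_ratio, "avg_sub_len": avg_len,
                             "avg_entropy": avg_entropy, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for base, info in flag_tunnels(SAMPLE_LOG.splitlines()).items():
        print(base, info["clients"], "; ".join(info["reasons"]))
```

Run against the constructed log, only `exfil-test.invalid` is flagged, on all four indicators, while the ordinary `example.com` and `example.org` lookups never reach the minimum query count. The point of requiring two independent indicators is to keep CDN and anti-spam lookups, which are legitimately high-volume or high-entropy but not both long and unique, out of the alert queue; in practice the thresholds need tuning against a baseline of the network's own resolver logs.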