Re: pen test help please asap

[Oliver.Karow () gmx de]

Hi,

for some of your question i can give you some hints..

you can compress any (DOS/WIN)binary with tools like "petite.exe". This
tool decompresses an exe-file (once compressed) on runtime. What means that
the antivirus is in many cases not able to detect signatures in the file.

Further you can use binary-wrappers like EliteWrap (there are better
ones...just search on google) to put different executables together to one exe. This
tools also support funktions like running one file in the background whilst
another one is running on the desktop.

You have to test several of this tools in combination to find one that can
fool the antivirus. Maybe you can download a trial-version of the antivirus
software for testing.

ok, hope this info will help you a little..

Oliver

www.greyhat.de



> Hi all,
>
> I am currently working on a no holds barred pen test that includes social
> engineering.
> As such, I intend to get a trojan installed onto the clients network via
> email or autostarting CDROM, but want something that is going to not be
> caught by AV software (they say they have Norton AV enterprise wide).
> I was hoping that someone out there in pen test land already had developed
> something of the same ilk and could save me some time by sending me a copy
> or linking to something I could use.
>
> Features desired are:
>
> 1>>
> Machine A on client site makes a configurable encrypted OUTBOUND
> connection
> to  Machine B. Desire a netcat type outbound connection on port 80 that
> will
> detect and use the clients existing Internet Browser proxy settings. Once
> the connection is made to the outbound host (Machine B), a smtp mail will
> be
> sent out to notify that it is active. At that point I want to be able to
> connect to machine B from Machine C and leverage that outbound tunnel from
> Machine Ato get back into the organization, and have a remote command
> prompt
> and or remote desktop control of the target (Machine A)
>
>                                      -------------------------------
>                                     |                               |
>                                     |  My slave system              |
>                                     |      (machine B)              |
>                                     ---------------------------------
>                              /|\
> /|\
>                               |
> |
>                     Port 80 / 443 encrypted              SSH connection or
> equivalent
>                               |
> |
>     --------------------------------                      
> -----------------
> ---------------
>    |                                |                     |
> |
>    |  Client Target sys             |                     |  my control
> system             |
>    |     (machine A)                |                     |     (machine
> C)
> |
>     ---------------------------------                    
> ------------------
> ---------------
>
>
>
> 2>> Source code available so I can confirm no "hidden extras" ;-)
>
> 3>> Autoinstalls  on machine A by leveraging a bug in IE or Outlook if
> possible; tho not essential
>
> 4>> Attached to some joke or funny, so the recipient is not suspicious
>
> 5>> Not detected by AV software
>
> 6>> Detects OS; installs as a SERVICE on NT/Win2k/XP systems, else in the
> Run sections of HKLM on Win9x
>
> 7>> Installs at the same level as TinyFirewall or ZoneAlarm, and thus will
> bypass these products (if possible)
>
> 8>> Incorporate a keystroke or screen capture element (if possible)
>
>
>
> I know this is quite a tall order; really the most important element is
> that
> Machine A makes the outbound connection, and that the traffic at least
> looks
> a bit like HTTP and it survives a reboot.
>
> Any help would be *so* appreciated!
>
> Sincerely
> Kimberly
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
> see:
> https://alerts.securityfocus.com/

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/