Dailydave mailing list archives

more biology


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 06 Jul 2005 20:55:24 -0400

Here's another version of the anatomy of a hack article:

http://www.informit.com/articles/article.asp?p=397660&seqNum=1

This is my fav paragraph which is not in the other article (I dunno what
real attackers Jesper J. and Steve R. have been talking to about 0days,
or why they think 0days are less reliable than other attacks):
"""
This last point leads us to one of the important things to realize about
unpatched vulnerabilities. Generally speaking, in penetration tests we
prefer not to use methods that depend on unpatched vulnerabilities to
break into systems. Proving that they are there is interesting, but
because vulnerabilities are almost always unintended functionality,
using them runs the risk of destabilizing the host and, consequently,
the network. If you are doing a penetration test, bringing the network
down in the process is highly unlikely to be met with a lot of cheers,
and could cut the exercise a lot shorter than it should be. For a real
attacker, using unpatched vulnerabilities as an entrance to the network
is also a last resort. In general, it is rather noticeable when a server
crashes. If the attacker can get in without using potentially
destabilizing techniques, he will surely choose to do so. However, if
using unpatched vulnerabilities is the only way in, the attacker will
absolutely use them.
"""

Also note the use of netsh to do port forwarding instead of a custom
tool. Netsh is pretty neat in general. One thing the article doesn't go
into is what to do when the target performs the following evasive action:

1. Claims the hacked boxes were a honeypot.
2. Watches the penetration test with a sniffer and fixes things as they
are being exploited.
3. Pulls the ethernet cable for "unscheduled downtime" if they notice a
hack successfully happening.
4. Says thank you, and ignores the report anyways until next year.

I'm sure y'all can add tons to this list. :>


-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
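The post remarks that the article's attacker uses netsh for port forwarding rather than a custom tool. The defender's side of that observation is that netsh portproxy rules are persistent configuration: they are written under a registry key and survive reboots, so a host that has been used as a pivot keeps the evidence. The following PowerShell audit script is an added example, not code from the post or the InformIT article. It assumes Windows PowerShell 5 or later on a Windows host, administrative rights, and the documented PortProxy registry layout (one subkey per address family and protocol, e.g. `v4tov4\tcp`, with each value named `listenaddress/listenport` and holding `connectaddress/connectport`). The allowlist of expected rules is a constructed placeholder.

```powershell
# Added example (not from the original post): enumerate netsh portproxy
# forwarding rules from the registry and flag any that are not on an allowlist.
# Assumes PowerShell 5+, administrative rights, and the standard PortProxy key.

function Get-PortProxyRule {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path $base)) { return @() }   # key is absent until a rule is ever added
    foreach ($key in Get-ChildItem -Path $base -Recurse) {
        foreach ($name in $key.GetValueNames()) {
            $listen  = $name -split '/'                 # value name:  listenaddress/listenport
            $connect = $key.GetValue($name) -split '/'  # value data:  connectaddress/connectport
            [pscustomobject]@{
                Family         = Split-Path -Leaf $key.PSParentPath   # v4tov4, v4tov6, ...
                Protocol       = $key.PSChildName                      # tcp
                ListenAddress  = $listen[0]
                ListenPort     = [int]$listen[1]
                ConnectAddress = $connect[0]
                ConnectPort    = [int]$connect[1]
            }
        }
    }
}

function Find-UnexpectedPortProxyRule {
    param(
        # Constructed placeholder allowlist: rules an admin has deliberately configured.
        [string[]] $Allowed = @('0.0.0.0:443->10.0.0.5:8443')
    )
    Get-PortProxyRule | Where-Object {
        $rule = '{0}:{1}->{2}:{3}' -f $_.ListenAddress, $_.ListenPort, $_.ConnectAddress, $_.ConnectPort
        $Allowed -notcontains $rule
    }
}

# Report: the registry view and the live netsh view should agree; a mismatch
# means a rule was added or removed without the service picking it up yet.
$unexpected = Find-UnexpectedPortProxyRule
if ($unexpected) {
    Write-Warning ('{0} portproxy rule(s) not on the allowlist:' -f @($unexpected).Count)
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host 'No unexpected portproxy rules found.'
}
netsh interface portproxy show all
```

Run the script on a schedule or fold `Get-PortProxyRule` into an existing host inventory job, and baseline the result per host, since a legitimate rule on one machine is an anomaly on another. Creation of a rule is not logged by the portproxy service itself; the corresponding real-time signal is process-creation auditing with command-line logging (event 4688, or an EDR equivalent) matching `netsh` invocations that contain `interface portproxy add`, which complements the persistent-state check above.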

