Dailydave mailing list archives

How to pull a dinosaur out of a hat in 2010


From: dave <dave () immunityinc com>
Date: Fri, 04 Jun 2010 11:55:48 -0400

If you are a good pentester (and I'm sure you are!) then you know that you have 5000
projects in the back of your notebook that are essentially TODO's that you've never
gotten around to doing. Some of them are exploits, but probably a lot of them are
small tools that are useful in edge case situations. Then when you finally do those
projects, which take almost no time, you're like "man, I should have done that AGES ago."

For example, you want a tool that gets logged-in hashes on x64 machines, but doesn't
crash those machines or get caught by AV/HIDS.[1] Or "I want a trojan that grabs the
cleartext passwords out of lsass as people log in or RDP in."[2]

That said, there's still room in your toolbox for what I like to call "name brand"
exploits. My favourite latest is the NGINX remote exploit which works even when you
don't expect it to!

But as we expand the CANVAS Exploit Pack program, where selected boutique security
companies add their magic to CANVAS, I'm starting to see the Immunity penetration
testing team use other name-brand exploits more and more often.

For example, WhitePhosphorus just launched:

http://www.immunityinc.com/products-whitephosphorus2.shtml

I don't even know how much it is, but I do know that reliably owning Wireshark on
Windows 7 is priceless. Even if you know for a fact every Wireshark on your network
is perfectly patched up (hahaha) don't you want to see how that kind of heap magic is
done these days? I know I do.

-dave
[1]
We'll release a CANVAS Early Update for this later today if I understand correctly.

[2]
So many otherwise very cautious people don't realize that RDP is like giving your
passwords away to the remote machine. So we had to write a trojan that stole the
passwords as people RDP'd in and we installed it for demos on various client sites.
Perhaps we'll include it in the next CANVAS release!