Dailydave mailing list archives
How to pull a dinosaur out of a hat in 2010
From: dave <dave () immunityinc com>
Date: Fri, 04 Jun 2010 11:55:48 -0400
If you are a good pentester (and I'm sure you are!) then you know that you have 5000 projects in the back of your notebook that are essentially TODOs that you've never gotten around to doing. Some of them are exploits, but probably a lot of them are small tools that are useful in edge-case situations. Then when you finally do those projects, which take almost no time, you're like "man, I should have done that AGES ago."

For example, you want a tool that gets logged-in hashes on x64 machines, but doesn't crash those machines or get caught by AV/HIDS.[1] Or "I want a trojan that grabs the cleartext passwords out of lsass as people log in or RDP in."[2]

That said, there's still room in your toolbox for what I like to call "name brand" exploits. My favourite latest is the NGINX remote exploit, which works even when you don't expect it to! But as we expand the CANVAS Exploit Pack program, where selected boutique security companies add their magic to CANVAS, I'm starting to see the Immunity penetration testing team use other name-brand exploits more and more often.

For example, WhitePhosphorus just launched:
http://www.immunityinc.com/products-whitephosphorus2.shtml

I don't even know how much it is, but I do know that reliably owning Wireshark on Windows 7 is priceless. Even if you know for a fact every Wireshark on your network is perfectly patched up (hahaha), don't you want to see how that kind of heap magic is done these days? I know I do.

-dave

[1] We'll release a CANVAS Early Update for this later today if I understand correctly.

[2] So many otherwise very cautious people don't realize that RDP is like giving your passwords away to the remote machine. So we had to write a trojan that stole the passwords as people RDP'd in, and we installed it for demos on various client sites. Perhaps we'll include it in the next CANVAS release!