Penetration Testing mailing list archives
Re: Social Engineering Website (and Trojan test)
From: Martin Mačok <martin.macok () underground cz>
Date: Sat, 10 Jan 2004 00:50:59 +0100
On Fri, Jan 09, 2004 at 06:32:48AM -0800, Random Task wrote:
> The modification we'd like to make to our site would be a remote exploit of some sort, and I'm not totally sure where to go with that.
> It is of utmost importance that this program can be easily and totally removed after the testing is complete.
Implement expiration in your trojan code and set it for several days (for the duration of the test). After the expiration date make sure the trojan does not do anything (i.e. immediately exit). If you want it to be "totally removed", *do not do any* automagic removal in your code but ask the user to contact his security administrator (and make sure he knows how to do it).

Each copy of the Trojan could possibly identify itself when it calls home (unique identifier) so you can tell who forwarded which copy further in the test period.

The "call home" technique is sometimes not trivial. You should test it *with the help of the client* before the actual test:

- consult what sort of OS/MUA/browser combination is expected (to not use MS Outlook(IE) tricks in a Lotus Notes environment etc.),
- test if the trojan can go "in" in an email attachment (sometimes not allowed or just removed from the message by SMTP content filters, usually by a decision based on filename extension) or as an HTML message with a URL to your webserver/trojan code,
- test if it is possible to execute the trojan in their typical desktop environment and how easy that is (what steps are required to be performed by the user),
- test if the trojan is able to "call home" from their LAN - direct TCP/IP connection, http(s) proxy (authentication!), email through SMTP server, DNS query etc. You could also place the PC inside their LAN,
- finally, get the list of the target users (email recipients).

Try to make sure the client does understand the test and its purpose. Especially that he does not plan to use the test results as a "reason" for firing someone. You don't want to make enemies :-)
> * Use IE remote exploits to start a netcat listening session (not
> * Create a screen saver application of some sort that would gather
> * Create a free automated "security scanner" application similar to
No need to. Just pop up some window and do the work in the background (make sure the background job still runs *after* the user closes the window) or simply do not do anything (only the background job).
> Cons to doing this, as I see it: the employee may forward the message outside their company, skewing results and running on systems without permission. (this would only be if a screensaver/application were used)
This happens. Make sure the trojan does not do anything harmful under any circumstance, only the minimum needed.

--
Martin Mačok
http://underground.cz/
martin.macok () underground cz
http://Xtrmntr.org/ORBman/