Penetration Testing mailing list archives
Re: Email Pen-testing
From: <hwertz () voltron homelinux org>
Date: Sun, 21 Mar 2004 18:38:38 -0600 (CST)
Doing a pen-test for a small bank which was proving very difficult to get it. A friend of mine suggested I send a backdoor trojan attachment via an email. If they clicked on it, the backdoor performs maybe a boxscan, grab passwords, and connects out to the Internet. --Much like a virus.
*cut*
I spoke with a previous customer of mine about the idea. He said he would be very upset if he was not told prior to that type of test as part of normal pen-testing.
*cut*
What are your ideas on the email pen-testing?
I would certainly not send a worm that sends out passwords or do a box scan or anything (without previous permission). I would consider sending an attachment that "phones home" with IP and perhaps some identifiable info (like the E-Mail addr of the person if they're running Outlook, or NetBIOS machine name or something.) The extra info would be so if they're behind NAT or on DHCP, it'll help narrow down the source of trouble. I would not have the executable even install, just have it execute once in RAM. I would feel free to use any Outlook exploits to attempt to force execution though. Then if you do get some IPs etc. sent back, you can put in your report that your attachment was harmless but people (or unpatched software) automatically running attachments can cause a leak of passwords, backdoors installed, etc. I don't think you need to actually *get* passwords to show this 8-).